Adjust Auth on server (#15)

* add auth that verifies identity is marked online

* few changes for testing

* handle identity with requirements

* remove unnecessary logging from auth handler

* change to UserRequirements

* fixes to checks

* fixes to UserRequirementHandler

Co-authored-by: rootdarkarchon <root.darkarchon@outlook.com>

MareSynchronosServer/MareSynchronosServer/RequirementHandlers/UserRequirement.cs

@@ -0,0 +1,13 @@
+using Microsoft.AspNetCore.Authorization;
+
+namespace MareSynchronosServer.RequirementHandlers;
+
+public class UserRequirement : IAuthorizationRequirement
+{
+    public UserRequirement(UserRequirements requirements)
+    {
+        Requirements = requirements;
+    }
+
+    public UserRequirements Requirements { get; }
+}

MareSynchronosServer/MareSynchronosServer/RequirementHandlers/UserRequirementHandler.cs

@@ -0,0 +1,59 @@
+using System.Threading.Tasks;
+using System;
+using System.Linq;
+using System.Security.Claims;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.SignalR;
+using MareSynchronosShared.Data;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.Logging;
+using MareSynchronosServer.Services;
+
+namespace MareSynchronosServer.RequirementHandlers;
+
+public class UserRequirementHandler : AuthorizationHandler<UserRequirement, HubInvocationContext>
+{
+    private readonly GrpcClientIdentificationService identClient;
+    private readonly MareDbContext dbContext;
+    private readonly ILogger<UserRequirementHandler> logger;
+
+    public UserRequirementHandler(GrpcClientIdentificationService identClient, MareDbContext dbContext, ILogger<UserRequirementHandler> logger)
+    {
+        this.identClient = identClient;
+        this.dbContext = dbContext;
+        this.logger = logger;
+    }
+
+    protected override async Task HandleRequirementAsync(AuthorizationHandlerContext context, UserRequirement requirement, HubInvocationContext resource)
+    {
+        var uid = context.User.Claims.SingleOrDefault(g => string.Equals(g.Type, ClaimTypes.NameIdentifier, StringComparison.Ordinal))?.Value;
+        var auth = context.User.Claims.SingleOrDefault(g => string.Equals(g.Type, ClaimTypes.Authentication, StringComparison.Ordinal))?.Value;
+
+        if (uid == null || auth == null) context.Fail();
+
+        if ((requirement.Requirements & UserRequirements.Identified) is UserRequirements.Identified)
+        {
+            var ident = identClient.GetCharacterIdentForUid(uid);
+            if (ident == null) context.Fail();
+
+            var isOnCurrent = identClient.IsOnCurrentServer(uid);
+            if (!isOnCurrent) identClient.MarkUserOnline(uid, ident);
+        }
+
+        if ((requirement.Requirements & UserRequirements.Administrator) is UserRequirements.Administrator)
+        {
+            var user = await dbContext.Users.AsNoTracking().SingleOrDefaultAsync(b => b.UID == uid).ConfigureAwait(false);
+            if (user == null || !user.IsAdmin) context.Fail();
+            logger.LogInformation("Admin {uid} authenticated", uid);
+        }
+
+        if ((requirement.Requirements & UserRequirements.Moderator) is UserRequirements.Moderator)
+        {
+            var user = await dbContext.Users.AsNoTracking().SingleOrDefaultAsync(b => b.UID == uid).ConfigureAwait(false);
+            if (user == null || !user.IsAdmin && !user.IsModerator) context.Fail();
+            logger.LogInformation("Admin/Moderator {uid} authenticated", uid);
+        }
+
+        context.Succeed(requirement);
+    }
+}

MareSynchronosServer/MareSynchronosServer/RequirementHandlers/UserRequirements.cs

@@ -0,0 +1,8 @@
+namespace MareSynchronosServer.RequirementHandlers;
+
+public enum UserRequirements
+{
+    Identified = 0b00000001,
+    Moderator = 0b00000010,
+    Administrator = 0b00000100
+}