some refactoring

MareSynchronosServer/MareSynchronosAuthService/Authentication/SecretKeyAuthReply.cs

@@ -0,0 +1,3 @@
+namespace MareSynchronosAuthService.Authentication;
+
+public record SecretKeyAuthReply(bool Success, string Uid, string PrimaryUid, string Alias, bool TempBan, bool Permaban);

MareSynchronosServer/MareSynchronosAuthService/Authentication/SecretKeyFailedAuthorization.cs

@@ -0,0 +1,12 @@
+namespace MareSynchronosAuthService.Authentication;
+
+internal record SecretKeyFailedAuthorization
+{
+    private int failedAttempts = 1;
+    public int FailedAttempts => failedAttempts;
+    public Task ResetTask { get; set; }
+    public void IncreaseFailedAttempts()
+    {
+        Interlocked.Increment(ref failedAttempts);
+    }
+}

MareSynchronosServer/MareSynchronosAuthService/Controllers/JwtController.cs

@@ -0,0 +1,223 @@
+using MareSynchronos.API.Routes;
+using MareSynchronosAuthService.Services;
+using MareSynchronosShared;
+using MareSynchronosShared.Data;
+using MareSynchronosShared.Models;
+using MareSynchronosShared.Services;
+using MareSynchronosShared.Utils;
+using MareSynchronosShared.Utils.Configuration;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.IdentityModel.Tokens;
+using StackExchange.Redis.Extensions.Core.Abstractions;
+using System.Globalization;
+using System.IdentityModel.Tokens.Jwt;
+using System.Security.Claims;
+using System.Text;
+
+namespace MareSynchronosAuthService.Controllers;
+
+[AllowAnonymous]
+[Route(MareAuth.Auth)]
+public class JwtController : Controller
+{
+    private readonly ILogger<JwtController> _logger;
+    private readonly IHttpContextAccessor _accessor;
+    private readonly IConfigurationService<AuthServiceConfiguration> _configuration;
+    private readonly MareDbContext _mareDbContext;
+    private readonly IRedisDatabase _redis;
+    private readonly GeoIPService _geoIPProvider;
+    private readonly SecretKeyAuthenticatorService _secretKeyAuthenticatorService;
+
+    public JwtController(ILogger<JwtController> logger,
+        IHttpContextAccessor accessor, MareDbContext mareDbContext,
+        SecretKeyAuthenticatorService secretKeyAuthenticatorService,
+        IConfigurationService<AuthServiceConfiguration> configuration,
+        IRedisDatabase redisDb, GeoIPService geoIPProvider)
+    {
+        _logger = logger;
+        _accessor = accessor;
+        _redis = redisDb;
+        _geoIPProvider = geoIPProvider;
+        _mareDbContext = mareDbContext;
+        _secretKeyAuthenticatorService = secretKeyAuthenticatorService;
+        _configuration = configuration;
+    }
+
+    [AllowAnonymous]
+    [HttpPost(MareAuth.Auth_CreateIdent)]
+    public async Task<IActionResult> CreateToken(string auth, string charaIdent)
+    {
+        return await AuthenticateInternal(auth, charaIdent).ConfigureAwait(false);
+    }
+
+    [Authorize(Policy = "Authenticated")]
+    [HttpGet("renewToken")]
+    public async Task<IActionResult> RenewToken()
+    {
+        try
+        {
+            var uid = HttpContext.User.Claims.Single(p => string.Equals(p.Type, MareClaimTypes.Uid, StringComparison.Ordinal))!.Value;
+            var ident = HttpContext.User.Claims.Single(p => string.Equals(p.Type, MareClaimTypes.CharaIdent, StringComparison.Ordinal))!.Value;
+            var alias = HttpContext.User.Claims.SingleOrDefault(p => string.Equals(p.Type, MareClaimTypes.Alias))?.Value ?? string.Empty;
+
+            if (await _mareDbContext.Auth.Where(u => u.UserUID == uid || u.PrimaryUserUID == uid).AnyAsync(a => a.IsBanned))
+            {
+                await EnsureBan(uid, ident);
+
+                return Unauthorized("You are permanently banned.");
+            }
+
+            if (await IsIdentBanned(uid, ident))
+            {
+                return Unauthorized("Your character is banned from using the service.");
+            }
+
+            _logger.LogInformation("RenewToken:SUCCESS:{id}:{ident}", uid, ident);
+            return await CreateJwtFromId(uid, ident, alias);
+        }
+        catch (Exception ex)
+        {
+            _logger.LogError(ex, "RenewToken:FAILURE");
+            return Unauthorized("Unknown error while renewing authentication token");
+        }
+    }
+
+    private async Task<IActionResult> AuthenticateInternal(string auth, string charaIdent)
+    {
+        try
+        {
+            if (string.IsNullOrEmpty(auth)) return BadRequest("No Authkey");
+            if (string.IsNullOrEmpty(charaIdent)) return BadRequest("No CharaIdent");
+
+            var ip = _accessor.GetIpAddress();
+
+            var authResult = await _secretKeyAuthenticatorService.AuthorizeAsync(ip, auth);
+
+            if (await IsIdentBanned(authResult.Uid, charaIdent))
+            {
+                _logger.LogWarning("Authenticate:IDENTBAN:{id}:{ident}", authResult.Uid, charaIdent);
+                return Unauthorized("Your character is banned from using the service.");
+            }
+
+            if (!authResult.Success && !authResult.TempBan)
+            {
+                _logger.LogWarning("Authenticate:INVALID:{id}:{ident}", authResult?.Uid ?? "NOUID", charaIdent);
+                return Unauthorized("The provided secret key is invalid. Verify your accounts existence and/or recover the secret key.");
+            }
+            if (!authResult.Success && authResult.TempBan)
+            {
+                _logger.LogWarning("Authenticate:TEMPBAN:{id}:{ident}", authResult.Uid ?? "NOUID", charaIdent);
+                return Unauthorized("Due to an excessive amount of failed authentication attempts you are temporarily banned. Check your Secret Key configuration and try connecting again in 5 minutes.");
+            }
+            if (authResult.Permaban)
+            {
+                await EnsureBan(authResult.Uid, charaIdent);
+
+                _logger.LogWarning("Authenticate:UIDBAN:{id}:{ident}", authResult.Uid, charaIdent);
+                return Unauthorized("You are permanently banned.");
+            }
+
+            var existingIdent = await _redis.GetAsync<string>("UID:" + authResult.Uid);
+            if (!string.IsNullOrEmpty(existingIdent))
+            {
+                _logger.LogWarning("Authenticate:DUPLICATE:{id}:{ident}", authResult.Uid, charaIdent);
+                return Unauthorized("Already logged in to this account. Reconnect in 60 seconds. If you keep seeing this issue, restart your game.");
+            }
+
+            _logger.LogInformation("Authenticate:SUCCESS:{id}:{ident}", authResult.Uid, charaIdent);
+            return await CreateJwtFromId(authResult.Uid, charaIdent, authResult.Alias ?? string.Empty);
+        }
+        catch (Exception ex)
+        {
+            _logger.LogWarning(ex, "Authenticate:UNKNOWN");
+            return Unauthorized("Unknown internal server error during authentication");
+        }
+    }
+
+    private JwtSecurityToken CreateJwt(IEnumerable<Claim> authClaims)
+    {
+        var authSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(_configuration.GetValue<string>(nameof(MareConfigurationBase.Jwt))));
+
+        var token = new SecurityTokenDescriptor()
+        {
+            Subject = new ClaimsIdentity(authClaims),
+            SigningCredentials = new SigningCredentials(authSigningKey, SecurityAlgorithms.HmacSha256Signature),
+            Expires = new(long.Parse(authClaims.First(f => string.Equals(f.Type, MareClaimTypes.Expires, StringComparison.Ordinal)).Value!, CultureInfo.InvariantCulture), DateTimeKind.Utc),
+        };
+
+        var handler = new JwtSecurityTokenHandler();
+        return handler.CreateJwtSecurityToken(token);
+    }
+
+    private async Task<IActionResult> CreateJwtFromId(string uid, string charaIdent, string alias)
+    {
+        var token = CreateJwt(new List<Claim>()
+        {
+            new Claim(MareClaimTypes.Uid, uid),
+            new Claim(MareClaimTypes.CharaIdent, charaIdent),
+            new Claim(MareClaimTypes.Alias, alias),
+            new Claim(MareClaimTypes.Expires, DateTime.UtcNow.AddHours(6).Ticks.ToString(CultureInfo.InvariantCulture)),
+            new Claim(MareClaimTypes.Continent, await _geoIPProvider.GetCountryFromIP(_accessor))
+        });
+
+        return Content(token.RawData);
+    }
+
+    private async Task EnsureBan(string uid, string charaIdent)
+    {
+        if (!_mareDbContext.BannedUsers.Any(c => c.CharacterIdentification == charaIdent))
+        {
+            _mareDbContext.BannedUsers.Add(new Banned()
+            {
+                CharacterIdentification = charaIdent,
+                Reason = "Autobanned CharacterIdent (" + uid + ")",
+            });
+
+            await _mareDbContext.SaveChangesAsync();
+        }
+
+        var primaryUser = await _mareDbContext.Auth.Include(a => a.User).FirstOrDefaultAsync(f => f.PrimaryUserUID == uid);
+
+        var toBanUid = primaryUser == null ? uid : primaryUser.UserUID;
+
+        var lodestone = await _mareDbContext.LodeStoneAuth.Include(a => a.User).FirstOrDefaultAsync(c => c.User.UID == toBanUid);
+
+        if (lodestone != null)
+        {
+            if (!_mareDbContext.BannedRegistrations.Any(c => c.DiscordIdOrLodestoneAuth == lodestone.HashedLodestoneId))
+            {
+                _mareDbContext.BannedRegistrations.Add(new BannedRegistrations()
+                {
+                    DiscordIdOrLodestoneAuth = lodestone.HashedLodestoneId,
+                });
+            }
+            if (!_mareDbContext.BannedRegistrations.Any(c => c.DiscordIdOrLodestoneAuth == lodestone.DiscordId.ToString()))
+            {
+                _mareDbContext.BannedRegistrations.Add(new BannedRegistrations()
+                {
+                    DiscordIdOrLodestoneAuth = lodestone.DiscordId.ToString(),
+                });
+            }
+
+            await _mareDbContext.SaveChangesAsync();
+        }
+    }
+
+    private async Task<bool> IsIdentBanned(string uid, string charaIdent)
+    {
+        var isBanned = await _mareDbContext.BannedUsers.AsNoTracking().AnyAsync(u => u.CharacterIdentification == charaIdent).ConfigureAwait(false);
+        if (isBanned)
+        {
+            var authToBan = _mareDbContext.Auth.SingleOrDefault(a => a.UserUID == uid);
+            if (authToBan != null)
+            {
+                authToBan.IsBanned = true;
+                await _mareDbContext.SaveChangesAsync().ConfigureAwait(false);
+            }
+        }
+
+        return isBanned;
+    }
+}

MareSynchronosServer/MareSynchronosAuthService/MareSynchronosAuthService.csproj

@@ -0,0 +1,18 @@
+<Project Sdk="Microsoft.NET.Sdk.Web">
+
+  <PropertyGroup>
+    <TargetFramework>net8.0</TargetFramework>
+    <Nullable>enable</Nullable>
+    <ImplicitUsings>enable</ImplicitUsings>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <PackageReference Include="MaxMind.GeoIP2" Version="5.2.0" />
+    <PackageReference Include="Microsoft.Extensions.Hosting.Systemd" Version="8.0.0" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\MareSynchronosShared\MareSynchronosShared.csproj" />
+  </ItemGroup>
+
+</Project>

MareSynchronosServer/MareSynchronosAuthService/Program.cs

@@ -0,0 +1,41 @@
+namespace MareSynchronosAuthService;
+
+public class Program
+{
+    public static void Main(string[] args)
+    {
+        var hostBuilder = CreateHostBuilder(args);
+        using var host = hostBuilder.Build();
+        try
+        {
+            host.Run();
+        }
+        catch (Exception ex)
+        {
+            Console.WriteLine(ex);
+        }
+    }
+
+    public static IHostBuilder CreateHostBuilder(string[] args)
+    {
+        using var loggerFactory = LoggerFactory.Create(builder =>
+        {
+            builder.ClearProviders();
+            builder.AddConsole();
+        });
+        var logger = loggerFactory.CreateLogger<Startup>();
+        return Host.CreateDefaultBuilder(args)
+            .UseSystemd()
+            .UseConsoleLifetime()
+            .ConfigureWebHostDefaults(webBuilder =>
+            {
+                webBuilder.UseContentRoot(AppContext.BaseDirectory);
+                webBuilder.ConfigureLogging((ctx, builder) =>
+                {
+                    builder.AddConfiguration(ctx.Configuration.GetSection("Logging"));
+                    builder.AddFile(o => o.RootPath = AppContext.BaseDirectory);
+                });
+                webBuilder.UseStartup(ctx => new Startup(ctx.Configuration, logger));
+            });
+    }
+}

MareSynchronosServer/MareSynchronosAuthService/Properties/launchSettings.json

@@ -0,0 +1,29 @@
+{
+  "$schema": "http://json.schemastore.org/launchsettings.json",
+  "iisSettings": {
+    "windowsAuthentication": false,
+    "anonymousAuthentication": true,
+    "iisExpress": {
+      "applicationUrl": "http://localhost:37726",
+      "sslPort": 0
+    }
+  },
+  "profiles": {
+    "http": {
+      "commandName": "Project",
+      "dotnetRunMessages": true,
+      "launchBrowser": true,
+      "applicationUrl": "http://localhost:5056",
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development"
+      }
+    },
+    "IIS Express": {
+      "commandName": "IISExpress",
+      "launchBrowser": true,
+      "environmentVariables": {
+        "ASPNETCORE_ENVIRONMENT": "Development"
+      }
+    }
+  }
+}

MareSynchronosServer/MareSynchronosAuthService/Services/GeoIPService.cs

@@ -0,0 +1,138 @@
+using MareSynchronosShared;
+using MareSynchronosShared.Services;
+using MareSynchronosShared.Utils.Configuration;
+using MaxMind.GeoIP2;
+
+namespace MareSynchronosAuthService.Services;
+
+public class GeoIPService : IHostedService
+{
+    private readonly ILogger<GeoIPService> _logger;
+    private readonly IConfigurationService<AuthServiceConfiguration> _mareConfiguration;
+    private bool _useGeoIP = false;
+    private string _cityFile = string.Empty;
+    private DatabaseReader? _dbReader;
+    private DateTime _dbLastWriteTime = DateTime.Now;
+    private CancellationTokenSource _fileWriteTimeCheckCts = new();
+    private bool _processingReload = false;
+
+    public GeoIPService(ILogger<GeoIPService> logger,
+        IConfigurationService<AuthServiceConfiguration> mareConfiguration)
+    {
+        _logger = logger;
+        _mareConfiguration = mareConfiguration;
+    }
+
+    public async Task<string> GetCountryFromIP(IHttpContextAccessor httpContextAccessor)
+    {
+        if (!_useGeoIP)
+        {
+            return "*";
+        }
+
+        try
+        {
+            var ip = httpContextAccessor.GetIpAddress();
+
+            using CancellationTokenSource waitCts = new();
+            waitCts.CancelAfter(TimeSpan.FromSeconds(5));
+            while (_processingReload) await Task.Delay(100, waitCts.Token).ConfigureAwait(false);
+
+            if (_dbReader!.TryCity(ip, out var response))
+            {
+                string? continent = response?.Continent.Code;
+                if (!string.IsNullOrEmpty(continent) &&
+                    string.Equals(continent, "NA", StringComparison.Ordinal)
+                    && response?.Location.Longitude != null)
+                {
+                    if (response.Location.Longitude < -102)
+                    {
+                        continent = "NA-W";
+                    }
+                    else
+                    {
+                        continent = "NA-E";
+                    }
+                }
+
+                return continent ?? "*";
+            }
+
+            return "*";
+        }
+        catch (Exception ex)
+        {
+            _logger.LogWarning(ex, "Error handling Geo IP country in request");
+            return "*";
+        }
+    }
+
+    public Task StartAsync(CancellationToken cancellationToken)
+    {
+        _logger.LogInformation("GeoIP module starting update task");
+
+        var token = _fileWriteTimeCheckCts.Token;
+        _ = PeriodicReloadTask(token);
+
+        return Task.CompletedTask;
+    }
+
+    private async Task PeriodicReloadTask(CancellationToken token)
+    {
+        while (!token.IsCancellationRequested)
+        {
+            try
+            {
+                _processingReload = true;
+
+                var useGeoIP = _mareConfiguration.GetValueOrDefault(nameof(AuthServiceConfiguration.UseGeoIP), false);
+                var cityFile = _mareConfiguration.GetValueOrDefault(nameof(AuthServiceConfiguration.GeoIPDbCityFile), string.Empty);
+                var lastWriteTime = new FileInfo(cityFile).LastWriteTimeUtc;
+                if (useGeoIP && (!string.Equals(cityFile, _cityFile, StringComparison.OrdinalIgnoreCase) || lastWriteTime != _dbLastWriteTime))
+                {
+                    _cityFile = cityFile;
+                    if (!File.Exists(_cityFile)) throw new FileNotFoundException($"Could not open GeoIP City Database, path does not exist: {_cityFile}");
+                    _dbReader?.Dispose();
+                    _dbReader = null;
+                    _dbReader = new DatabaseReader(_cityFile);
+                    _dbLastWriteTime = lastWriteTime;
+
+                    _ = _dbReader.City("8.8.8.8").Continent;
+
+                    _logger.LogInformation($"Loaded GeoIP city file from {_cityFile}");
+
+                    if (_useGeoIP != useGeoIP)
+                    {
+                        _logger.LogInformation("GeoIP module is now enabled");
+                        _useGeoIP = useGeoIP;
+                    }
+                }
+
+                if (_useGeoIP != useGeoIP && !useGeoIP)
+                {
+                    _logger.LogInformation("GeoIP module is now disabled");
+                    _useGeoIP = useGeoIP;
+                }
+            }
+            catch (Exception e)
+            {
+                _logger.LogWarning(e, "Error during periodic GeoIP module reload task, disabling GeoIP");
+                _useGeoIP = false;
+            }
+            finally
+            {
+                _processingReload = false;
+            }
+
+            await Task.Delay(TimeSpan.FromMinutes(1)).ConfigureAwait(false);
+        }
+    }
+
+    public Task StopAsync(CancellationToken cancellationToken)
+    {
+        _fileWriteTimeCheckCts.Cancel();
+        _fileWriteTimeCheckCts.Dispose();
+        _dbReader?.Dispose();
+        return Task.CompletedTask;
+    }
+}

MareSynchronosServer/MareSynchronosAuthService/Services/SecretKeyAuthenticatorService.cs

@@ -0,0 +1,99 @@
+using System.Collections.Concurrent;
+using MareSynchronosAuthService.Authentication;
+using MareSynchronosShared.Data;
+using MareSynchronosShared.Metrics;
+using MareSynchronosShared.Services;
+using MareSynchronosShared.Utils.Configuration;
+using Microsoft.EntityFrameworkCore;
+
+namespace MareSynchronosAuthService.Services;
+
+public class SecretKeyAuthenticatorService
+{
+    private readonly MareMetrics _metrics;
+    private readonly IDbContextFactory<MareDbContext> _dbContextFactory;
+    private readonly IConfigurationService<AuthServiceConfiguration> _configurationService;
+    private readonly ILogger<SecretKeyAuthenticatorService> _logger;
+    private readonly ConcurrentDictionary<string, SecretKeyFailedAuthorization> _failedAuthorizations = new(StringComparer.Ordinal);
+
+    public SecretKeyAuthenticatorService(MareMetrics metrics, IDbContextFactory<MareDbContext> dbContextFactory,
+        IConfigurationService<AuthServiceConfiguration> configuration, ILogger<SecretKeyAuthenticatorService> logger)
+    {
+        _logger = logger;
+        _configurationService = configuration;
+        _metrics = metrics;
+        _dbContextFactory = dbContextFactory;
+    }
+
+    public async Task<SecretKeyAuthReply> AuthorizeAsync(string ip, string hashedSecretKey)
+    {
+        _metrics.IncCounter(MetricsAPI.CounterAuthenticationRequests);
+
+        if (_failedAuthorizations.TryGetValue(ip, out var existingFailedAuthorization)
+            && existingFailedAuthorization.FailedAttempts > _configurationService.GetValueOrDefault(nameof(AuthServiceConfiguration.FailedAuthForTempBan), 5))
+        {
+            if (existingFailedAuthorization.ResetTask == null)
+            {
+                _logger.LogWarning("TempBan {ip} for authorization spam", ip);
+
+                existingFailedAuthorization.ResetTask = Task.Run(async () =>
+                {
+                    await Task.Delay(TimeSpan.FromMinutes(_configurationService.GetValueOrDefault(nameof(AuthServiceConfiguration.TempBanDurationInMinutes), 5))).ConfigureAwait(false);
+
+                }).ContinueWith((t) =>
+                {
+                    _failedAuthorizations.Remove(ip, out _);
+                });
+            }
+            return new(Success: false, Uid: null, PrimaryUid: null, Alias: null, TempBan: true, Permaban: false);
+        }
+
+        using var context = await _dbContextFactory.CreateDbContextAsync().ConfigureAwait(false);
+        var authReply = await context.Auth.Include(a => a.User).AsNoTracking()
+            .SingleOrDefaultAsync(u => u.HashedKey == hashedSecretKey).ConfigureAwait(false);
+        var isBanned = authReply?.IsBanned ?? false;
+        var primaryUid = authReply?.PrimaryUserUID ?? authReply?.UserUID;
+
+        if (authReply?.PrimaryUserUID != null)
+        {
+            var primaryUser = await context.Auth.AsNoTracking().SingleOrDefaultAsync(u => u.UserUID == authReply.PrimaryUserUID).ConfigureAwait(false);
+            isBanned = isBanned || primaryUser.IsBanned;
+        }
+
+        SecretKeyAuthReply reply = new(authReply != null, authReply?.UserUID,
+            authReply?.PrimaryUserUID ?? authReply?.UserUID, authReply?.User?.Alias ?? string.Empty, TempBan: false, isBanned);
+
+        if (reply.Success)
+        {
+            _metrics.IncCounter(MetricsAPI.CounterAuthenticationSuccesses);
+            _metrics.IncGauge(MetricsAPI.GaugeAuthenticationCacheEntries);
+        }
+        else
+        {
+            return AuthenticationFailure(ip);
+        }
+
+        return reply;
+    }
+
+    private SecretKeyAuthReply AuthenticationFailure(string ip)
+    {
+        _metrics.IncCounter(MetricsAPI.CounterAuthenticationFailures);
+
+        _logger.LogWarning("Failed authorization from {ip}", ip);
+        var whitelisted = _configurationService.GetValueOrDefault(nameof(AuthServiceConfiguration.WhitelistedIps), new List<string>());
+        if (!whitelisted.Exists(w => ip.Contains(w, StringComparison.OrdinalIgnoreCase)))
+        {
+            if (_failedAuthorizations.TryGetValue(ip, out var auth))
+            {
+                auth.IncreaseFailedAttempts();
+            }
+            else
+            {
+                _failedAuthorizations[ip] = new SecretKeyFailedAuthorization();
+            }
+        }
+
+        return new(Success: false, Uid: null, PrimaryUid: null, Alias: null, TempBan: false, Permaban: false);
+    }
+}

MareSynchronosServer/MareSynchronosAuthService/Startup.cs

@@ -0,0 +1,226 @@
+using MareSynchronosAuthService.Controllers;
+using MareSynchronosShared.Metrics;
+using MareSynchronosShared.Services;
+using MareSynchronosShared.Utils;
+using Microsoft.AspNetCore.Mvc.Controllers;
+using StackExchange.Redis.Extensions.Core.Configuration;
+using StackExchange.Redis.Extensions.System.Text.Json;
+using StackExchange.Redis;
+using System.Net;
+using MareSynchronosAuthService.Services;
+using MareSynchronosShared.RequirementHandlers;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Authentication.JwtBearer;
+using Microsoft.IdentityModel.Tokens;
+using System.Text;
+using MareSynchronosShared.Data;
+using Microsoft.EntityFrameworkCore;
+using Prometheus;
+using MareSynchronosShared.Utils.Configuration;
+
+namespace MareSynchronosAuthService;
+
+public class Startup
+{
+    private readonly IConfiguration _configuration;
+    private ILogger<Startup> _logger;
+
+    public Startup(IConfiguration configuration, ILogger<Startup> logger)
+    {
+        _configuration = configuration;
+        _logger = logger;
+    }
+
+    public void Configure(IApplicationBuilder app, IWebHostEnvironment env, ILogger<Startup> logger)
+    {
+        var config = app.ApplicationServices.GetRequiredService<IConfigurationService<MareConfigurationBase>>();
+
+        app.UseRouting();
+
+        app.UseHttpMetrics();
+
+        app.UseAuthentication();
+        app.UseAuthorization();
+
+        KestrelMetricServer metricServer = new KestrelMetricServer(config.GetValueOrDefault<int>(nameof(MareConfigurationBase.MetricsPort), 4985));
+        metricServer.Start();
+
+        app.UseEndpoints(endpoints =>
+        {
+            endpoints.MapControllers();
+
+            foreach (var source in endpoints.DataSources.SelectMany(e => e.Endpoints).Cast<RouteEndpoint>())
+            {
+                if (source == null) continue;
+                _logger.LogInformation("Endpoint: {url} ", source.RoutePattern.RawText);
+            }
+        });
+    }
+
+    public void ConfigureServices(IServiceCollection services)
+    {
+        var mareConfig = _configuration.GetRequiredSection("MareSynchronos");
+
+        ConfigureRedis(services, mareConfig);
+
+        services.AddSingleton<SecretKeyAuthenticatorService>();
+        services.AddSingleton<GeoIPService>();
+
+        services.AddHostedService(provider => provider.GetRequiredService<GeoIPService>());
+
+        services.Configure<AuthServiceConfiguration>(_configuration.GetRequiredSection("MareSynchronos"));
+        services.Configure<MareConfigurationBase>(_configuration.GetRequiredSection("MareSynchronos"));
+
+        services.AddSingleton<ServerTokenGenerator>();
+
+        ConfigureAuthorization(services);
+
+        ConfigureDatabase(services, mareConfig);
+
+        ConfigureConfigServices(services);
+
+        services.AddHealthChecks();
+        services.AddControllers().ConfigureApplicationPartManager(a =>
+        {
+            a.FeatureProviders.Remove(a.FeatureProviders.OfType<ControllerFeatureProvider>().First());
+            a.FeatureProviders.Add(new AllowedControllersFeatureProvider(typeof(JwtController)));
+        });
+    }
+
+    private static void ConfigureAuthorization(IServiceCollection services)
+    {
+        services.AddTransient<IAuthorizationHandler, UserRequirementHandler>();
+        services.AddTransient<IAuthorizationHandler, ValidTokenRequirementHandler>();
+
+        services.AddOptions<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme)
+            .Configure<IConfigurationService<MareConfigurationBase>>((options, config) =>
+            {
+                options.TokenValidationParameters = new()
+                {
+                    ValidateIssuer = false,
+                    ValidateLifetime = true,
+                    ValidateAudience = false,
+                    ValidateIssuerSigningKey = true,
+                    IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(config.GetValue<string>(nameof(MareConfigurationBase.Jwt)))),
+                };
+            });
+
+        services.AddAuthentication(o =>
+        {
+            o.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
+            o.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
+            o.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
+        }).AddJwtBearer();
+
+        services.AddAuthorization(options =>
+        {
+            options.DefaultPolicy = new AuthorizationPolicyBuilder()
+                .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
+                .RequireAuthenticatedUser().Build();
+            options.AddPolicy("Authenticated", policy =>
+            {
+                policy.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme);
+                policy.RequireAuthenticatedUser();
+                policy.AddRequirements(new ValidTokenRequirement());
+            });
+            options.AddPolicy("Identified", policy =>
+            {
+                policy.AddRequirements(new UserRequirement(UserRequirements.Identified));
+                policy.AddRequirements(new ValidTokenRequirement());
+
+            });
+            options.AddPolicy("Admin", policy =>
+            {
+                policy.AddRequirements(new UserRequirement(UserRequirements.Identified | UserRequirements.Administrator));
+                policy.AddRequirements(new ValidTokenRequirement());
+
+            });
+            options.AddPolicy("Moderator", policy =>
+            {
+                policy.AddRequirements(new UserRequirement(UserRequirements.Identified | UserRequirements.Moderator | UserRequirements.Administrator));
+                policy.AddRequirements(new ValidTokenRequirement());
+            });
+            options.AddPolicy("Internal", new AuthorizationPolicyBuilder().RequireClaim(MareClaimTypes.Internal, "true").Build());
+        });
+    }
+
+    private static void ConfigureMetrics(IServiceCollection services)
+    {
+        services.AddSingleton<MareMetrics>(m => new MareMetrics(m.GetService<ILogger<MareMetrics>>(), new List<string>
+        {
+            MetricsAPI.CounterAuthenticationCacheHits,
+            MetricsAPI.CounterAuthenticationFailures,
+            MetricsAPI.CounterAuthenticationRequests,
+            MetricsAPI.CounterAuthenticationSuccesses,
+        }, new List<string>
+        {
+            MetricsAPI.GaugeAuthenticationCacheEntries,
+        }));
+    }
+
+    private static void ConfigureRedis(IServiceCollection services, IConfigurationSection mareConfig)
+    {
+        // configure redis for SignalR
+        var redisConnection = mareConfig.GetValue(nameof(ServerConfiguration.RedisConnectionString), string.Empty);
+
+        var options = ConfigurationOptions.Parse(redisConnection);
+
+        var endpoint = options.EndPoints[0];
+        string address = "";
+        int port = 0;
+        if (endpoint is DnsEndPoint dnsEndPoint) { address = dnsEndPoint.Host; port = dnsEndPoint.Port; }
+        if (endpoint is IPEndPoint ipEndPoint) { address = ipEndPoint.Address.ToString(); port = ipEndPoint.Port; }
+        var redisConfiguration = new RedisConfiguration()
+        {
+            AbortOnConnectFail = true,
+            KeyPrefix = "",
+            Hosts = new RedisHost[]
+            {
+                new RedisHost(){ Host = address, Port = port },
+            },
+            AllowAdmin = true,
+            ConnectTimeout = options.ConnectTimeout,
+            Database = 0,
+            Ssl = false,
+            Password = options.Password,
+            ServerEnumerationStrategy = new ServerEnumerationStrategy()
+            {
+                Mode = ServerEnumerationStrategy.ModeOptions.All,
+                TargetRole = ServerEnumerationStrategy.TargetRoleOptions.Any,
+                UnreachableServerAction = ServerEnumerationStrategy.UnreachableServerActionOptions.Throw,
+            },
+            MaxValueLength = 1024,
+            PoolSize = mareConfig.GetValue(nameof(ServerConfiguration.RedisPool), 50),
+            SyncTimeout = options.SyncTimeout,
+        };
+
+        services.AddStackExchangeRedisExtensions<SystemTextJsonSerializer>(redisConfiguration);
+    }
+    private void ConfigureConfigServices(IServiceCollection services)
+    {
+        services.AddSingleton<IConfigurationService<AuthServiceConfiguration>, MareConfigurationServiceServer<AuthServiceConfiguration>>();
+        services.AddSingleton<IConfigurationService<MareConfigurationBase>, MareConfigurationServiceServer<MareConfigurationBase>>();
+    }
+
+    private void ConfigureDatabase(IServiceCollection services, IConfigurationSection mareConfig)
+    {
+        services.AddDbContextPool<MareDbContext>(options =>
+        {
+            options.UseNpgsql(_configuration.GetConnectionString("DefaultConnection"), builder =>
+            {
+                builder.MigrationsHistoryTable("_efmigrationshistory", "public");
+                builder.MigrationsAssembly("MareSynchronosShared");
+            }).UseSnakeCaseNamingConvention();
+            options.EnableThreadSafetyChecks(false);
+        }, mareConfig.GetValue(nameof(MareConfigurationBase.DbContextPoolSize), 1024));
+        services.AddDbContextFactory<MareDbContext>(options =>
+        {
+            options.UseNpgsql(_configuration.GetConnectionString("DefaultConnection"), builder =>
+            {
+                builder.MigrationsHistoryTable("_efmigrationshistory", "public");
+                builder.MigrationsAssembly("MareSynchronosShared");
+            }).UseSnakeCaseNamingConvention();
+            options.EnableThreadSafetyChecks(false);
+        });
+    }
+}

MareSynchronosServer/MareSynchronosAuthService/appsettings.Development.json

@@ -0,0 +1,8 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft.AspNetCore": "Warning"
+    }
+  }
+}

MareSynchronosServer/MareSynchronosAuthService/appsettings.json

@@ -0,0 +1,9 @@
+{
+  "Logging": {
+    "LogLevel": {
+      "Default": "Information",
+      "Microsoft.AspNetCore": "Warning"
+    }
+  },
+  "AllowedHosts": "*"
+}