michael.heier/jellyfin
1
0
Fork 0
Code Issues Pull Requests Actions 2 Packages Projects Releases Wiki Activity

Allow apikey to authenticate as admin

Browse Source
This commit is contained in:
crobibero 2020-10-14 17:58:33 -06:00
parent 8ffa14e6d3
commit 39924f9992
4 changed files with 77 additions and 73 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
Emby.Server.Implementations/HttpServer/Security/AuthService.cs
View File

@ -19,12 +19,7 @@ namespace Emby.Server.Implementations.HttpServer.Security
public AuthorizationInfo Authenticate(HttpRequest request) public AuthorizationInfo Authenticate(HttpRequest request)
{ {
var auth = _authorizationContext.GetAuthorizationInfo(request); var auth = _authorizationContext.GetAuthorizationInfo(request);
if (auth?.User == null) if (auth.User?.HasPermission(PermissionKind.IsDisabled) ?? false)
{
return null;
}
if (auth.User.HasPermission(PermissionKind.IsDisabled))
{ {
throw new SecurityException("User account has been disabled."); throw new SecurityException("User account has been disabled.");
} }

120
Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
View File

@ -111,81 +111,83 @@ namespace Emby.Server.Implementations.HttpServer.Security
Token = token Token = token
}; };
AuthenticationInfo originalAuthenticationInfo = null; if (string.IsNullOrWhiteSpace(token))
if (!string.IsNullOrWhiteSpace(token))
{ {
var result = _authRepo.Get(new AuthenticationInfoQuery // Request doesn't contain a token.
throw new SecurityException("Unauthorized.");
}
var result = _authRepo.Get(new AuthenticationInfoQuery
{
AccessToken = token
});
var originalAuthenticationInfo = result.Items.Count > 0 ? result.Items[0] : null;
if (originalAuthenticationInfo != null)
{
var updateToken = false;
// TODO: Remove these checks for IsNullOrWhiteSpace
if (string.IsNullOrWhiteSpace(authInfo.Client))
{ {
AccessToken = token authInfo.Client = originalAuthenticationInfo.AppName;
}); }
originalAuthenticationInfo = result.Items.Count > 0 ? result.Items[0] : null; if (string.IsNullOrWhiteSpace(authInfo.DeviceId))
if (originalAuthenticationInfo != null)
{ {
var updateToken = false; authInfo.DeviceId = originalAuthenticationInfo.DeviceId;
}
// TODO: Remove these checks for IsNullOrWhiteSpace // Temporary. TODO - allow clients to specify that the token has been shared with a casting device
if (string.IsNullOrWhiteSpace(authInfo.Client)) var allowTokenInfoUpdate = authInfo.Client == null || authInfo.Client.IndexOf("chromecast", StringComparison.OrdinalIgnoreCase) == -1;
{
authInfo.Client = originalAuthenticationInfo.AppName;
}
if (string.IsNullOrWhiteSpace(authInfo.DeviceId)) if (string.IsNullOrWhiteSpace(authInfo.Device))
{
authInfo.Device = originalAuthenticationInfo.DeviceName;
}
else if (!string.Equals(authInfo.Device, originalAuthenticationInfo.DeviceName, StringComparison.OrdinalIgnoreCase))
{
if (allowTokenInfoUpdate)
{ {
authInfo.DeviceId = originalAuthenticationInfo.DeviceId; updateToken = true;
originalAuthenticationInfo.DeviceName = authInfo.Device;
} }
}
// Temporary. TODO - allow clients to specify that the token has been shared with a casting device if (string.IsNullOrWhiteSpace(authInfo.Version))
var allowTokenInfoUpdate = authInfo.Client == null || authInfo.Client.IndexOf("chromecast", StringComparison.OrdinalIgnoreCase) == -1; {
authInfo.Version = originalAuthenticationInfo.AppVersion;
}
else if (!string.Equals(authInfo.Version, originalAuthenticationInfo.AppVersion, StringComparison.OrdinalIgnoreCase))
{
if (allowTokenInfoUpdate)
{
updateToken = true;
originalAuthenticationInfo.AppVersion = authInfo.Version;
}
}
if (string.IsNullOrWhiteSpace(authInfo.Device)) if ((DateTime.UtcNow - originalAuthenticationInfo.DateLastActivity).TotalMinutes > 3)
{ {
authInfo.Device = originalAuthenticationInfo.DeviceName; originalAuthenticationInfo.DateLastActivity = DateTime.UtcNow;
} updateToken = true;
else if (!string.Equals(authInfo.Device, originalAuthenticationInfo.DeviceName, StringComparison.OrdinalIgnoreCase)) }
{
if (allowTokenInfoUpdate)
{
updateToken = true;
originalAuthenticationInfo.DeviceName = authInfo.Device;
}
}
if (string.IsNullOrWhiteSpace(authInfo.Version)) if (!originalAuthenticationInfo.UserId.Equals(Guid.Empty))
{ {
authInfo.Version = originalAuthenticationInfo.AppVersion; authInfo.User = _userManager.GetUserById(originalAuthenticationInfo.UserId);
}
else if (!string.Equals(authInfo.Version, originalAuthenticationInfo.AppVersion, StringComparison.OrdinalIgnoreCase))
{
if (allowTokenInfoUpdate)
{
updateToken = true;
originalAuthenticationInfo.AppVersion = authInfo.Version;
}
}
if ((DateTime.UtcNow - originalAuthenticationInfo.DateLastActivity).TotalMinutes > 3) if (authInfo.User != null && !string.Equals(authInfo.User.Username, originalAuthenticationInfo.UserName, StringComparison.OrdinalIgnoreCase))
{ {
originalAuthenticationInfo.DateLastActivity = DateTime.UtcNow; originalAuthenticationInfo.UserName = authInfo.User.Username;
updateToken = true; updateToken = true;
} }
}
if (!originalAuthenticationInfo.UserId.Equals(Guid.Empty)) if (updateToken)
{ {
authInfo.User = _userManager.GetUserById(originalAuthenticationInfo.UserId); _authRepo.Update(originalAuthenticationInfo);
if (authInfo.User != null && !string.Equals(authInfo.User.Username, originalAuthenticationInfo.UserName, StringComparison.OrdinalIgnoreCase))
{
originalAuthenticationInfo.UserName = authInfo.User.Username;
updateToken = true;
}
}
if (updateToken)
{
_authRepo.Update(originalAuthenticationInfo);
}
} }
} }

9
Jellyfin.Api/Auth/BaseAuthorizationHandler.cs
View File

@ -1,4 +1,5 @@
using System.Security.Claims; using System;
using System.Security.Claims;
using Jellyfin.Api.Helpers; using Jellyfin.Api.Helpers;
using Jellyfin.Data.Enums; using Jellyfin.Data.Enums;
using MediaBrowser.Common.Extensions; using MediaBrowser.Common.Extensions;
@ -57,6 +58,12 @@ namespace Jellyfin.Api.Auth
return false; return false;
} }
// UserId of Guid.Empty means token is an apikey.
if (userId.Equals(Guid.Empty))
{
return true;
}
// Ensure userId links to a valid user. // Ensure userId links to a valid user.
var user = _userManager.GetUserById(userId.Value); var user = _userManager.GetUserById(userId.Value);
if (user == null) if (user == null)

14
Jellyfin.Api/Auth/CustomAuthenticationHandler.cs
View File

@ -1,3 +1,4 @@
using System;
using System.Globalization; using System.Globalization;
using System.Security.Authentication; using System.Security.Authentication;
using System.Security.Claims; using System.Security.Claims;
@ -43,18 +44,17 @@ namespace Jellyfin.Api.Auth
try try
{ {
var authorizationInfo = _authService.Authenticate(Request); var authorizationInfo = _authService.Authenticate(Request);
if (authorizationInfo == null) var role = UserRoles.User;
// UserId of Guid.Empty means token is an apikey.
if (authorizationInfo.UserId.Equals(Guid.Empty) || authorizationInfo.User.HasPermission(PermissionKind.IsAdministrator))
{ {
return Task.FromResult(AuthenticateResult.NoResult()); role = UserRoles.Administrator;
// TODO return when legacy API is removed.
// Don't spam the log with "Invalid User"
// return Task.FromResult(AuthenticateResult.Fail("Invalid user"));
} }
var claims = new[] var claims = new[]
{ {
new Claim(ClaimTypes.Name, authorizationInfo.User.Username), new Claim(ClaimTypes.Name, authorizationInfo.User?.Username ?? string.Empty),
new Claim(ClaimTypes.Role, authorizationInfo.User.HasPermission(PermissionKind.IsAdministrator) ? UserRoles.Administrator : UserRoles.User), new Claim(ClaimTypes.Role, role),
new Claim(InternalClaimTypes.UserId, authorizationInfo.UserId.ToString("N", CultureInfo.InvariantCulture)), new Claim(InternalClaimTypes.UserId, authorizationInfo.UserId.ToString("N", CultureInfo.InvariantCulture)),
new Claim(InternalClaimTypes.DeviceId, authorizationInfo.DeviceId), new Claim(InternalClaimTypes.DeviceId, authorizationInfo.DeviceId),
new Claim(InternalClaimTypes.Device, authorizationInfo.Device), new Claim(InternalClaimTypes.Device, authorizationInfo.Device),