You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
146 lines
5.0 KiB
146 lines
5.0 KiB
using Microsoft.AspNetCore.DataProtection;
|
|
using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
|
|
using Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.ConfigurationModel;
|
|
using Microsoft.AspNetCore.Identity;
|
|
using Microsoft.EntityFrameworkCore;
|
|
using Microsoft.IdentityModel.Tokens;
|
|
using Microsoft.OpenApi.Models;
|
|
using OAuthServer;
|
|
using OAuthServer.Services;
|
|
|
|
var builder = WebApplication.CreateBuilder(args);
|
|
|
|
// Add logging to console
|
|
builder.Logging.AddConsole();
|
|
|
|
// Add services to the container.
|
|
builder.Services.AddControllers();
|
|
builder.Services.AddEndpointsApiExplorer();
|
|
builder.Services.AddSwaggerGen(options => {
|
|
// Create a authentication schema for JWT tokens
|
|
options.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme {
|
|
Description = "JWT Authorization header using the Bearer scheme. Example: \"Authorization: Bearer {token}\"",
|
|
Name = "Authorization",
|
|
In = ParameterLocation.Header,
|
|
Type = SecuritySchemeType.Http,
|
|
Scheme = "bearer",
|
|
Reference = new OpenApiReference {
|
|
Type = ReferenceType.SecurityScheme,
|
|
Id = "Bearer"
|
|
}
|
|
});
|
|
options.AddSecurityRequirement(new OpenApiSecurityRequirement {
|
|
{
|
|
new OpenApiSecurityScheme {
|
|
Reference = new OpenApiReference {
|
|
Type = ReferenceType.SecurityScheme,
|
|
Id = "Bearer"
|
|
}
|
|
},
|
|
new string[] { }
|
|
}
|
|
});
|
|
});
|
|
|
|
builder.Services.AddDbContext<AppDbContext>(options => { options.UseSqlite("DataSource=db.sqlite3"); });
|
|
|
|
builder.Services.AddIdentity<IdentityUser, IdentityRole>(options => { options.Stores.MaxLengthForKeys = 128; })
|
|
.AddEntityFrameworkStores<AppDbContext>()
|
|
.AddDefaultTokenProviders();
|
|
|
|
// Load the signing key from a file if it exists or create a new one
|
|
var rsaKey = JwtService.GetSigningKey();
|
|
|
|
// Add the JWT authentication method
|
|
builder.Services.AddAuthentication().AddJwtBearer("OAuthToken", options => {
|
|
options.SaveToken = false;
|
|
options.TokenValidationParameters = new TokenValidationParameters() {
|
|
ValidateIssuer = false,
|
|
ValidateAudience = false,
|
|
RequireSignedTokens = true,
|
|
IssuerSigningKey = new RsaSecurityKey(rsaKey)
|
|
};
|
|
});
|
|
|
|
builder.Services.Configure<IdentityOptions>(options => {
|
|
// SignIn settings.
|
|
options.SignIn.RequireConfirmedAccount = false;
|
|
options.SignIn.RequireConfirmedEmail = false;
|
|
options.SignIn.RequireConfirmedPhoneNumber = false;
|
|
|
|
// Lockout settings.
|
|
options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(5);
|
|
options.Lockout.MaxFailedAccessAttempts = 5;
|
|
options.Lockout.AllowedForNewUsers = true;
|
|
|
|
// Password settings.
|
|
options.Password.RequireDigit = false;
|
|
options.Password.RequireLowercase = false;
|
|
options.Password.RequireNonAlphanumeric = false;
|
|
options.Password.RequireUppercase = false;
|
|
options.Password.RequiredLength = 1;
|
|
options.Password.RequiredUniqueChars = 1;
|
|
});
|
|
|
|
builder.Services.ConfigureApplicationCookie(options => {
|
|
// Cookie options
|
|
options.Cookie.Name = "AuthCookie";
|
|
options.Cookie.HttpOnly = true;
|
|
|
|
options.ExpireTimeSpan = TimeSpan.FromHours(24);
|
|
options.SlidingExpiration = true;
|
|
|
|
options.LoginPath = "/login";
|
|
options.LogoutPath = "/logout";
|
|
});
|
|
|
|
// Force Identity's security stamp to be validated every minute.
|
|
builder.Services.Configure<SecurityStampValidatorOptions>(options => {
|
|
options.ValidationInterval = TimeSpan.FromMinutes(10);
|
|
});
|
|
|
|
// Set a more secure password hashing iteration count
|
|
builder.Services.Configure<PasswordHasherOptions>(option => { option.IterationCount = 100_000; });
|
|
|
|
builder.Services.AddDataProtection().UseCryptographicAlgorithms(new AuthenticatedEncryptorConfiguration() {
|
|
EncryptionAlgorithm = EncryptionAlgorithm.AES_256_CBC,
|
|
ValidationAlgorithm = ValidationAlgorithm.HMACSHA256
|
|
});
|
|
|
|
// Add policy-based authorization
|
|
builder.Services.AddAuthorization(options => {
|
|
// Require either role to authenticate as Contestant
|
|
options.AddPolicy("User", policy => policy
|
|
.RequireRole("User")
|
|
.AddAuthenticationSchemes(IdentityConstants.ApplicationScheme)
|
|
);
|
|
|
|
// Require the External role to authenticate with a different authentication method
|
|
options.AddPolicy("External", policy => policy
|
|
.RequireRole("External")
|
|
.AddAuthenticationSchemes("OAuthToken")
|
|
);
|
|
});
|
|
|
|
builder.Services.AddSingleton<JwtService>();
|
|
|
|
var app = builder.Build();
|
|
|
|
// Configure the HTTP request pipeline.
|
|
if (app.Environment.IsDevelopment()) {
|
|
app.UseSwagger();
|
|
app.UseSwaggerUI();
|
|
}
|
|
|
|
app.MapControllers();
|
|
|
|
// Automatically apply migrations to database on startup
|
|
var scopeFactory = app.Services.GetRequiredService<IServiceScopeFactory>();
|
|
using (var scope = scopeFactory.CreateScope()) {
|
|
using (var databaseContext = scope.ServiceProvider.GetRequiredService<AppDbContext>()) {
|
|
// Migrate the database
|
|
databaseContext.Database.Migrate();
|
|
}
|
|
}
|
|
|
|
app.Run(); |