| | | 1 | | using System.Security.Claims; |
| | | 2 | | using System.Text; |
| | | 3 | | using Kestrun.Claims; |
| | | 4 | | using Kestrun.Hosting; |
| | | 5 | | using Microsoft.AspNetCore.Authentication; |
| | | 6 | | using Microsoft.OpenApi; |
| | | 7 | | |
| | | 8 | | namespace Kestrun.Authentication; |
| | | 9 | | |
| | | 10 | | /// <summary> |
| | | 11 | | /// Options for API key authentication, including header names, validation, and claims issuance. |
| | | 12 | | /// </summary> |
| | 39 | 13 | | public class ApiKeyAuthenticationOptions() : AuthenticationSchemeOptions, IAuthenticationCommonOptions, IAuthenticationH |
| | | 14 | | { |
| | | 15 | | /// <inheritdoc/> |
| | 0 | 16 | | public string? DisplayName { get; set; } |
| | | 17 | | /// <inheritdoc/> |
| | 20 | 18 | | public bool GlobalScheme { get; set; } |
| | | 19 | | |
| | | 20 | | /// <inheritdoc/> |
| | 20 | 21 | | public string? Description { get; set; } |
| | | 22 | | |
| | | 23 | | /// <inheritdoc/> |
| | 77 | 24 | | public string[] DocumentationId { get; set; } = []; |
| | | 25 | | |
| | | 26 | | /// <inheritdoc/> |
| | 136 | 27 | | public KestrunHost Host { get; set; } = default!; |
| | | 28 | | |
| | | 29 | | private Serilog.ILogger? _logger; |
| | | 30 | | /// <inheritdoc/> |
| | | 31 | | public Serilog.ILogger Logger |
| | | 32 | | { |
| | 50 | 33 | | get => _logger ?? (Host is null ? Serilog.Log.Logger : Host.Logger); set => _logger = value; |
| | | 34 | | } |
| | | 35 | | /// <summary> |
| | | 36 | | /// Name of to look for the API key. |
| | | 37 | | /// </summary> |
| | 95 | 38 | | public string ApiKeyName { get; set; } = "X-Api-Key"; |
| | | 39 | | |
| | | 40 | | /// <summary> |
| | | 41 | | /// Location to look for the API key. |
| | | 42 | | /// </summary> |
| | 65 | 43 | | public ParameterLocation In { get; set; } = ParameterLocation.Header; |
| | | 44 | | |
| | | 45 | | /// <summary> |
| | | 46 | | /// Other headers to try if the primary one is missing. |
| | | 47 | | /// <para>Defaults to empty.</para> |
| | | 48 | | /// <para>Use this to support multiple header names for the API key.</para> |
| | | 49 | | /// </summary> |
| | 69 | 50 | | public string[] AdditionalHeaderNames { get; set; } = []; |
| | | 51 | | |
| | | 52 | | /// <summary> |
| | | 53 | | /// If true, also look for the key in the query string. |
| | | 54 | | /// <para>Defaults to false.</para> |
| | | 55 | | /// <para>Note: this is less secure, as query strings can be logged.</para> |
| | | 56 | | /// <para>Use with caution.</para> |
| | | 57 | | /// </summary> |
| | 31 | 58 | | public bool AllowQueryStringFallback { get; set; } |
| | | 59 | | |
| | | 60 | | /// <summary> |
| | | 61 | | /// Single expected API key (used if ValidateKey is not set). |
| | | 62 | | /// <para>Defaults to null.</para> |
| | | 63 | | /// <para>Use this for simple scenarios where you have a known key.</para> |
| | | 64 | | /// </summary> |
| | 69 | 65 | | public string? StaticApiKey { get; set; } |
| | | 66 | | |
| | | 67 | | /// <summary> |
| | | 68 | | /// Gets the expected API key as a UTF-8 byte array, or null if <see cref="StaticApiKey"/> is not set. |
| | | 69 | | /// </summary> |
| | 20 | 70 | | public byte[]? StaticApiKeyAsBytes => StaticApiKey is not null ? Encoding.UTF8.GetBytes(StaticApiKey) : null; |
| | | 71 | | |
| | | 72 | | /// <summary> |
| | | 73 | | /// If true, allows API key authentication over insecure HTTP connections. |
| | | 74 | | /// </summary> |
| | 40 | 75 | | public bool AllowInsecureHttp { get; set; } |
| | | 76 | | |
| | | 77 | | /// <summary> |
| | | 78 | | /// If true, includes the <c>WWW-Authenticate</c> header in 401 responses. |
| | | 79 | | /// <para>Default: <c>true</c>.</para> |
| | | 80 | | /// <para>Set to <c>false</c> to suppress automatic hints to clients.</para> |
| | | 81 | | /// </summary> |
| | 68 | 82 | | public bool EmitChallengeHeader { get; set; } = true; |
| | | 83 | | |
| | | 84 | | /// <summary> |
| | | 85 | | /// Format for the <c>WWW-Authenticate</c> header in 401 responses. |
| | | 86 | | /// <para> |
| | | 87 | | /// If set to <c>ApiKeyHeader</c>, emits <c>ApiKey header="X-Api-Key"</c>. |
| | | 88 | | /// If set to <c>HeaderOnly</c>, emits just the header name. |
| | | 89 | | /// </para> |
| | | 90 | | /// </summary> |
| | 22 | 91 | | public ApiKeyChallengeFormat ChallengeHeaderFormat { get; set; } = ApiKeyChallengeFormat.ApiKeyHeader; |
| | | 92 | | |
| | | 93 | | /// <summary> |
| | | 94 | | /// Called to validate the raw key string. Return true if valid. |
| | | 95 | | /// <para>This is called for every request, so it should be fast.</para> |
| | | 96 | | /// </summary> |
| | 64 | 97 | | public Func<HttpContext, string, byte[], Task<bool>> ValidateKeyAsync { get; set; } = (_, _, _) => Task.FromResult(f |
| | | 98 | | |
| | | 99 | | /// <summary> |
| | | 100 | | /// Settings for the authentication code, if using a script. |
| | | 101 | | /// </summary> |
| | | 102 | | /// <remarks> |
| | | 103 | | /// This allows you to specify the language, code, and additional imports/refs. |
| | | 104 | | /// </remarks> |
| | 63 | 105 | | public AuthenticationCodeSettings ValidateCodeSettings { get; set; } = new(); |
| | | 106 | | |
| | | 107 | | /// <summary> |
| | | 108 | | /// After credentials are valid, this is called to add extra Claims. |
| | | 109 | | /// Parameters: HttpContext, username → IEnumerable of extra claims. |
| | | 110 | | /// </summary> |
| | 28 | 111 | | public Func<HttpContext, string, Task<IEnumerable<Claim>>>? IssueClaims { get; set; } |
| | | 112 | | |
| | | 113 | | /// <summary> |
| | | 114 | | /// Settings for the claims issuing code, if using a script. |
| | | 115 | | /// </summary> |
| | | 116 | | /// <remarks> |
| | | 117 | | /// This allows you to specify the language, code, and additional imports/refs for claims issuance. |
| | | 118 | | /// </remarks> |
| | 63 | 119 | | public AuthenticationCodeSettings IssueClaimsCodeSettings { get; set; } = new(); |
| | | 120 | | |
| | | 121 | | /// <summary> |
| | | 122 | | /// Gets or sets the claim policy configuration. |
| | | 123 | | /// </summary> |
| | | 124 | | /// <remarks> |
| | | 125 | | /// This allows you to define multiple authorization policies based on claims. |
| | | 126 | | /// Each policy can specify a claim type and allowed values. |
| | | 127 | | /// </remarks> |
| | 21 | 128 | | public ClaimPolicyConfig? ClaimPolicyConfig { get; set; } |
| | | 129 | | |
| | | 130 | | /// <summary> |
| | | 131 | | /// Helper to copy values from a user-supplied ApiKeyAuthenticationOptions instance to the instance |
| | | 132 | | /// created by the framework inside AddApiKey(). Reassigning the local variable (opts = source) would |
| | | 133 | | /// not work because only the local reference changes – the framework keeps the original instance |
| | | 134 | | /// </summary> |
| | | 135 | | /// <param name="target">The target instance to which values will be copied. </param> |
| | | 136 | | public void ApplyTo(ApiKeyAuthenticationOptions target) |
| | | 137 | | { |
| | | 138 | | // Copy base AuthenticationSchemeOptions properties |
| | 7 | 139 | | target.ClaimsIssuer = ClaimsIssuer; |
| | 7 | 140 | | target.EventsType = EventsType; |
| | 7 | 141 | | target.Events = Events; |
| | 7 | 142 | | target.ApiKeyName = ApiKeyName; |
| | 7 | 143 | | target.In = In; |
| | 7 | 144 | | target.AdditionalHeaderNames = AdditionalHeaderNames; |
| | 7 | 145 | | target.AllowQueryStringFallback = AllowQueryStringFallback; |
| | 7 | 146 | | target.StaticApiKey = StaticApiKey; |
| | 7 | 147 | | target.AllowInsecureHttp = AllowInsecureHttp; |
| | 7 | 148 | | target.EmitChallengeHeader = EmitChallengeHeader; |
| | 7 | 149 | | target.ChallengeHeaderFormat = ChallengeHeaderFormat; |
| | 7 | 150 | | target.ValidateKeyAsync = ValidateKeyAsync; |
| | 7 | 151 | | target.ValidateCodeSettings = ValidateCodeSettings; |
| | 7 | 152 | | target.IssueClaims = IssueClaims; |
| | 7 | 153 | | target.IssueClaimsCodeSettings = IssueClaimsCodeSettings; |
| | 7 | 154 | | target.ClaimPolicyConfig = ClaimPolicyConfig; |
| | | 155 | | |
| | | 156 | | // Copy IAuthenticationHostOptions properties |
| | 7 | 157 | | target.Host = Host; |
| | | 158 | | // OpenAPI / documentation properties(IOpenApiAuthenticationOptions) |
| | 7 | 159 | | target.GlobalScheme = GlobalScheme; |
| | 7 | 160 | | target.Description = Description; |
| | 7 | 161 | | target.DocumentationId = DocumentationId; |
| | 7 | 162 | | } |
| | | 163 | | } |