| | | 1 | | using System.Security.Claims; |
| | | 2 | | using System.Text; |
| | | 3 | | using Kestrun.Claims; |
| | | 4 | | using Microsoft.AspNetCore.Authentication; |
| | | 5 | | |
| | | 6 | | namespace Kestrun.Authentication; |
| | | 7 | | |
| | | 8 | | /// <summary> |
| | | 9 | | /// Options for API key authentication, including header names, validation, and claims issuance. |
| | | 10 | | /// </summary> |
| | | 11 | | public class ApiKeyAuthenticationOptions : AuthenticationSchemeOptions, IAuthenticationCommonOptions |
| | | 12 | | { |
| | | 13 | | /// <summary> |
| | | 14 | | /// Name of the header to look for the API key. |
| | | 15 | | /// </summary> |
| | 65 | 16 | | public string HeaderName { get; set; } = "X-Api-Key"; |
| | | 17 | | |
| | | 18 | | /// <summary> |
| | | 19 | | /// Other headers to try if the primary one is missing. |
| | | 20 | | /// <para>Defaults to empty.</para> |
| | | 21 | | /// <para>Use this to support multiple header names for the API key.</para> |
| | | 22 | | /// </summary> |
| | 51 | 23 | | public string[] AdditionalHeaderNames { get; set; } = []; |
| | | 24 | | |
| | | 25 | | /// <summary> |
| | | 26 | | /// If true, also look for the key in the query string. |
| | | 27 | | /// <para>Defaults to false.</para> |
| | | 28 | | /// <para>Note: this is less secure, as query strings can be logged.</para> |
| | | 29 | | /// <para>Use with caution.</para> |
| | | 30 | | /// </summary> |
| | 19 | 31 | | public bool AllowQueryStringFallback { get; set; } |
| | | 32 | | |
| | | 33 | | /// <summary> |
| | | 34 | | /// Single expected API key (used if ValidateKey is not set). |
| | | 35 | | /// <para>Defaults to null.</para> |
| | | 36 | | /// <para>Use this for simple scenarios where you have a known key.</para> |
| | | 37 | | /// </summary> |
| | 57 | 38 | | public string? ExpectedKey { get; set; } |
| | | 39 | | |
| | | 40 | | /// <summary> |
| | | 41 | | /// Gets the expected API key as a UTF-8 byte array, or null if <see cref="ExpectedKey"/> is not set. |
| | | 42 | | /// </summary> |
| | 20 | 43 | | public byte[]? ExpectedKeyBytes => ExpectedKey is not null ? Encoding.UTF8.GetBytes(ExpectedKey) : null; |
| | | 44 | | |
| | | 45 | | /// <summary> |
| | | 46 | | /// Logger for this authentication scheme. |
| | | 47 | | /// <para>Defaults to Serilog's global logger.</para> |
| | | 48 | | /// </summary> |
| | 127 | 49 | | public Serilog.ILogger Logger { get; set; } = Serilog.Log.ForContext<ApiKeyAuthenticationOptions>(); |
| | | 50 | | |
| | | 51 | | /// <summary> |
| | | 52 | | /// If true, requires HTTPS for API key requests. |
| | | 53 | | /// </summary> |
| | 61 | 54 | | public bool RequireHttps { get; set; } = true; |
| | | 55 | | |
| | | 56 | | /// <summary> |
| | | 57 | | /// If true, includes the <c>WWW-Authenticate</c> header in 401 responses. |
| | | 58 | | /// <para>Default: <c>true</c>.</para> |
| | | 59 | | /// <para>Set to <c>false</c> to suppress automatic hints to clients.</para> |
| | | 60 | | /// </summary> |
| | 50 | 61 | | public bool EmitChallengeHeader { get; set; } = true; |
| | | 62 | | |
| | | 63 | | /// <summary> |
| | | 64 | | /// Format for the <c>WWW-Authenticate</c> header in 401 responses. |
| | | 65 | | /// <para> |
| | | 66 | | /// If set to <c>ApiKeyHeader</c>, emits <c>ApiKey header="X-Api-Key"</c>. |
| | | 67 | | /// If set to <c>HeaderOnly</c>, emits just the header name. |
| | | 68 | | /// </para> |
| | | 69 | | /// </summary> |
| | 10 | 70 | | public ApiKeyChallengeFormat ChallengeHeaderFormat { get; set; } = ApiKeyChallengeFormat.ApiKeyHeader; |
| | | 71 | | |
| | | 72 | | /// <summary> |
| | | 73 | | /// Called to validate the raw key string. Return true if valid. |
| | | 74 | | /// <para>This is called for every request, so it should be fast.</para> |
| | | 75 | | /// </summary> |
| | 44 | 76 | | public Func<HttpContext, string, byte[], Task<bool>> ValidateKeyAsync { get; set; } = (_, _, _) => Task.FromResult(f |
| | | 77 | | |
| | | 78 | | /// <summary> |
| | | 79 | | /// Settings for the authentication code, if using a script. |
| | | 80 | | /// </summary> |
| | | 81 | | /// <remarks> |
| | | 82 | | /// This allows you to specify the language, code, and additional imports/refs. |
| | | 83 | | /// </remarks> |
| | 45 | 84 | | public AuthenticationCodeSettings ValidateCodeSettings { get; set; } = new(); |
| | | 85 | | |
| | | 86 | | /// <summary> |
| | | 87 | | /// After credentials are valid, this is called to add extra Claims. |
| | | 88 | | /// Parameters: HttpContext, username → IEnumerable of extra claims. |
| | | 89 | | /// </summary> |
| | 14 | 90 | | public Func<HttpContext, string, Task<IEnumerable<Claim>>>? IssueClaims { get; set; } |
| | | 91 | | |
| | | 92 | | /// <summary> |
| | | 93 | | /// Settings for the claims issuing code, if using a script. |
| | | 94 | | /// </summary> |
| | | 95 | | /// <remarks> |
| | | 96 | | /// This allows you to specify the language, code, and additional imports/refs for claims issuance. |
| | | 97 | | /// </remarks> |
| | 45 | 98 | | public AuthenticationCodeSettings IssueClaimsCodeSettings { get; set; } = new(); |
| | | 99 | | |
| | | 100 | | /// <summary> |
| | | 101 | | /// Gets or sets the claim policy configuration. |
| | | 102 | | /// </summary> |
| | | 103 | | /// <remarks> |
| | | 104 | | /// This allows you to define multiple authorization policies based on claims. |
| | | 105 | | /// Each policy can specify a claim type and allowed values. |
| | | 106 | | /// </remarks> |
| | 9 | 107 | | public ClaimPolicyConfig? ClaimPolicyConfig { get; set; } |
| | | 108 | | } |