Add JWT support for the frontend changes

Author: Blackburn29

src/Fragment.NetSlum.Server/Api/Controllers/LobbiesController.cs

@@ -2,12 +2,14 @@
 using Fragment.NetSlum.Networking.Stores;
 using Fragment.NetSlum.Server.Api.Models;
 using Fragment.NetSlum.Server.Mappings;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 
 namespace Fragment.NetSlum.Server.Api.Controllers;
 
 [ApiController]
 [Route("api/[controller]")]
+[Authorize]
 public class LobbiesController : ControllerBase
 {
     private readonly ChatLobbyStore _lobbyStore;

src/Fragment.NetSlum.Server/Authentication/Configuration/DiscordAuthOptions.cs

@@ -0,0 +1,6 @@
+namespace Fragment.NetSlum.Server.Authentication.Configuration;
+
+public class DiscordAuthOptions
+{
+    public string JwtSecret { get; set; } = default!;
+}

src/Fragment.NetSlum.Server/Authentication/DiscordJwtTokenHandler.cs

@@ -0,0 +1,34 @@
+using System;
+using System.IdentityModel.Tokens.Jwt;
+using System.Security.Claims;
+using System.Security.Cryptography;
+using System.Text;
+using Fragment.NetSlum.Server.Authentication.Configuration;
+using Microsoft.Extensions.Options;
+using Microsoft.IdentityModel.Tokens;
+
+namespace Fragment.NetSlum.Server.Authentication;
+
+public class DiscordJwtTokenHandler : JwtSecurityTokenHandler
+{
+    private readonly IOptions<DiscordAuthOptions> _options;
+
+    public DiscordJwtTokenHandler(IOptions<DiscordAuthOptions> options)
+    {
+        _options = options;
+    }
+
+    public override ClaimsPrincipal ValidateToken(string token, TokenValidationParameters validationParameters, out SecurityToken validatedToken)
+    {
+        var iv = MD5.HashData(Encoding.UTF8.GetBytes(_options.Value.JwtSecret));
+
+        using var aes = Aes.Create();
+        aes.KeySize = 256;
+        aes.Key = Encoding.UTF8.GetBytes(_options.Value.JwtSecret);
+        aes.IV = iv;
+        aes.Mode = CipherMode.CBC;
+        aes.Padding = PaddingMode.PKCS7;
+
+        return base.ValidateToken(token, validationParameters, out validatedToken);
+    }
+}

src/Fragment.NetSlum.Server/Fragment.NetSlum.Server.csproj

@@ -16,6 +16,7 @@
           <PrivateAssets>all</PrivateAssets>
           <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
         </PackageReference>
+        <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.19" />
         <PackageReference Include="Microsoft.EntityFrameworkCore.Design" Version="8.0.19">
           <PrivateAssets>all</PrivateAssets>
           <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
@@ -29,6 +30,7 @@
         <PackageReference Include="NSwag.AspNetCore" Version="14.5.0" />
         <PackageReference Include="Riok.Mapperly" Version="4.2.1" />
         <PackageReference Include="Serilog.AspNetCore" Version="9.0.0" />
+        <PackageReference Include="Serilog.Enrichers.ClientInfo" Version="2.3.0" />
         <PackageReference Include="Serilog.Settings.Configuration" Version="9.0.0" />
         <PackageReference Include="Serilog.Sinks.Console" Version="6.0.0" />
         <PackageReference Include="Serilog.Sinks.File" Version="7.0.0" />

src/Fragment.NetSlum.Server/Startup.cs

@@ -1,25 +1,33 @@
 using System.Data;
+using System.Net.Http.Headers;
+using System.Security.Cryptography;
 using System.Text;
 using System.Text.Json;
 using System.Text.Json.Serialization;
+using System.Threading.Tasks;
 using Fragment.NetSlum.Core.CommandBus;
 using Fragment.NetSlum.Networking.Extensions;
 using Fragment.NetSlum.Networking.Stores;
 using Fragment.NetSlum.Persistence;
 using Fragment.NetSlum.Persistence.Extensions;
 using Fragment.NetSlum.Persistence.Interceptors;
 using Fragment.NetSlum.Persistence.Listeners;
+using Fragment.NetSlum.Server.Authentication;
+using Fragment.NetSlum.Server.Authentication.Configuration;
 using Fragment.NetSlum.Server.Converters;
 using Fragment.NetSlum.Server.Servers;
 using Fragment.NetSlum.Server.Services;
 using Fragment.NetSlum.TcpServer;
 using HealthChecks.UI.Client;
+using Microsoft.AspNetCore.Authentication.JwtBearer;
 using Microsoft.AspNetCore.Builder;
 using Microsoft.AspNetCore.Diagnostics.HealthChecks;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Options;
+using Microsoft.IdentityModel.Tokens;
 using Serilog;
 
 namespace Fragment.NetSlum.Server;
@@ -40,7 +48,8 @@ public void ConfigureServices(IServiceCollection services)
         // Add failsafe to ensure the database is never executed on the original one
         if (connectionString!.Contains("Database=fragment;"))
         {
-            throw new ConstraintException("Auto-migrations have been disabled. The connection string contains the old database information!");
+            throw new ConstraintException(
+                "Auto-migrations have been disabled. The connection string contains the old database information!");
         }
 
         services
@@ -69,13 +78,49 @@ public void ConfigureServices(IServiceCollection services)
             .AddDbContextCheck<FragmentContext>()
             .AddPrivateMemoryHealthCheck(2147483648)
             .AddProcessAllocatedMemoryHealthCheck(2048)
-        ;
+            ;
+
+        services.Configure<DiscordAuthOptions>(Configuration.GetSection("Authentication"));
+
+        services.AddAuthentication()
+            .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme);
+
+        services.AddOptions<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme)
+            .Configure<IOptions<DiscordAuthOptions>>((options, discordOptions) =>
+            {
+                options.TokenHandlers.Clear();
+                options.TokenHandlers.Add(new DiscordJwtTokenHandler(discordOptions));
+
+                options.Events = new JwtBearerEvents
+                {
+                    // Allow the JWT policy to accept the token from either the Authorization header, or the 'token' cookie
+                    // supplied in the request
+                    OnMessageReceived = context =>
+                    {
+                        context.Token = context.HttpContext.Request.Headers.TryGetValue("Authorization", out var bearerToken)
+                            ? AuthenticationHeaderValue.Parse(bearerToken.ToString()).Parameter
+                            : context.HttpContext.Request.Cookies["netslum-token"];
+
+                        return Task.CompletedTask;
+                    },
+                };
+
+                options.MapInboundClaims = true;
+                options.IncludeErrorDetails = true;
+                options.TokenValidationParameters = new TokenValidationParameters
+                {
+                    RequireSignedTokens = true,
+                    ValidateAudience = false,
+                    ValidateIssuer = false,
+                    ValidateIssuerSigningKey = true,
+                    IncludeTokenOnFailedValidation = true,
+                    ValidateLifetime = true,
+                    IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(discordOptions.Value.JwtSecret)),
+                };
+            });
 
         // Register command bus
-        services.AddMediator(opt =>
-        {
-            opt.ServiceLifetime = ServiceLifetime.Transient;
-        });
+        services.AddMediator(opt => { opt.ServiceLifetime = ServiceLifetime.Transient; });
         services.AddScoped<ICommandBus, MediatorCommandBus>();
 
         services.AddOpenApiDocument(doc =>
@@ -99,19 +144,30 @@ public void ConfigureServices(IServiceCollection services)
 
     public void Configure(IApplicationBuilder app, IHostEnvironment env)
     {
+        app.UseSerilogRequestLogging(o =>
+        {
+            o.MessageTemplate =
+                "HTTP [{ClientIp}] {RequestMethod} {RequestPath} responded {StatusCode} in {Elapsed:0.0000} ms";
+            o.IncludeQueryInRequestPath = true;
+        });
+
         app.UseRouting();
         app.UseCors(opt =>
         {
+            opt.SetIsOriginAllowedToAllowWildcardSubdomains();
             opt.AllowAnyHeader();
             opt.AllowAnyMethod();
-            opt.AllowAnyOrigin();
+            opt.WithOrigins(Configuration.GetValue<string>("AllowedOrigins")?.Split(",") ?? ["*"])
+                .AllowCredentials();
         });
 
         app.UseHealthChecks("/api/health", new HealthCheckOptions
         {
             ResponseWriter = UIResponseWriter.WriteHealthCheckUIResponse,
         });
 
+        app.UseAuthentication();
+        app.UseAuthorization();
         app.UseStaticFiles();
         app.UseOpenApi();
         app.UseSwaggerUi(opt =>

src/Fragment.NetSlum.Server/serverConfig.Production.json

@@ -1,6 +1,7 @@
 {
     "Serilog": {
         "Using": [
+            "Serilog.Enrichers.ClientInfo",
             "Serilog.Sinks.Console"
         ],
         "MinimumLevel": {
@@ -12,7 +13,8 @@
         },
         "Enrich": [
             "FromLogContext",
-            "WithMachineName"
+            "WithMachineName",
+            "WithClientIp"
         ],
         "WriteTo": [
             {

src/Fragment.NetSlum.Server/serverConfig.json

@@ -1,37 +1,44 @@
 {
-  "Serilog": {
-    "Using": [
-      "Serilog.Sinks.Console"
-    ],
-    "MinimumLevel": {
-      "Default": "Debug",
-      "Override": {
-        "Microsoft.AspNetCore": "Warning",
-        "Microsoft.EntityFrameworkCore": "Warning"
-      }
-    },
-    "Enrich": [
-      "FromLogContext",
-      "WithMachineName"
-    ],
-    "WriteTo": [
-      {
-        "Name": "Console",
-        "Args": {
-          "outputTemplate": "[{Timestamp:HH:mm:ss.fff}] [{Application}] [{Level:u3}] [{RequestId}] [{SourceContext}]: {Message:lj}{NewLine}{Exception}"
+    "Serilog": {
+        "Using": [
+            "Serilog.Enrichers.ClientInfo",
+            "Serilog.Sinks.Console"
+        ],
+        "MinimumLevel": {
+            "Default": "Debug",
+            "Override": {
+                "Microsoft.AspNetCore": "Warning",
+                "Microsoft.AspNetCore.Authentication": "Information",
+                "Microsoft.EntityFrameworkCore": "Warning"
+            }
+        },
+        "Enrich": [
+            "FromLogContext",
+            "WithMachineName",
+            "WithClientIp"
+        ],
+        "WriteTo": [
+            {
+                "Name": "Console",
+                "Args": {
+                    "outputTemplate": "[{Timestamp:HH:mm:ss.fff}] [{Application}] [{Level:u3}] [{RequestId}] [{SourceContext}]: {Message:lj}{NewLine}{Exception}"
+                }
+            }
+        ],
+        "Properties": {
+            "Application": "Fragment.NetSlum.Server",
+            "Environment": "local"
         }
-      }
-    ],
-    "Properties": {
-      "Application": "Fragment.NetSlum.Server",
-      "Environment": "local"
-    }
-  },
-  "ConnectionStrings": {
-    "Database": ""
-  },
-  "TcpServer": {
-    "IpAddress": "0.0.0.0",
-    "Port": 49000
-  }
+    },
+    "ConnectionStrings": {
+        "Database": ""
+    },
+    "TcpServer": {
+        "IpAddress": "0.0.0.0",
+        "Port": 49000
+    },
+    "Authentication": {
+        "JwtSecret": ""
+    },
+    "AllowedOrigins": "http://localhost:3000,https://fragment.psrewired.com"
 }