feat(security): AutoLoginAuthenticationHandler — all-roles system-wide dev auto-login
This commit is contained in:
Joseph Doherty
@@ -0,0 +1,60 @@
|
||||
using System.Security.Claims;
|
||||
using System.Text.Encodings.Web;
|
||||
using Microsoft.AspNetCore.Authentication;
|
||||
using Microsoft.AspNetCore.Authentication.Cookies;
|
||||
using Microsoft.Extensions.Logging;
|
||||
using Microsoft.Extensions.Options;
|
||||
|
||||
namespace ZB.MOM.WW.ScadaBridge.Security.Auth;
|
||||
|
||||
/// <summary>
|
||||
/// Auth handler used ONLY when <see cref="AuthDisableLoginOptions.DisableLogin"/> is true.
|
||||
/// Registered under the cookie scheme name, it authenticates EVERY request as the configured
|
||||
/// dev user with all <see cref="Roles.All"/> roles, system-wide — no credential check, no cookie.
|
||||
/// The minted principal mirrors a real login (it reuses <see cref="SessionClaimBuilder"/>).
|
||||
/// Dev/test ONLY.
|
||||
/// </summary>
|
||||
public sealed class AutoLoginAuthenticationHandler
|
||||
: AuthenticationHandler<AuthenticationSchemeOptions>, IAuthenticationSignInHandler
|
||||
{
|
||||
private readonly AuthDisableLoginOptions _opts;
|
||||
private readonly TimeProvider _clock;
|
||||
|
||||
/// <summary>Initializes the handler with the scheme plumbing, the disable-login options, and the clock.</summary>
|
||||
public AutoLoginAuthenticationHandler(
|
||||
IOptionsMonitor<AuthenticationSchemeOptions> options,
|
||||
ILoggerFactory logger,
|
||||
UrlEncoder encoder,
|
||||
IOptions<AuthDisableLoginOptions> disableLoginOptions,
|
||||
TimeProvider clock)
|
||||
: base(options, logger, encoder)
|
||||
{
|
||||
_opts = disableLoginOptions.Value;
|
||||
_clock = clock;
|
||||
}
|
||||
|
||||
/// <summary>No-op: auto-login writes no cookie, so an explicit sign-in has nothing to persist.</summary>
|
||||
public Task SignInAsync(ClaimsPrincipal user, AuthenticationProperties? properties) => Task.CompletedTask;
|
||||
|
||||
/// <summary>No-op: there is no auth cookie to clear; the next request re-authenticates via this handler.</summary>
|
||||
public Task SignOutAsync(AuthenticationProperties? properties) => Task.CompletedTask;
|
||||
|
||||
/// <inheritdoc />
|
||||
protected override Task<AuthenticateResult> HandleAuthenticateAsync()
|
||||
{
|
||||
var user = string.IsNullOrWhiteSpace(_opts.User) ? "multi-role" : _opts.User;
|
||||
|
||||
// All roles, system-wide (no site-scope claims). Reuse the canonical builder so the
|
||||
// principal is shape-identical to a real all-roles system-wide login.
|
||||
var mapping = new RoleMappingResult(Roles.All, [], IsSystemWideDeployment: true);
|
||||
var principal = SessionClaimBuilder.Build(
|
||||
username: user,
|
||||
displayName: user,
|
||||
groups: [],
|
||||
mapping: mapping,
|
||||
refreshTimestamp: _clock.GetUtcNow());
|
||||
|
||||
var ticket = new AuthenticationTicket(principal, Scheme.Name);
|
||||
return Task.FromResult(AuthenticateResult.Success(ticket));
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user