feat(security): AutoLoginAuthenticationHandler for dev login bypass
This commit is contained in:
Joseph Doherty
@@ -0,0 +1,56 @@
|
||||
using System.Security.Claims;
|
||||
using System.Text.Encodings.Web;
|
||||
using Microsoft.AspNetCore.Authentication;
|
||||
using Microsoft.AspNetCore.Authentication.Cookies;
|
||||
using Microsoft.Extensions.Logging;
|
||||
using Microsoft.Extensions.Options;
|
||||
using ZB.MOM.WW.Auth.AspNetCore; // ZbClaimTypes — same source AuthEndpoints mints claims from.
|
||||
|
||||
namespace ZB.MOM.WW.OtOpcUa.Security.Auth;
|
||||
|
||||
/// <summary>
|
||||
/// Auth handler used ONLY when <see cref="AuthDisableLoginOptions.DisableLogin"/> is true.
|
||||
/// Registered under the cookie scheme name, it authenticates EVERY request as the configured
|
||||
/// dev user with all <see cref="DevAuthRoles.All"/> roles — no credential check, no cookie.
|
||||
/// The minted principal mirrors the shape the real login (AuthEndpoints) produces.
|
||||
/// </summary>
|
||||
public sealed class AutoLoginAuthenticationHandler
|
||||
: AuthenticationHandler<AuthenticationSchemeOptions>
|
||||
{
|
||||
private readonly AuthDisableLoginOptions _opts;
|
||||
|
||||
/// <summary>Initializes the handler with the scheme plumbing and the disable-login options.</summary>
|
||||
/// <param name="options">The per-scheme authentication options monitor.</param>
|
||||
/// <param name="logger">The logger factory the base handler uses.</param>
|
||||
/// <param name="encoder">The URL encoder the base handler uses.</param>
|
||||
/// <param name="disableLoginOptions">The disable-login dev flag and configured username.</param>
|
||||
public AutoLoginAuthenticationHandler(
|
||||
IOptionsMonitor<AuthenticationSchemeOptions> options,
|
||||
ILoggerFactory logger,
|
||||
UrlEncoder encoder,
|
||||
IOptions<AuthDisableLoginOptions> disableLoginOptions)
|
||||
: base(options, logger, encoder)
|
||||
=> _opts = disableLoginOptions.Value;
|
||||
|
||||
/// <inheritdoc />
|
||||
protected override Task<AuthenticateResult> HandleAuthenticateAsync()
|
||||
{
|
||||
var user = string.IsNullOrWhiteSpace(_opts.User) ? "multi-role-test" : _opts.User;
|
||||
|
||||
var claims = new List<Claim>
|
||||
{
|
||||
// ZbClaimTypes.Name = ClaimTypes.Name — populates Identity.Name canonically.
|
||||
new(ZbClaimTypes.Name, user),
|
||||
new(ZbClaimTypes.Username, user),
|
||||
new(ZbClaimTypes.DisplayName, user),
|
||||
};
|
||||
foreach (var role in DevAuthRoles.All)
|
||||
// ZbClaimTypes.Role = ClaimTypes.Role — framework [Authorize(Roles=...)] + IsInRole work.
|
||||
claims.Add(new Claim(ZbClaimTypes.Role, role));
|
||||
|
||||
var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
|
||||
var principal = new ClaimsPrincipal(identity);
|
||||
var ticket = new AuthenticationTicket(principal, Scheme.Name);
|
||||
return Task.FromResult(AuthenticateResult.Success(ticket));
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user