✨ Auth factors APIs

2025-06-03 23:50:34 +08:00 · 2025-06-03 23:50:34 +08:00 · 49d5ee6184
commit 49d5ee6184
parent e62b2cc5ff
5 changed files with 193 additions and 30 deletions
--- a/DysonNetwork.Sphere/Account/Account.cs
+++ b/DysonNetwork.Sphere/Account/Account.cs
@ -5,6 +5,7 @@ using DysonNetwork.Sphere.Permission;
 using DysonNetwork.Sphere.Storage;
 using Microsoft.EntityFrameworkCore;
 using NodaTime;
+using OtpNet;

 namespace DysonNetwork.Sphere.Account;

@ -21,7 +22,7 @@ public class Account : ModelBase
    public Profile Profile { get; set; } = null!;
    public ICollection<AccountContact> Contacts { get; set; } = new List<AccountContact>();
    public ICollection<Badge> Badges { get; set; } = new List<Badge>();
-    
+
    [JsonIgnore] public ICollection<AccountAuthFactor> AuthFactors { get; set; } = new List<AccountAuthFactor>();
    [JsonIgnore] public ICollection<Auth.Session> Sessions { get; set; } = new List<Auth.Session>();
    [JsonIgnore] public ICollection<Auth.Challenge> Challenges { get; set; } = new List<Auth.Challenge>();
@ -32,18 +33,19 @@ public class Account : ModelBase

 public abstract class Leveling
 {
-    public static readonly List<int> ExperiencePerLevel = [
-        0,      // Level 0
-        100,    // Level 1
-        250,    // Level 2
-        500,    // Level 3
-        1000,   // Level 4
-        2000,   // Level 5
-        4000,   // Level 6
-        8000,   // Level 7
-        16000,  // Level 8
-        32000,  // Level 9
-        64000,  // Level 10
+    public static readonly List<int> ExperiencePerLevel =
+    [
+        0, // Level 0
+        100, // Level 1
+        250, // Level 2
+        500, // Level 3
+        1000, // Level 4
+        2000, // Level 5
+        4000, // Level 6
+        8000, // Level 7
+        16000, // Level 8
+        32000, // Level 9
+        64000, // Level 10
        128000, // Level 11
        256000, // Level 12
        512000, // Level 13
@ -62,17 +64,20 @@ public class Profile : ModelBase
    [MaxLength(1024)] public string? Pronouns { get; set; }
    public Instant? Birthday { get; set; }
    public Instant? LastSeenAt { get; set; }
-    
+
    public int Experience { get; set; } = 0;
    [NotMapped] public int Level => Leveling.ExperiencePerLevel.Count(xp => Experience >= xp) - 1;
-    [NotMapped] public double LevelingProgress => Level >= Leveling.ExperiencePerLevel.Count - 1 ? 100 : 
-        (Experience - Leveling.ExperiencePerLevel[Level]) * 100.0 / 
-        (Leveling.ExperiencePerLevel[Level + 1] - Leveling.ExperiencePerLevel[Level]);
+
+    [NotMapped]
+    public double LevelingProgress => Level >= Leveling.ExperiencePerLevel.Count - 1
+        ? 100
+        : (Experience - Leveling.ExperiencePerLevel[Level]) * 100.0 /
+          (Leveling.ExperiencePerLevel[Level + 1] - Leveling.ExperiencePerLevel[Level]);

    // Outdated fields, for backward compability
    [MaxLength(32)] public string? PictureId { get; set; }
    [MaxLength(32)] public string? BackgroundId { get; set; }
-    
+
    [Column(TypeName = "jsonb")] public CloudFileReferenceObject? Picture { get; set; }
    [Column(TypeName = "jsonb")] public CloudFileReferenceObject? Background { get; set; }

@ -102,7 +107,18 @@ public class AccountAuthFactor : ModelBase
 {
    public Guid Id { get; set; }
    public AccountAuthFactorType Type { get; set; }
-    [MaxLength(8196)] public string? Secret { get; set; } = null;
+    [MaxLength(8196)] public string? Secret { get; set; }
+    [Column(TypeName = "jsonb")] public Dictionary<string, object>? Config { get; set; } = new();
+
+    /// <summary>
+    /// The trustworthy stands for how safe is this auth factor.
+    /// Basically, it affects how many steps it can complete in authentication.
+    /// Besides, users may need to use some high trustworthy level auth factors when confirming some dangerous operations.
+    /// </summary>
+    public int Trustworthy { get; set; } = 1;
+
+    public Instant? EnabledAt { get; set; }
+    public Instant? ExpiredAt { get; set; }

    public Guid AccountId { get; set; }
    [JsonIgnore] public Account Account { get; set; } = null!;
@ -118,8 +134,24 @@ public class AccountAuthFactor : ModelBase
    {
        if (Secret == null)
            throw new InvalidOperationException("Auth factor with no secret cannot be verified with password.");
-        return BCrypt.Net.BCrypt.Verify(password, Secret);
+        switch (Type)
+        {
+            case AccountAuthFactorType.Password:
+                return BCrypt.Net.BCrypt.Verify(password, Secret);
+            case AccountAuthFactorType.TimedCode:
+                var otp = new Totp(Base32Encoding.ToBytes(Secret));
+                return otp.VerifyTotp(DateTime.UtcNow, password, out _, new VerificationWindow(previous: 5, future: 5));
+            default:
+                throw new InvalidOperationException("Unsupported verification type, use CheckDeliveredCode instead.");
+        }
    }
+
+    /// <summary>
+    /// This dictionary will be returned to the client and should only be set when it just created.
+    /// Useful for passing the client some data to finishing setup and recovery code.
+    /// </summary>
+    [NotMapped]
+    public Dictionary<string, object>? CreatedResponse { get; set; }
 }

 public enum AccountAuthFactorType
--- a/DysonNetwork.Sphere/Account/AccountCurrentController.cs
+++ b/DysonNetwork.Sphere/Account/AccountCurrentController.cs
@ -15,7 +15,6 @@ namespace DysonNetwork.Sphere.Account;
 public class AccountCurrentController(
    AppDatabase db,
    AccountService accounts,
-    FileService fs,
    FileReferenceService fileRefService,
    AccountEventService events,
    AuthService auth
@ -93,8 +92,10 @@ public class AccountCurrentController(
            var profileResourceId = $"profile:{profile.Id}";

            // Remove old references for the profile picture
-            if (profile.Picture is not null) {
-                var oldPictureRefs = await fileRefService.GetResourceReferencesAsync(profileResourceId, "profile.picture");
+            if (profile.Picture is not null)
+            {
+                var oldPictureRefs =
+                    await fileRefService.GetResourceReferencesAsync(profileResourceId, "profile.picture");
                foreach (var oldRef in oldPictureRefs)
                {
                    await fileRefService.DeleteReferenceAsync(oldRef.Id);
@ -105,8 +106,8 @@ public class AccountCurrentController(

            // Create new reference
            await fileRefService.CreateReferenceAsync(
-                picture.Id, 
-                "profile.picture", 
+                picture.Id,
+                "profile.picture",
                profileResourceId
            );
        }
@ -119,8 +120,10 @@ public class AccountCurrentController(
            var profileResourceId = $"profile:{profile.Id}";

            // Remove old references for the profile background
-            if (profile.Background is not null) {
-                var oldBackgroundRefs = await fileRefService.GetResourceReferencesAsync(profileResourceId, "profile.background");
+            if (profile.Background is not null)
+            {
+                var oldBackgroundRefs =
+                    await fileRefService.GetResourceReferencesAsync(profileResourceId, "profile.background");
                foreach (var oldRef in oldBackgroundRefs)
                {
                    await fileRefService.DeleteReferenceAsync(oldRef.Id);
@ -131,8 +134,8 @@ public class AccountCurrentController(

            // Create new reference
            await fileRefService.CreateReferenceAsync(
-                background.Id, 
-                "profile.background", 
+                background.Id,
+                "profile.background",
                profileResourceId
            );
        }
@ -334,8 +337,48 @@ public class AccountCurrentController(
        return Ok(factors);
    }

+    public class AuthFactorRequest
+    {
+        public AccountAuthFactorType Type { get; set; }
+        public string? Secret { get; set; }
+    }
+
+    [HttpPost("factors")]
+    [Authorize]
+    public async Task<ActionResult<AccountAuthFactor>> CreateAuthFactor([FromBody] AuthFactorRequest request)
+    {
+        if (HttpContext.Items["CurrentUser"] is not Account currentUser) return Unauthorized();
+        if (await accounts.CheckAuthFactorExists(currentUser, request.Type))
+            return BadRequest($"Auth factor with type {request.Type} is already exists.");
+        
+        var factor = await accounts.CreateAuthFactor(currentUser, request.Type, request.Secret);
+        return Ok(factor);
+    }
+
+    [HttpPost("factors/{id:guid}")]
+    [Authorize]
+    public async Task<ActionResult<AccountAuthFactor>> CreateAuthFactor(Guid id, [FromBody] string code)
+    {
+        if (HttpContext.Items["CurrentUser"] is not Account currentUser) return Unauthorized();
+        
+        var factor = await db.AccountAuthFactors
+            .Where(f => f.AccountId == id && f.Id == id)
+            .FirstOrDefaultAsync();
+        if(factor is null) return NotFound();
+
+        try
+        {
+            factor = await accounts.EnableAuthFactor(factor, code);
+            return Ok(factor);
+        }
+        catch (Exception ex)
+        {
+            return BadRequest(ex.Message);
+        }
+    }
+
    [HttpGet("sessions")]
-    public async Task<ActionResult<List<Auth.Session>>> GetSessions(
+    public async Task<ActionResult<List<Session>>> GetSessions(
        [FromQuery] int take = 20,
        [FromQuery] int offset = 0
    )
--- a/DysonNetwork.Sphere/Account/AccountService.cs
+++ b/DysonNetwork.Sphere/Account/AccountService.cs
@ -2,6 +2,7 @@ using DysonNetwork.Sphere.Storage;
 using EFCore.BulkExtensions;
 using Microsoft.EntityFrameworkCore;
 using NodaTime;
+using OtpNet;

 namespace DysonNetwork.Sphere.Account;

@ -64,6 +65,91 @@ public class AccountService(
        await spells.NotifyMagicSpell(spell);
    }

+    public async Task<bool> CheckAuthFactorExists(Account account, AccountAuthFactorType type)
+    {
+        var isExists = await db.AccountAuthFactors
+            .Where(x => x.AccountId == account.Id && x.Type == type)
+            .AnyAsync();
+        return isExists;
+    }
+
+    public async Task<AccountAuthFactor?> CreateAuthFactor(Account account, AccountAuthFactorType type, string? secret)
+    {
+        AccountAuthFactor? factor = null;
+        switch (type)
+        {
+            case AccountAuthFactorType.Password:
+                if (string.IsNullOrWhiteSpace(secret)) throw new ArgumentNullException(nameof(secret));
+                factor = new AccountAuthFactor
+                {
+                    Type = AccountAuthFactorType.Password,
+                    Trustworthy = 1,
+                    AccountId = account.Id,
+                    Secret = secret,
+                    EnabledAt = SystemClock.Instance.GetCurrentInstant(),
+                }.HashSecret();
+                break;
+            case AccountAuthFactorType.EmailCode:
+                factor = new AccountAuthFactor
+                {
+                    Type = AccountAuthFactorType.EmailCode,
+                    Trustworthy = 2,
+                    EnabledAt = SystemClock.Instance.GetCurrentInstant(),
+                };
+                break;
+            case AccountAuthFactorType.InAppCode:
+                factor = new AccountAuthFactor
+                {
+                    Type = AccountAuthFactorType.InAppCode,
+                    Trustworthy = 1,
+                    EnabledAt = SystemClock.Instance.GetCurrentInstant()
+                };
+                break;
+            case AccountAuthFactorType.TimedCode:
+                var skOtp = KeyGeneration.GenerateRandomKey(20);
+                var skOtp32 = Base32Encoding.ToString(skOtp);
+                factor = new AccountAuthFactor
+                {
+                    Secret = skOtp32,
+                    Type = AccountAuthFactorType.InAppCode,
+                    Trustworthy = 2,
+                    EnabledAt = null, // It needs to be tired once to enable
+                    CreatedResponse = new Dictionary<string, object>
+                    {
+                        ["uri"] = new OtpUri(
+                            OtpType.Totp,
+                            skOtp32,
+                            account.Id.ToString(),
+                            "Solar Network"
+                        ).ToString(),
+                    }
+                };
+                break;
+            default:
+                throw new ArgumentOutOfRangeException(nameof(type), type, null);
+        }
+
+        if (factor is null) throw new InvalidOperationException("Unable to create auth factor.");
+        db.AccountAuthFactors.Add(factor);
+        await db.SaveChangesAsync();
+        return factor;
+    }
+
+    public async Task<AccountAuthFactor> EnableAuthFactor(AccountAuthFactor factor, string code)
+    {
+        if (factor.EnabledAt is not null) throw new ArgumentException("The factor has been enabled.");
+        if (!factor.VerifyPassword(code))
+            throw new InvalidOperationException(
+                "Invalid code, you need to enter the correct code to enable the factor."
+            );
+        
+        factor.EnabledAt = SystemClock.Instance.GetCurrentInstant();
+        db.Update(factor);
+        await db.SaveChangesAsync();
+
+        return factor;
+    }
+
    /// Maintenance methods for server administrator
    public async Task EnsureAccountProfileCreated()
    {
--- a/DysonNetwork.Sphere/DysonNetwork.Sphere.csproj
+++ b/DysonNetwork.Sphere/DysonNetwork.Sphere.csproj
@ -53,6 +53,7 @@
        <PackageReference Include="OpenTelemetry.Instrumentation.AspNetCore" Version="1.12.0" />
        <PackageReference Include="OpenTelemetry.Instrumentation.Http" Version="1.12.0" />
        <PackageReference Include="OpenTelemetry.Instrumentation.Runtime" Version="1.12.0" />
+        <PackageReference Include="Otp.NET" Version="1.4.0" />
        <PackageReference Include="prometheus-net.AspNetCore" Version="8.2.1" />
        <PackageReference Include="prometheus-net.AspNetCore.HealthChecks" Version="8.2.1" />
        <PackageReference Include="prometheus-net.DotNetRuntime" Version="4.4.1" />
--- a/DysonNetwork.sln.DotSettings.user
+++ b/DysonNetwork.sln.DotSettings.user
@ -76,6 +76,7 @@
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AStatusCodeResult_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2024_002E3_003Fresharper_002Dhost_003FDecompilerCache_003Fdecompiler_003F0b5acdd962e549369896cece0026e556214600_003F7c_003F8b7572ae_003FStatusCodeResult_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003ATagging_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2024_002E3_003Fresharper_002Dhost_003FSourcesCache_003F36f4c2e6baa65ba603de42eedad12ea36845aa35a910a6a82d82baf688e3e1_003FTagging_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AThrowHelper_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2025_002E1_003Fresharper_002Dhost_003FDecompilerCache_003Fdecompiler_003Fb6f0571a6bc744b0b551fd4578292582e54c00_003F12_003Fe0a28ad6_003FThrowHelper_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
+	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003ATotp_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2025_002E1_003Fresharper_002Dhost_003FDecompilerCache_003Fdecompiler_003F48c9d2a1b3c84b32b36ebc6f20a927ea4600_003F7b_003Ff98e5727_003FTotp_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003ATusDiskStore_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2024_002E3_003Fresharper_002Dhost_003FDecompilerCache_003Fdecompiler_003F8bb08a178b5b43c5bac20a5a54159a5b2a800_003Fe1_003Fefd9af34_003FTusDiskStore_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003ATusDiskStore_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2025_002E1_003Fresharper_002Dhost_003FDecompilerCache_003Fdecompiler_003F8bb08a178b5b43c5bac20a5a54159a5b2a800_003F1c_003F21999acd_003FTusDiskStore_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>
 	<s:String x:Key="/Default/CodeInspection/ExcludedFiles/FilesAndFoldersToSkip2/=7020124F_002D9FFC_002D4AC3_002D8F3D_002DAAB8E0240759_002Ff_003AUri_002Ecs_002Fl_003A_002E_002E_003F_002E_002E_003F_002E_002E_003FLibrary_003FApplication_0020Support_003FJetBrains_003FRider2024_002E3_003Fresharper_002Dhost_003FDecompilerCache_003Fdecompiler_003F5d2c480da9be415dab9be535bb6d08713cc00_003Fd0_003Fffc36a51_003FUri_002Ecs/@EntryIndexedValue">ForceIncluded</s:String>