- Updates API key extraction to also accept "Bearer" auth header. This is necessary for non-cookie based SignalR connections.
- Adds authentication related models to the client lib
- Succeeds and replaces #6484.
* Server Users: More precise message when inviting users
This lets the admin who invited a new user know whether or not an email has been sent. If the SMTP server hasn't been set up, they need to share the invite link with the user.
* Onboarding: Invite new users
- Separates the user self-registration and invite cases
- Adds invitation email for users created by the admin
- Adds invitation tokens to verify user was invited
- Adds handler action for invite links
- Refactors `UserEventHostedService`
* Remove duplicate status message from views that use the wizard layout
* Auto-approve users created by an admin
* Notify admins via email if a new account requires approval
* Update wording
* Fix update user error
* Fix redirect to email confirmation in invite action
* Fix precondition checks after signup
* Improve admin notification
Send notification only if the user does not require email confirmation or when they confirmed their email address. Rationale: We want to inform admins only about qualified users and not annoy them with bot registrations.
* Allow approval alongside resending confirm email
* Use user email in log messages instead of ID
* Prevent unnecessary notification after email confirmation
* Use ApplicationUser type explicitly
* Fix after rebase
* Refactoring: Do not subclass UserRegisteredEvent
* Admin overview of the stores on the instance
POC/Draft for #5674.
* Enable admin to access foreign stores
* Remove stores list link
* UI updates
* Grant admins guest access to foreign stores
* Optimize cookie auth handler
* Test fix
* Revert changes related to StoreRepository.FindStore with isAdmin
* Users list: Cleanups
* Policies: Flip registration settings
* Policies: Add RequireUserApproval setting
* Add approval to user
* Require approval on login and for API key
* API handling
* AccountController cleanups
* Test fix
* Apply suggestions from code review
Co-authored-by: Nicolas Dorier <nicolas.dorier@gmail.com>
* Add missing imports
* Communicate login requirements to user on account creation
* Add login requirements to basic auth handler
* Cleanups and test fix
* Encapsulate approval logic in user service and log approval changes
* Send follow up "Account approved" email
Closes #5656.
* Add notification for admins
* Fix creating a user via the admin view
* Update list: Unify flags into status column, add approve action
* Adjust "Resend email" wording
* Incorporate feedback from code review
* Remove duplicate test server policy reset
---------
Co-authored-by: Nicolas Dorier <nicolas.dorier@gmail.com>
Fixes #5698. Before this, the app lookup was constrained by the user having at least `CanModifyStoreSettings` permissions. This changes it to require the user being associated with a store, leaving the fine-grained authorization checks up to the individual actions.
* Adapt cookie auth to work with same API permission system
* Handle unscoped store permission case
* Do not consider Unscoped as a valid policy
* Add tests
* Refactor permissions scopes
---------
Co-authored-by: Dennis Reimann <mail@dennisreimann.de>
Co-authored-by: nicolas.dorier <nicolas.dorier@gmail.com>
* Greenfield: Admins can create/delete API keys of any user
* Greenfield: Improve doc for scoped apikey (Close #4673)
* Fix permissions hierarchy
* Update BTCPayServer.Client/Permissions.cs
* Fix tests
---------
Co-authored-by: Andrew Camilleri <evilkukka@gmail.com>
* Editorconfig: Add space_before_self_closing setting
This was a difference between the way dotnet-format and Rider format code. See https://www.jetbrains.com/help/rider/EditorConfig_Index.html
* Editorconfig: Keep 4 spaces indentation for Swagger JSON files
They are all formatted that way, let's keep it like that.
* Apply dotnet-format, mostly white-space related changes
* Plugins: Add authorization hook
Makes the `PolicyRequirement` available to plugins.
Adds a filter hook to the authorization handlers, so that plugins can extend and leverage the existing authorization policies and permissions.
* Update to pass back and forth handle class
* Allow Users to be disabled/enabled
* rebrand to locked for api
* Update BTCPayServer/Views/UIAccount/Lockout.cshtml
Co-authored-by: d11n <mail@dennisreimann.de>
* fix docker compose and an unneeded check in api handler
* fix
* Add enabled user test
Co-authored-by: d11n <mail@dennisreimann.de>
Co-authored-by: Nicolas Dorier <nicolas.dorier@gmail.com>
* Set store context in cookie
* Fix page id usages in view
* Move Pay Button to nav
* Move integrations to plugins nav
* Store switch links to wallet if present
* Test fixes
* Nav fixes
* Fix altcoin view
* Main nav updates
* Wallet settings nav update
* Move storeId cookie fallback to cookie auth handler
* View fixes
* Test fixes
* Fix profile check
* Rename integrations nav extension point to store-integrations-nav-list
* Allow strings for Active page/category for plugins
* Make invoice list filter based on store context
* Do not set context if we are running authorizer through tag helper
* Fix test and unfiltered invoices
* Add permission helper for wallet links
* Add sanity checks for payment requests and invoices
* Store context in home controller
* Fix PayjoinViaUI test
* Store context for notifications
* Minor UI improvements
* Store context for userstores and vault controller
* Bring back integrations page
* Rename notifications nav pages file
* Fix user stores controller policies
* Controller policy fixes from code review
* CookieAuthHandler: Simplify CanViewInvoices case
* Revert "Controller policy fixes from code review"
This reverts commit 97e8b8379c2f2f373bac15a96632d2c8913ef4bd.
* Simplify LayoutSimple
* Fix CanViewInvoices condition
Co-authored-by: Kukks <evilkukka@gmail.com>
* Mention the missing API permission in the response header or body
* Fixes + Added a unit test. 1 TODO remains.
* Added MissingPermissionDescription to the error
* Update BTCPayServer.Tests/GreenfieldAPITests.cs
Co-authored-by: Nicolas Dorier <nicolas.dorier@gmail.com>
* Fix tests
* [GreenField]: Make sure we are sending fully typed errors
Co-authored-by: Nicolas Dorier <nicolas.dorier@gmail.com>
* Update layout structure and header
* Implement store selector
* Simplify homepage
* Update layout
* Use dropdown for store selector
* Hide global nav in store context
* Horizontal section nav
* Remove outer section and container from content views
* Update nav
* Set store context for invoice and payment request lists
* Test fixes
* Persist menu collapse state on client-side
* MainNav as view component
* Update app routes to incorporate store context
* Test fixes
* Display ticker for altcoins build only
* Plugins nav
* Incorporate category for active page as well
* Update invoice icon
* Add apps list to nav
* Add store context to app type controllers
* Incorporate id for active page as well
* Test fixes
* AppsController cleanup
* Nav: Display only apps for the current store
* Remove leftover from merge
* Nav styles optimization
* Left-align content container
* Increase sidebar padding on desktop
* Use min-width for store selector menu
* Store settings nav update
* Update app and payment request routes
* Test fixes
* Refactor MainNav component to use StoresController
* Set store context for invoice actions
* Cleanups
* Remove CurrentStore checks
The response will be "Access denied" in case the CookieAuthorizationHandler cannot resolve the store.
* Remove unnecessary store context setters
* Test fix
* wip
* Local GreenField Client for Plugins
* support notification handlers being missing
* Initial support for scoped btcpay client
* test out scoped local client
* wip
* small fix
* Throw exception if using local greenfield client and it has not been implemented yet
* adapt based on new changes in BTCPay
* update
* fix tests
* Allow Local client to bypass authorization handler
* Add Misc endpoints to Local API Client
* Add new endpoints
* Apply code review changes
* Migrate existing U2F to Fido2
This seamlessly switches all u2f registrations over to the new FIDO2 support. Please note that I have not yet added a way to drop the u2f DB and its UI so that we can test the migration works properly for all.
* add testing logic
* fix u2f tests
* remove duplicate status message
* fix test and namespaces
* fix test
* GreenField: Notifications API
This refactors notifications so that we don't have a bunch of duplicated direct access to db contexts in controllers and then introduces new endpoints to fetch/toggle seen/remove notifications of the current user.
* add tests + docs
* fix test
* pr changes
* fix permission json
This allows plugins to create custom dbcontexts, which would be namespaced in the scheme with a prefix. Migrations are supported too and the table would be prefixed too
* BTCPay Extensions Part 2
This PR cleans up the extension system a bit in that:
* It renames the test extension to a more uniform name
* Allows you to have system extensions, which are extensions but bundled by default with the release (and cannot be removed)
* Adds a tool to help you generate an extension package from a csproj
* Refactors the UI extension points to a view component
* Moves some more interfaces to the Abstractions csproj
* Rename to plugins