aljaz/btcpayserver
1
0
Fork 0
mirror of https://github.com/aljazceru/btcpayserver.git synced 2025-12-17 05:54:26 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
btcpayserver/BTCPayServer/Services/UserService.cs
Nicolas Dorier c9dcd4f0a4 Fix: Spurious EF error on CallbackGenerator
2025-11-14 22:48:18 +09:00

310 lines
13 KiB
C#
Raw Permalink Blame History

#nullable enable
using System;
using System.Collections.Generic;
using System.Diagnostics.CodeAnalysis;
using System.Linq;
using System.Threading.Tasks;
using BTCPayServer.Abstractions;
using BTCPayServer.Abstractions.Extensions;
using BTCPayServer.Client.Models;
using BTCPayServer.Data;
using BTCPayServer.Events;
using BTCPayServer.Storage.Services;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc.Localization;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Localization;
using Microsoft.Extensions.Logging;
namespace BTCPayServer.Services
{
public class UserService
{
private readonly IServiceProvider _serviceProvider;
private readonly StoredFileRepository _storedFileRepository;
private readonly FileService _fileService;
private readonly EventAggregator _eventAggregator;
private readonly ApplicationDbContextFactory _applicationDbContextFactory;
private readonly BTCPayServerSecurityStampValidator.DisabledUsers _disabledUsers;
private readonly IEnumerable<LoginExtension> _loginExtensions;
private readonly ILogger<UserService> _logger;
public UserService(
IServiceProvider serviceProvider,
StoredFileRepository storedFileRepository,
FileService fileService,
EventAggregator eventAggregator,
ApplicationDbContextFactory applicationDbContextFactory,
BTCPayServerSecurityStampValidator.DisabledUsers disabledUsers,
IEnumerable<LoginExtension> loginExtensions,
ILogger<UserService> logger)
{
_serviceProvider = serviceProvider;
_storedFileRepository = storedFileRepository;
_fileService = fileService;
_eventAggregator = eventAggregator;
_applicationDbContextFactory = applicationDbContextFactory;
_disabledUsers = disabledUsers;
_loginExtensions = loginExtensions;
_logger = logger;
}
public record ApplicationUserWithRoles(ApplicationUser User, string[] Roles);
public async Task<List<ApplicationUserWithRoles>> GetUsersWithRoles()
{
await using var context = _applicationDbContextFactory.CreateContext();
var res = await context.Users.Select(p =>
new
{
User = p,
Roles = p.UserRoles.Join(context.Roles, userRole => userRole.RoleId,
role => role.Id, (userRole, role) => role.Name).ToArray()
})
.ToListAsync();
return res.Select(p => new ApplicationUserWithRoles(p.User, (p.Roles ?? [])!)).ToList();
}
public static async Task<T> ForAPI<T>(
ApplicationUser data,
string?[] roles,
CallbackGenerator callbackGenerator,
UriResolver uriResolver,
HttpRequest request) where T : ApplicationUserData, new()
{
var blob = data.GetBlob() ?? new UserBlob();
return new T
{
Id = data.Id,
Email = data.Email,
EmailConfirmed = data.EmailConfirmed,
RequiresEmailConfirmation = data.RequiresEmailConfirmation,
Approved = data.Approved,
RequiresApproval = data.RequiresApproval,
Created = data.Created,
Name = blob.Name,
Roles = roles,
Disabled = data.IsDisabled,
ImageUrl = string.IsNullOrEmpty(blob.ImageUrl)
? null
: await uriResolver.Resolve(request.GetAbsoluteRootUri(), UnresolvedUri.Create(blob.ImageUrl)),
InvitationUrl = string.IsNullOrEmpty(blob.InvitationToken) ? null
: callbackGenerator.ForInvitation(data.Id, blob.InvitationToken)
};
}
public class LoginFailure
{
public LoginFailure(LocalizedString text)
{
ArgumentNullException.ThrowIfNull(text);
Text = text;
}
public LoginFailure(LocalizedString text, LocalizedHtmlString html) : this(text)
{
Html = html;
}
public LocalizedString Text { get; }
public LocalizedHtmlString? Html { get; }
public override string ToString() => Html?.ToString() ?? Text?.ToString() ?? "";
}
public abstract class LoginExtension
{
public abstract Task Check(CanLoginContext context);
}
public class CanLoginContext(
ApplicationUser? user,
IStringLocalizer? stringLocalizer = null,
IViewLocalizer? viewLocalizer = null,
RequestBaseUrl? baseUrl = null)
{
public CanLoginContext Clone(ApplicationUser? user) => new(user, stringLocalizer, viewLocalizer, BaseUrl);
public IStringLocalizer StringLocalizer { get; } = stringLocalizer ?? NullStringLocalizer.Instance;
public IViewLocalizer ViewLocalizer { get; } = viewLocalizer ?? NullViewLocalizer.Instance;
public RequestBaseUrl? BaseUrl { get; } = baseUrl;
internal readonly ApplicationUser? _user = user;
public ApplicationUser User => _user ?? throw new InvalidOperationException("User is not set");
public List<LoginFailure> Failures { get; } = new();
}
public async Task<bool> CanLogin(CanLoginContext context)
{
if (context._user is null)
{
context.Failures.Add(new LoginFailure(context.StringLocalizer["User not found or invalid password"]));
return false;
}
foreach (var loginExtension in _loginExtensions)
{
await loginExtension.Check(context);
}
return !context.Failures.Any();
}
public class DefaultLoginExtension : LoginExtension
{
public override Task Check(CanLoginContext context)
{
if (context.User is { EmailConfirmed: false, RequiresEmailConfirmation: true })
context.Failures.Add(new(context.StringLocalizer["You must have a confirmed email to log in."]));
if (context.User is { Approved: false, RequiresApproval: true })
context.Failures.Add(new(context.StringLocalizer["Your user account requires approval by an admin before you can log in."]));
if (context.User is { IsDisabled: true })
context.Failures.Add(new(context.StringLocalizer["Your user account is currently disabled."]));
return Task.CompletedTask;
}
}
public async Task<bool> SetUserApproval(string userId, bool approved, string loginLink)
{
using var scope = _serviceProvider.CreateScope();
var userManager = scope.ServiceProvider.GetRequiredService<UserManager<ApplicationUser>>();
var user = await userManager.FindByIdAsync(userId);
if (user is null || !user.RequiresApproval || user.Approved == approved)
{
return false;
}
user.Approved = approved;
var succeeded = await userManager.UpdateAsync(user) is { Succeeded: true };
if (succeeded)
{
_logger.LogInformation("User {Email} is now {Status}", user.Email, approved ? "approved" : "unapproved");
_eventAggregator.Publish(new UserEvent.Approved(user, loginLink));
}
else
{
_logger.LogError("Failed to {Action} user {Email}", approved ? "approve" : "unapprove", user.Email);
}
return succeeded;
}
public async Task<bool> SetDisabled(string userId, bool disabled)
{
using var scope = _serviceProvider.CreateScope();
var userManager = scope.ServiceProvider.GetRequiredService<UserManager<ApplicationUser>>();
var user = await userManager.FindByIdAsync(userId);
if (user is null || disabled == user.IsDisabled)
return true;
if (!user.LockoutEnabled)
await userManager.SetLockoutEnabledAsync(user, true);
var lockedOutDeadline = disabled ? DateTimeOffset.MaxValue : (DateTimeOffset?)null;
var res = await userManager.SetLockoutEndDateAsync(user, lockedOutDeadline);
// Without this, the user won't be logged out automatically when his authentication ticket expires
if (disabled)
{
await userManager.UpdateSecurityStampAsync(user);
_disabledUsers.Add(userId);
}
else
{
_disabledUsers.Remove(userId);
}
if (res.Succeeded)
{
_logger.LogInformation("User {Email} is now {Status}", user.Email, (lockedOutDeadline is null ? "unlocked" : "locked"));
}
else
{
_logger.LogError("Failed to set lockout for user {Email}", user.Email);
}
return res.Succeeded;
}
[Obsolete("Use SetDisabled instead")]
public async Task<bool?> ToggleUser(string userId, DateTimeOffset? lockedOutDeadline)
=> await SetDisabled(userId, lockedOutDeadline is not null);
public async Task<bool> IsAdminUser(ApplicationUser user)
{
using var scope = _serviceProvider.CreateScope();
var userManager = scope.ServiceProvider.GetRequiredService<UserManager<ApplicationUser>>();
return Roles.HasServerAdmin(await userManager.GetRolesAsync(user));
}
public async Task<bool> SetAdminUser(string userId, bool enableAdmin)
{
using var scope = _serviceProvider.CreateScope();
var userManager = scope.ServiceProvider.GetRequiredService<UserManager<ApplicationUser>>();
var user = await userManager.FindByIdAsync(userId);
if (user is null)
return false;
IdentityResult res;
if (enableAdmin)
{
res = await userManager.AddToRoleAsync(user, Roles.ServerAdmin);
}
else
{
res = await userManager.RemoveFromRoleAsync(user, Roles.ServerAdmin);
}
if (res.Succeeded)
{
_logger.LogInformation("Successfully set admin status for user {Email}", user.Email);
}
else
{
_logger.LogError("Error setting admin status for user {Email}", user.Email);
}
return res.Succeeded;
}
public async Task DeleteUserAndAssociatedData(ApplicationUser user)
{
using var scope = _serviceProvider.CreateScope();
var userManager = scope.ServiceProvider.GetRequiredService<UserManager<ApplicationUser>>();
var userId = user.Id;
var files = await _storedFileRepository.GetFiles(new StoredFileRepository.FilesQuery()
{
UserIds = new[] { userId },
});
await Task.WhenAll(files.Select(file => _fileService.RemoveFile(file.Id, userId)));
user = (await userManager.FindByIdAsync(userId))!;
if (user is null)
return;
var res = await userManager.DeleteAsync(user);
if (res.Succeeded)
{
_logger.LogInformation("User {Email} was successfully deleted", user.Email);
}
else
{
_logger.LogError("Failed to delete user {Email}", user.Email);
}
}
public async Task<bool> IsUserTheOnlyOneAdmin(CanLoginContext canLoginContext)
{
using var scope = _serviceProvider.CreateScope();
var userManager = scope.ServiceProvider.GetRequiredService<UserManager<ApplicationUser>>();
var roles = await userManager.GetRolesAsync(canLoginContext.User);
if (!Roles.HasServerAdmin(roles))
{
return false;
}
var adminUsers = await userManager.GetUsersInRoleAsync(Roles.ServerAdmin);
var enabledAdminUsers = new List<string>();
foreach (var admin in adminUsers)
{
var loginContext = canLoginContext.Clone(admin);
if (await CanLogin(loginContext))
enabledAdminUsers.Add(admin.Id);
}
return enabledAdminUsers.Count == 1 && enabledAdminUsers.Contains(canLoginContext.User.Id);
}
}
}
Reference in New Issue View Git Blame Copy Permalink