mirror of
https://github.com/aljazceru/btcpayserver.git
synced 2025-12-18 06:24:24 +01:00
197 lines
7.2 KiB
C#
197 lines
7.2 KiB
C#
using System;
|
|
using Microsoft.Extensions.Logging;
|
|
using Microsoft.AspNetCore.Mvc;
|
|
using Microsoft.AspNetCore.Mvc.Routing;
|
|
using Microsoft.AspNetCore.Http.Extensions;
|
|
using System.Collections.Generic;
|
|
using System.IO;
|
|
using System.Linq;
|
|
using System.Security.Claims;
|
|
using System.Text;
|
|
using System.Threading.Tasks;
|
|
using BTCPayServer.Authentication;
|
|
using BTCPayServer.Models;
|
|
using BTCPayServer.Services;
|
|
using BTCPayServer.Services.Stores;
|
|
using Microsoft.AspNetCore.Http;
|
|
using Microsoft.AspNetCore.Identity;
|
|
using Microsoft.AspNetCore.Mvc.Filters;
|
|
using Microsoft.AspNetCore.Mvc.Infrastructure;
|
|
using Microsoft.Extensions.Options;
|
|
using NBitcoin;
|
|
using NBitcoin.DataEncoders;
|
|
using NBitpayClient;
|
|
using NBitpayClient.Extensions;
|
|
using Newtonsoft.Json.Linq;
|
|
using BTCPayServer.Logging;
|
|
using Microsoft.AspNetCore.Http.Internal;
|
|
|
|
namespace BTCPayServer.Security
|
|
{
|
|
public class BitpayClaimsFilter : IAsyncAuthorizationFilter, IConfigureOptions<MvcOptions>
|
|
{
|
|
UserManager<ApplicationUser> _UserManager;
|
|
StoreRepository _StoreRepository;
|
|
TokenRepository _TokenRepository;
|
|
|
|
public BitpayClaimsFilter(
|
|
UserManager<ApplicationUser> userManager,
|
|
TokenRepository tokenRepository,
|
|
StoreRepository storeRepository)
|
|
{
|
|
_UserManager = userManager;
|
|
_StoreRepository = storeRepository;
|
|
_TokenRepository = tokenRepository;
|
|
}
|
|
|
|
void IConfigureOptions<MvcOptions>.Configure(MvcOptions options)
|
|
{
|
|
options.Filters.Add(typeof(BitpayClaimsFilter));
|
|
}
|
|
|
|
public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
|
|
{
|
|
var principal = context.HttpContext.User;
|
|
if (context.HttpContext.GetIsBitpayAPI())
|
|
{
|
|
var bitpayAuth = context.HttpContext.GetBitpayAuth();
|
|
string storeId = null;
|
|
var failedAuth = false;
|
|
if (!string.IsNullOrEmpty(bitpayAuth.Signature) && !string.IsNullOrEmpty(bitpayAuth.Id))
|
|
{
|
|
storeId = await CheckBitId(context.HttpContext, bitpayAuth.Signature, bitpayAuth.Id);
|
|
if (!context.HttpContext.User.Claims.Any(c => c.Type == Claims.SIN))
|
|
{
|
|
Logs.PayServer.LogDebug("BitId signature check failed");
|
|
failedAuth = true;
|
|
}
|
|
}
|
|
else if (!string.IsNullOrEmpty(bitpayAuth.Authorization))
|
|
{
|
|
storeId = await CheckLegacyAPIKey(context.HttpContext, bitpayAuth.Authorization);
|
|
if (storeId == null)
|
|
{
|
|
Logs.PayServer.LogDebug("API key check failed");
|
|
failedAuth = true;
|
|
}
|
|
}
|
|
|
|
if (storeId != null)
|
|
{
|
|
var identity = ((ClaimsIdentity)context.HttpContext.User.Identity);
|
|
identity.AddClaim(new Claim(Policies.CanUseStore.Key, storeId));
|
|
var store = await _StoreRepository.FindStore(storeId);
|
|
context.HttpContext.SetStoreData(store);
|
|
}
|
|
else if (failedAuth)
|
|
{
|
|
throw new BitpayHttpException(401, "Invalid credentials");
|
|
}
|
|
}
|
|
}
|
|
|
|
private async Task<string> CheckBitId(HttpContext httpContext, string sig, string id)
|
|
{
|
|
httpContext.Request.EnableRewind();
|
|
|
|
string storeId = null;
|
|
string body = string.Empty;
|
|
if (httpContext.Request.ContentLength != 0 && httpContext.Request.Body != null)
|
|
{
|
|
using (StreamReader reader = new StreamReader(httpContext.Request.Body, Encoding.UTF8, true, 1024, true))
|
|
{
|
|
body = reader.ReadToEnd();
|
|
}
|
|
httpContext.Request.Body.Position = 0;
|
|
}
|
|
|
|
var url = httpContext.Request.GetEncodedUrl();
|
|
try
|
|
{
|
|
var key = new PubKey(id);
|
|
if (BitIdExtensions.CheckBitIDSignature(key, sig, url, body))
|
|
{
|
|
var sin = key.GetBitIDSIN();
|
|
var identity = ((ClaimsIdentity)httpContext.User.Identity);
|
|
identity.AddClaim(new Claim(Claims.SIN, sin));
|
|
|
|
string token = null;
|
|
if (httpContext.Request.Query.TryGetValue("token", out var tokenValues))
|
|
{
|
|
token = tokenValues[0];
|
|
}
|
|
|
|
if (token == null && !String.IsNullOrEmpty(body) && httpContext.Request.Method == "POST")
|
|
{
|
|
try
|
|
{
|
|
token = JObject.Parse(body)?.Property("token")?.Value?.Value<string>();
|
|
}
|
|
catch { }
|
|
}
|
|
|
|
if (token != null)
|
|
{
|
|
var bitToken = await GetTokenPermissionAsync(sin, token);
|
|
if (bitToken == null)
|
|
{
|
|
return null;
|
|
}
|
|
storeId = bitToken.StoreId;
|
|
}
|
|
}
|
|
}
|
|
catch (FormatException) { }
|
|
return storeId;
|
|
}
|
|
|
|
private async Task<string> CheckLegacyAPIKey(HttpContext httpContext, string auth)
|
|
{
|
|
var splitted = auth.Split(' ', StringSplitOptions.RemoveEmptyEntries);
|
|
if (splitted.Length != 2 || !splitted[0].Equals("Basic", StringComparison.OrdinalIgnoreCase))
|
|
{
|
|
return null;
|
|
}
|
|
|
|
string apiKey = null;
|
|
try
|
|
{
|
|
apiKey = Encoders.ASCII.EncodeData(Encoders.Base64.DecodeData(splitted[1]));
|
|
}
|
|
catch
|
|
{
|
|
return null;
|
|
}
|
|
return await _TokenRepository.GetStoreIdFromAPIKey(apiKey);
|
|
}
|
|
|
|
private async Task<BitTokenEntity> GetTokenPermissionAsync(string sin, string expectedToken)
|
|
{
|
|
var actualTokens = (await _TokenRepository.GetTokens(sin)).ToArray();
|
|
actualTokens = actualTokens.SelectMany(t => GetCompatibleTokens(t)).ToArray();
|
|
|
|
var actualToken = actualTokens.FirstOrDefault(a => a.Value.Equals(expectedToken, StringComparison.Ordinal));
|
|
if (expectedToken == null || actualToken == null)
|
|
{
|
|
Logs.PayServer.LogDebug($"No token found for facade {Facade.Merchant} for SIN {sin}");
|
|
return null;
|
|
}
|
|
return actualToken;
|
|
}
|
|
|
|
private IEnumerable<BitTokenEntity> GetCompatibleTokens(BitTokenEntity token)
|
|
{
|
|
if (token.Facade == Facade.Merchant.ToString())
|
|
{
|
|
yield return token.Clone(Facade.User);
|
|
yield return token.Clone(Facade.PointOfSale);
|
|
}
|
|
if (token.Facade == Facade.PointOfSale.ToString())
|
|
{
|
|
yield return token.Clone(Facade.User);
|
|
}
|
|
yield return token;
|
|
}
|
|
}
|
|
}
|