Jellyfin.Server.Implementations/Users/DefaultAuthenticationProvider.cs

using System;
using System.Diagnostics.CodeAnalysis;
using System.Globalization;
using System.Threading.Tasks;
using Jellyfin.Database.Implementations.Entities;
using MediaBrowser.Controller.Authentication;
using MediaBrowser.Model.Cryptography;
using Microsoft.Extensions.Logging;

namespace Jellyfin.Server.Implementations.Users
{
    /// <summary>
    /// The default authentication provider.
    /// </summary>
    public class DefaultAuthenticationProvider : IAuthenticationProvider, IRequiresResolvedUser
    {
        private readonly ILogger<DefaultAuthenticationProvider> _logger;
        private readonly ICryptoProvider _cryptographyProvider;

        /// <summary>
        /// Initializes a new instance of the <see cref="DefaultAuthenticationProvider"/> class.
        /// </summary>
        /// <param name="logger">The logger.</param>
        /// <param name="cryptographyProvider">The cryptography provider.</param>
        public DefaultAuthenticationProvider(ILogger<DefaultAuthenticationProvider> logger, ICryptoProvider cryptographyProvider)
        {
            _logger = logger;
            _cryptographyProvider = cryptographyProvider;
        }

        /// <inheritdoc />
        public string Name => "Default";

        /// <inheritdoc />
        public bool IsEnabled => true;

        /// <inheritdoc />
        // This is dumb and an artifact of the backwards way auth providers were designed.
        // This version of authenticate was never meant to be called, but needs to be here for interface compat
        // Only the providers that don't provide local user support use this
        public Task<ProviderAuthenticationResult> Authenticate(string username, string password)
        {
            throw new NotImplementedException();
        }

        /// <inheritdoc />
        // This is the version that we need to use for local users. Because reasons.
        public Task<ProviderAuthenticationResult> Authenticate(string username, string password, User? resolvedUser)
        {
            [DoesNotReturn]
            static void ThrowAuthenticationException()
            {
                throw new AuthenticationException("Invalid username or password");
            }

            if (resolvedUser is null)
            {
                ThrowAuthenticationException();
            }

            // As long as jellyfin supports password-less users, we need this little block here to accommodate
            if (!HasPassword(resolvedUser) && string.IsNullOrEmpty(password))
            {
                return Task.FromResult(new ProviderAuthenticationResult
                {
                    Username = username
                });
            }

            // Handle the case when the stored password is null, but the user tried to login with a password
            if (resolvedUser.Password is null)
            {
                ThrowAuthenticationException();
            }

            PasswordHash readyHash = PasswordHash.Parse(resolvedUser.Password);
            if (!_cryptographyProvider.Verify(readyHash, password))
            {
                ThrowAuthenticationException();
            }

            // Migrate old hashes to the new default
            if (!string.Equals(readyHash.Id, _cryptographyProvider.DefaultHashMethod, StringComparison.Ordinal)
                || int.Parse(readyHash.Parameters["iterations"], CultureInfo.InvariantCulture) != Constants.DefaultIterations)
            {
                _logger.LogInformation("Migrating password hash of {User} to the latest default", username);
                ChangePassword(resolvedUser, password);
            }

            return Task.FromResult(new ProviderAuthenticationResult
            {
                Username = username
            });
        }

        /// <inheritdoc />
        public bool HasPassword(User user)
            => !string.IsNullOrEmpty(user?.Password);

        /// <inheritdoc />
        public Task ChangePassword(User user, string newPassword)
        {
            if (string.IsNullOrEmpty(newPassword))
            {
                user.Password = null;
                return Task.CompletedTask;
            }

            PasswordHash newPasswordHash = _cryptographyProvider.CreatePasswordHash(newPassword);
            user.Password = newPasswordHash.ToString();

            return Task.CompletedTask;
        }
    }
}
made newlines into linux newlines 2019-02-20 01:17:30 -08:00			`using System;`
Reduce log spam on failed logins Failed logins already get logged higher up the call chain 2023-08-21 19:09:32 +02:00			`using System.Diagnostics.CodeAnalysis;`
Increase password hash iterations It has been a while since this was last updated: https://github.com/jellyfin/jellyfin/pull/6818 Recommendations have changed since: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2 2024-08-30 19:26:48 +02:00			`using System.Globalization;`
made newlines into linux newlines 2019-02-20 01:17:30 -08:00			`using System.Threading.Tasks;`
Fixed namespaces 2025-03-25 16:45:00 +01:00			`using Jellyfin.Database.Implementations.Entities;`
made newlines into linux newlines 2019-02-20 01:17:30 -08:00			`using MediaBrowser.Controller.Authentication;`
			`using MediaBrowser.Model.Cryptography;`
Increase password hash iterations It has been a while since this was last updated: https://github.com/jellyfin/jellyfin/pull/6818 Recommendations have changed since: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2 2024-08-30 19:26:48 +02:00			`using Microsoft.Extensions.Logging;`
made newlines into linux newlines 2019-02-20 01:17:30 -08:00
Migrate User DB to EF Core 2020-05-15 17:24:01 -04:00			`namespace Jellyfin.Server.Implementations.Users`
made newlines into linux newlines 2019-02-20 01:17:30 -08:00			`{`
Fix more warnings 2019-11-01 18:38:54 +01:00			`/// <summary>`
			`/// The default authentication provider.`
			`/// </summary>`
made newlines into linux newlines 2019-02-20 01:17:30 -08:00			`public class DefaultAuthenticationProvider : IAuthenticationProvider, IRequiresResolvedUser`
			`{`
Increase password hash iterations It has been a while since this was last updated: https://github.com/jellyfin/jellyfin/pull/6818 Recommendations have changed since: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2 2024-08-30 19:26:48 +02:00			`private readonly ILogger<DefaultAuthenticationProvider> _logger;`
made newlines into linux newlines 2019-02-20 01:17:30 -08:00			`private readonly ICryptoProvider _cryptographyProvider;`
Remove legacy auth code (#1677) * Remove legacy auth code * Adds tests so we don't break PasswordHash (again) * Clean up interfaces * Remove duplicate code * Use auto properties * static using * Don't use 'this' * Fix build 2019-09-17 18:07:15 +02:00
Fix more warnings 2019-11-01 18:38:54 +01:00			`/// <summary>`
			`/// Initializes a new instance of the <see cref="DefaultAuthenticationProvider"/> class.`
			`/// </summary>`
Increase password hash iterations It has been a while since this was last updated: https://github.com/jellyfin/jellyfin/pull/6818 Recommendations have changed since: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2 2024-08-30 19:26:48 +02:00			`/// <param name="logger">The logger.</param>`
Fix more warnings 2019-11-01 18:38:54 +01:00			`/// <param name="cryptographyProvider">The cryptography provider.</param>`
Increase password hash iterations It has been a while since this was last updated: https://github.com/jellyfin/jellyfin/pull/6818 Recommendations have changed since: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2 2024-08-30 19:26:48 +02:00			`public DefaultAuthenticationProvider(ILogger<DefaultAuthenticationProvider> logger, ICryptoProvider cryptographyProvider)`
made newlines into linux newlines 2019-02-20 01:17:30 -08:00			`{`
Increase password hash iterations It has been a while since this was last updated: https://github.com/jellyfin/jellyfin/pull/6818 Recommendations have changed since: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2 2024-08-30 19:26:48 +02:00			`_logger = logger;`
Streamline authentication proccess 2019-05-21 19:28:34 +02:00			`_cryptographyProvider = cryptographyProvider;`
made newlines into linux newlines 2019-02-20 01:17:30 -08:00			`}`

Remove legacy auth code (#1677) * Remove legacy auth code * Adds tests so we don't break PasswordHash (again) * Clean up interfaces * Remove duplicate code * Use auto properties * static using * Don't use 'this' * Fix build 2019-09-17 18:07:15 +02:00			`/// <inheritdoc />`
made newlines into linux newlines 2019-02-20 01:17:30 -08:00			`public string Name => "Default";`

Remove legacy auth code (#1677) * Remove legacy auth code * Adds tests so we don't break PasswordHash (again) * Clean up interfaces * Remove duplicate code * Use auto properties * static using * Don't use 'this' * Fix build 2019-09-17 18:07:15 +02:00			`/// <inheritdoc />`
made newlines into linux newlines 2019-02-20 01:17:30 -08:00			`public bool IsEnabled => true;`
Fix pin bug introduced in 10.3.z. The issue is that the new easyPassword format prepends the hash function. This PR extract the hash from "$SHA1$_hash_". 2019-05-11 19:32:20 -04:00
Remove legacy auth code (#1677) * Remove legacy auth code * Adds tests so we don't break PasswordHash (again) * Clean up interfaces * Remove duplicate code * Use auto properties * static using * Don't use 'this' * Fix build 2019-09-17 18:07:15 +02:00			`/// <inheritdoc />`
minor style fixes 2019-03-04 23:58:25 -08:00			`// This is dumb and an artifact of the backwards way auth providers were designed.`
			`// This version of authenticate was never meant to be called, but needs to be here for interface compat`
			`// Only the providers that don't provide local user support use this`
made newlines into linux newlines 2019-02-20 01:17:30 -08:00			`public Task<ProviderAuthenticationResult> Authenticate(string username, string password)`
			`{`
			`throw new NotImplementedException();`
			`}`
Fix pin bug introduced in 10.3.z. The issue is that the new easyPassword format prepends the hash function. This PR extract the hash from "$SHA1$_hash_". 2019-05-11 19:32:20 -04:00
Remove legacy auth code (#1677) * Remove legacy auth code * Adds tests so we don't break PasswordHash (again) * Clean up interfaces * Remove duplicate code * Use auto properties * static using * Don't use 'this' * Fix build 2019-09-17 18:07:15 +02:00			`/// <inheritdoc />`
Streamline authentication proccess 2019-05-21 19:28:34 +02:00			`// This is the version that we need to use for local users. Because reasons.`
Reduce log spam on failed logins Failed logins already get logged higher up the call chain 2023-08-21 19:09:32 +02:00			`public Task<ProviderAuthenticationResult> Authenticate(string username, string password, User? resolvedUser)`
made newlines into linux newlines 2019-02-20 01:17:30 -08:00			`{`
Reduce log spam on failed logins Failed logins already get logged higher up the call chain 2023-08-21 19:09:32 +02:00			`[DoesNotReturn]`
			`static void ThrowAuthenticationException()`
made newlines into linux newlines 2019-02-20 01:17:30 -08:00			`{`
Reduce log spam on failed logins Failed logins already get logged higher up the call chain 2023-08-21 19:09:32 +02:00			`throw new AuthenticationException("Invalid username or password");`
added justaman notes, fixed new bug from emty has removals 2019-02-18 01:26:01 -08:00			`}`

Reduce log spam on failed logins Failed logins already get logged higher up the call chain 2023-08-21 19:09:32 +02:00			`if (resolvedUser is null)`
			`{`
			`ThrowAuthenticationException();`
			`}`
Fix more warnings 2019-11-01 18:38:54 +01:00
More spelling corrections. 2020-11-18 13:46:14 +00:00			`// As long as jellyfin supports password-less users, we need this little block here to accommodate`
Fix a couple bugs 2020-05-23 14:53:24 -04:00			`if (!HasPassword(resolvedUser) && string.IsNullOrEmpty(password))`
added justaman notes, fixed new bug from emty has removals 2019-02-18 01:26:01 -08:00			`{`
			`return Task.FromResult(new ProviderAuthenticationResult`
			`{`
			`Username = username`
			`});`
			`}`
made newlines into linux newlines 2019-02-20 01:17:30 -08:00
Handle the case when the stored password is null, but the user tried to login with a password. 2020-06-11 14:24:50 +01:00			`// Handle the case when the stored password is null, but the user tried to login with a password`
Replace == null with is null 2022-12-05 15:00:20 +01:00			`if (resolvedUser.Password is null)`
made newlines into linux newlines 2019-02-20 01:17:30 -08:00			`{`
Reduce log spam on failed logins Failed logins already get logged higher up the call chain 2023-08-21 19:09:32 +02:00			`ThrowAuthenticationException();`
made newlines into linux newlines 2019-02-20 01:17:30 -08:00			`}`

Replace PBKDF2-SHA1 with PBKDF2-SHA512 This also migrates already created passwords on login Source for the number of iterations: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2 2021-11-10 22:34:54 +01:00			`PasswordHash readyHash = PasswordHash.Parse(resolvedUser.Password);`
Reduce log spam on failed logins Failed logins already get logged higher up the call chain 2023-08-21 19:09:32 +02:00			`if (!_cryptographyProvider.Verify(readyHash, password))`
made newlines into linux newlines 2019-02-20 01:17:30 -08:00			`{`
Reduce log spam on failed logins Failed logins already get logged higher up the call chain 2023-08-21 19:09:32 +02:00			`ThrowAuthenticationException();`
made newlines into linux newlines 2019-02-20 01:17:30 -08:00			`}`

Replace PBKDF2-SHA1 with PBKDF2-SHA512 This also migrates already created passwords on login Source for the number of iterations: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2 2021-11-10 22:34:54 +01:00			`// Migrate old hashes to the new default`
Increase password hash iterations It has been a while since this was last updated: https://github.com/jellyfin/jellyfin/pull/6818 Recommendations have changed since: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2 2024-08-30 19:26:48 +02:00			`if (!string.Equals(readyHash.Id, _cryptographyProvider.DefaultHashMethod, StringComparison.Ordinal)`
			`\|\| int.Parse(readyHash.Parameters["iterations"], CultureInfo.InvariantCulture) != Constants.DefaultIterations)`
Replace PBKDF2-SHA1 with PBKDF2-SHA512 This also migrates already created passwords on login Source for the number of iterations: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2 2021-11-10 22:34:54 +01:00			`{`
Increase password hash iterations It has been a while since this was last updated: https://github.com/jellyfin/jellyfin/pull/6818 Recommendations have changed since: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2 2024-08-30 19:26:48 +02:00			`_logger.LogInformation("Migrating password hash of {User} to the latest default", username);`
Replace PBKDF2-SHA1 with PBKDF2-SHA512 This also migrates already created passwords on login Source for the number of iterations: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2 2021-11-10 22:34:54 +01:00			`ChangePassword(resolvedUser, password);`
			`}`

made newlines into linux newlines 2019-02-20 01:17:30 -08:00			`return Task.FromResult(new ProviderAuthenticationResult`
			`{`
			`Username = username`
			`});`
			`}`

Remove legacy auth code (#1677) * Remove legacy auth code * Adds tests so we don't break PasswordHash (again) * Clean up interfaces * Remove duplicate code * Use auto properties * static using * Don't use 'this' * Fix build 2019-09-17 18:07:15 +02:00			`/// <inheritdoc />`
Remove redundant qualifiers 2020-05-20 13:07:53 -04:00			`public bool HasPassword(User user)`
Reimplement password resetting 2020-05-30 00:19:36 -04:00			`=> !string.IsNullOrEmpty(user?.Password);`
made newlines into linux newlines 2019-02-20 01:17:30 -08:00
Remove legacy auth code (#1677) * Remove legacy auth code * Adds tests so we don't break PasswordHash (again) * Clean up interfaces * Remove duplicate code * Use auto properties * static using * Don't use 'this' * Fix build 2019-09-17 18:07:15 +02:00			`/// <inheritdoc />`
Remove redundant qualifiers 2020-05-20 13:07:53 -04:00			`public Task ChangePassword(User user, string newPassword)`
made newlines into linux newlines 2019-02-20 01:17:30 -08:00			`{`
Remove legacy auth code (#1677) * Remove legacy auth code * Adds tests so we don't break PasswordHash (again) * Clean up interfaces * Remove duplicate code * Use auto properties * static using * Don't use 'this' * Fix build 2019-09-17 18:07:15 +02:00			`if (string.IsNullOrEmpty(newPassword))`
added justaman notes, fixed new bug from emty has removals 2019-02-18 01:26:01 -08:00			`{`
Remove legacy auth code (#1677) * Remove legacy auth code * Adds tests so we don't break PasswordHash (again) * Clean up interfaces * Remove duplicate code * Use auto properties * static using * Don't use 'this' * Fix build 2019-09-17 18:07:15 +02:00			`user.Password = null;`
added justaman notes, fixed new bug from emty has removals 2019-02-18 01:26:01 -08:00			`return Task.CompletedTask;`
			`}`

Remove legacy auth code (#1677) * Remove legacy auth code * Adds tests so we don't break PasswordHash (again) * Clean up interfaces * Remove duplicate code * Use auto properties * static using * Don't use 'this' * Fix build 2019-09-17 18:07:15 +02:00			`PasswordHash newPasswordHash = _cryptographyProvider.CreatePasswordHash(newPassword);`
			`user.Password = newPasswordHash.ToString();`
made newlines into linux newlines 2019-02-20 01:17:30 -08:00
			`return Task.CompletedTask;`
			`}`
			`}`
			`}`