fix authentication challenges and response codes

Author: pandinocoder

Intersect.Server/Web/ApiService.cs

@@ -35,8 +35,10 @@
 using Intersect.Server.Web.Controllers;
 using Intersect.Server.Web.Controllers.Api;
 using Intersect.Server.Web.Controllers.AssetManagement;
+using Intersect.Server.Web.Extensions;
 using Intersect.Server.Web.Types.Chat;
 using Microsoft.AspNetCore.Http.Features;
+using Microsoft.Extensions.Primitives;
 using MyCSharp.HttpUserAgentParser.AspNetCore.DependencyInjection;
 using MyCSharp.HttpUserAgentParser.MemoryCache.DependencyInjection;
 
@@ -50,12 +52,6 @@ internal partial class ApiService : ApplicationService<ServerContext, IApiServic
     private WebApplication? _app;
     private static readonly Assembly Assembly = typeof(ApiService).Assembly;
 
-    private static readonly string[] ChallengePaths = [
-        "/api",
-        "/assets",
-        "/avatar",
-    ];
-
     private static string GetOptionsName<TOptions>() => typeof(TOptions).Name.Replace("Options", string.Empty);
 
     // ReSharper disable once MemberCanBeMadeStatic.Local
@@ -76,11 +72,13 @@ internal partial class ApiService : ApplicationService<ServerContext, IApiServic
             return default;
         }
 
-        ApplicationContext.Context.Value?.Logger.LogInformation(
+        ApplicationContext.CurrentContext.Logger.LogInformation(
             "Launching Intersect REST API in '{EnvironmentName}' mode...",
             builder.Environment.EnvironmentName
         );
 
+        builder.Services.AddSingleton(ApplicationContext.GetCurrentContext<IApplicationContext>());
+
         var updateServerSection = builder.Configuration.GetSection(GetOptionsName<UpdateServerOptions>());
         builder.Services.Configure<UpdateServerOptions>(updateServerSection);
 
@@ -173,30 +171,16 @@ internal partial class ApiService : ApplicationService<ServerContext, IApiServic
 
         builder.Services.AddSingleton<IntersectAuthenticationManager>();
 
-        builder.Services.AddAuthentication(BearerCookieFallbackAuthenticationScheme)
+        builder.Services.AddAuthentication(
+                options =>
+                {
+                    options.DefaultScheme = BearerCookieFallbackAuthenticationScheme;
+                }
+            )
             .AddCookie(
                 CookieAuthenticationDefaults.AuthenticationScheme,
                 options =>
                 {
-                    // Commenting this out fixes no redirect
-                    // Uncommenting fixed API consumers with expired tokens
-                    // options.ForwardChallenge = JwtBearerDefaults.AuthenticationScheme;
-
-                    // So the thing that was broken if the above was commented out was the editor (or presumably
-                    // anything that had an expired token) -- I believe the below fixes it
-                    // options.ForwardDefaultSelector = context =>
-                    // {
-                    //     var requestPath = context.Request.Path;
-                    //     foreach (var challengePath in ChallengePaths)
-                    //     {
-                    //         if (requestPath.StartsWithSegments(challengePath))
-                    //         {
-                    //             return JwtBearerDefaults.AuthenticationScheme;
-                    //         }
-                    //     }
-                    //
-                    //     return null;
-                    // };
                     options.Events.OnSignedIn += async (context) => { };
                     options.Events.OnSigningIn += async (context) => { };
                     options.Events.OnSigningOut += async (context) => { };
@@ -221,7 +205,7 @@ internal partial class ApiService : ApplicationService<ServerContext, IApiServic
                             return;
                         }
 
-                        var logger = context.HttpContext.RequestServices.GetRequiredService<ILogger<ApiService>>();
+                        var logger = context.GetAPILogger();
                         logger.LogInformation(
                             "Renewing cookie for {UserId}",
                             updatedPrincipal.FindFirstValue(ClaimTypes.NameIdentifier)
@@ -231,6 +215,34 @@ internal partial class ApiService : ApplicationService<ServerContext, IApiServic
                     };
                     options.Events.OnRedirectToLogin += async (context) =>
                     {
+                        if (context.HttpContext.IsPage())
+                        {
+                            context.GetAPILogger().LogTrace(
+                                "{OnRedirectToLogin} called for page (non-API) endpoint: {Route}",
+                                nameof(CookieAuthenticationEvents.OnRedirectToLogin),
+                                context.HttpContext.Request.Path
+                            );
+                            return;
+                        }
+
+                        if (context.HttpContext.IsController())
+                        {
+                            context.GetAPILogger().LogTrace(
+                                "{OnRedirectToLogin} called for controller (API) endpoint: {Route}",
+                                nameof(CookieAuthenticationEvents.OnRedirectToLogin),
+                                context.HttpContext.Request.Path
+                            );
+
+                            context.RedirectUri = string.Empty;
+                            context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
+                            context.Response.Headers.Location = StringValues.Empty;
+                        }
+
+                        context.GetAPILogger().LogWarning(
+                            "{OnRedirectToLogin} called for unclassified endpoint: {Route}",
+                            nameof(CookieAuthenticationEvents.OnRedirectToLogin),
+                            context.HttpContext.Request.Path
+                        );
                     };
                     options.Events.OnRedirectToAccessDenied += async (context) =>
                     {
@@ -256,15 +268,31 @@ internal partial class ApiService : ApplicationService<ServerContext, IApiServic
                     };
                     options.ForwardDefaultSelector += context =>
                     {
-                        var requestPath = context.Request.Path;
-                        foreach (var challengePath in ChallengePaths)
+                        if (context.IsController())
                         {
-                            if (requestPath.StartsWithSegments(challengePath))
-                            {
-                                return null;
-                            }
+                            return null;
+                        }
+
+                        if (context.IsPage())
+                        {
+                            return CookieAuthenticationDefaults.AuthenticationScheme;
                         }
 
+                        if (context.Request.Headers.Authorization.Count > 0)
+                        {
+                            context.GetAPILogger().LogWarning(
+                                "JwtBearer ForwardDefaultSelector invoked for unclassified endpoint, not forwarding because there is an Authorization header: {Route}",
+                                context.Request.Path
+                            );
+
+                            return null;
+                        }
+
+                        context.GetAPILogger().LogWarning(
+                            "JwtBearer ForwardDefaultSelector invoked for unclassified endpoint, falling back to cookie authentication because there is no Authorization header: {Route}",
+                            context.Request.Path
+                        );
+
                         return CookieAuthenticationDefaults.AuthenticationScheme;
                     };
                     builder.Configuration.Bind($"Api.{nameof(JwtBearerOptions)}", options);
@@ -277,13 +305,12 @@ internal partial class ApiService : ApplicationService<ServerContext, IApiServic
                         },
                         OnChallenge = async context =>
                         {
-                            if (context.AuthenticateFailure != null)
+                            if (context.AuthenticateFailure is not null || context.HttpContext.IsController())
                             {
                                 // This was needed to make sure authentication failures didn't return 200
                                 context.Response.StatusCode = (int)HttpStatusCode.Unauthorized;
                                 context.HandleResponse();
                             }
-                            context.HandleResponse();
                         },
                         OnMessageReceived = async context => { },
                         OnTokenValidated = async context =>
@@ -331,7 +358,7 @@ internal partial class ApiService : ApplicationService<ServerContext, IApiServic
 
                             context.Fail("expired_token");
 
-                            // var logger = context.HttpContext.RequestServices.GetRequiredService<ILogger<ApiService>>();
+                            // var logger = context.GetAPILogger();
                             // logger.LogInformation(
                             //     "Changing token for {UserId}",
                             //     updatedPrincipal.FindFirstValue(ClaimTypes.NameIdentifier)
@@ -343,7 +370,8 @@ internal partial class ApiService : ApplicationService<ServerContext, IApiServic
                     SymmetricSecurityKey issuerKey = new(tokenGenerationOptions.SecretData);
                     options.TokenValidationParameters.IssuerSigningKey = issuerKey;
                 }
-            ).AddPolicyScheme(
+            )
+            .AddPolicyScheme(
                 BearerCookieFallbackAuthenticationScheme,
                 "Bearer-to-Cookie Fallback",
                 pso =>
@@ -354,10 +382,23 @@ internal partial class ApiService : ApplicationService<ServerContext, IApiServic
                         {
                             return JwtBearerDefaults.AuthenticationScheme;
                         }
-                        else
+
+                        if (context.IsController())
+                        {
+                            return JwtBearerDefaults.AuthenticationScheme;
+                        }
+
+                        if (context.IsPage())
                         {
                             return CookieAuthenticationDefaults.AuthenticationScheme;
                         }
+
+                        context.GetAPILogger().LogWarning(
+                            "Trying to authenticate with no authorization header on unclassified endpoint, falling back to cookie authentication: {Route}",
+                            context.Request.Path
+                        );
+
+                        return CookieAuthenticationDefaults.AuthenticationScheme;
                     };
                 }
             );
@@ -583,7 +624,6 @@ internal partial class ApiService : ApplicationService<ServerContext, IApiServic
         app.UseResponseCaching();
         app.UseOutputCache();
 
-
         StaticFileOptions staticFileOptions = new()
         {
             HttpsCompression = HttpsCompressionMode.Compress,

Intersect.Server/Web/Extensions/BaseContextExtensions.cs

@@ -0,0 +1,11 @@
+using Microsoft.AspNetCore.Authentication;
+
+namespace Intersect.Server.Web.Extensions;
+
+public static class BaseContextExtensions
+{
+    public static ILogger GetAPILogger<TOptions>(this BaseContext<TOptions> context) where TOptions : AuthenticationSchemeOptions
+    {
+        return context.HttpContext.GetAPILogger();
+    }
+}

Intersect.Server/Web/Extensions/HttpContextExtensions.cs

@@ -0,0 +1,32 @@
+using Microsoft.AspNetCore.Mvc.ApplicationModels;
+using Microsoft.AspNetCore.Mvc.Controllers;
+
+namespace Intersect.Server.Web.Extensions;
+
+public static class HttpContextExtensions
+{
+    public static ILogger GetAPILogger(this HttpContext httpContext)
+    {
+        return httpContext.RequestServices.GetRequiredService<ILogger<ApiService>>();
+    }
+
+    public static bool IsController(this HttpContext httpContext)
+    {
+        if (httpContext.GetEndpoint() is not { } endpoint)
+        {
+            return false;
+        }
+
+        return endpoint.Metadata.GetMetadata<ControllerActionDescriptor>() is not null;
+    }
+
+    public static bool IsPage(this HttpContext httpContext)
+    {
+        if (httpContext.GetEndpoint() is not { } endpoint)
+        {
+            return false;
+        }
+
+        return endpoint.Metadata.GetMetadata<PageRouteMetadata>() is not null;
+    }
+}

Intersect.sln.DotSettings

@@ -1,4 +1,5 @@
 <wpf:ResourceDictionary xml:space="preserve" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns:s="clr-namespace:System;assembly=mscorlib" xmlns:ss="urn:shemas-jetbrains-com:settings-storage-xaml" xmlns:wpf="http://schemas.microsoft.com/winfx/2006/xaml/presentation">
+	<s:String x:Key="/Default/CodeStyle/Naming/CSharpNaming/Abbreviations/=API/@EntryIndexedValue">API</s:String>
 	<s:String x:Key="/Default/CodeStyle/Naming/CSharpNaming/Abbreviations/=FPS/@EntryIndexedValue">FPS</s:String>
 	<s:String x:Key="/Default/CodeStyle/Naming/CSharpNaming/Abbreviations/=GPU/@EntryIndexedValue">GPU</s:String>
 	<s:String x:Key="/Default/CodeStyle/Naming/CSharpNaming/Abbreviations/=IP/@EntryIndexedValue">IP</s:String>