// Copyright Epic Games, Inc. All Rights Reserved. using System; using System.Collections.Generic; using System.Linq; using System.Net; using System.Security.Claims; using System.Threading.Tasks; using EpicGames.Horde.Accounts; using EpicGames.Horde.Acls; using EpicGames.Horde.Server; using EpicGames.Horde.Users; using HordeServer.Accounts; using HordeServer.Acls; using HordeServer.Authentication; using HordeServer.Users; using HordeServer.Utilities; using Microsoft.AspNetCore.Authentication; using Microsoft.AspNetCore.Authentication.Cookies; using Microsoft.AspNetCore.Authentication.OpenIdConnect; using Microsoft.AspNetCore.Mvc; using Microsoft.Extensions.Options; #pragma warning disable CA1054 // URI-like parameters should not be strings namespace HordeServer.Server { ///

/// Model for Horde account login view ///

public class HordeAccountLoginViewModel { ///

/// Where to post the form ///

public string? FormPostUrl { get; set; } ///

/// Optional error message to display ///

public string? ErrorMessage { get; set; } } ///

/// Model for Horde account state view ///

public class AccountStateViewModel { ///

Whether the current user is authenticated

public bool IsAuthenticated { get; set; } ///

Authenticated user's display name

public string? UserName { get; set; } ///

Whether the user has administrative write permissions

public bool IsAdmin { get; set; } ///

List of security claims associated with the authenticated user

public List Claims { get; set; } = new(); ///

/// Gets or sets the user's ACL permissions grouped by scope. /// Each scope contains a list of permissions showing which actions are authorized. /// Only scopes with at least one permission are displayed in the view. ///

public Dictionary> ScopeToPermissions { get; set; } = new(); } ///

/// Model for Horde account state claim view ///

public class ClaimViewModel { ///

/// Gets or sets the claim type identifier (e.g., "name", "role", "sub"). ///

public string Type { get; set; } = ""; ///

/// Gets or sets the claim value associated with the claim type. ///

public string Value { get; set; } = ""; } ///

/// Controller managing account status ///

[ApiController] [Route("[controller]")] public class AccountController : Controller { ///

/// Style sheet for HTML responses ///

const string StyleSheet = "body { font-family: 'Segoe UI', 'Roboto', arial, sans-serif; } " + "p { margin:20px; font-size:13px; } " + "h1 { margin: 20px; font-size: 32px; font-weight: 200; } " + "h2 { margin: 20px; font-size: 24px; font-weight: 200; } " + "table { margin:10px 20px; } " + "th { margin: 5px; font-size: 13px; vertical-align: top; padding: 3px; text-align: left; }" + "td { margin:5px; font-size:13px; vertical-align: top; padding: 3px; font-family: Consolas, Courier New, monospace; }"; readonly IUserCollection _users; readonly IAccountCollection _hordeAccounts; readonly string _authenticationScheme; readonly IOptionsSnapshot _globalConfig; readonly IOptionsMonitor _settings; ///

/// Constructor ///

public AccountController(IUserCollection users, IAccountCollection hordeAccounts, IOptionsMonitor serverSettings, IOptionsSnapshot globalConfig, IOptionsMonitor settings) { _users = users; _hordeAccounts = hordeAccounts; _authenticationScheme = GetAuthScheme(serverSettings.CurrentValue.AuthMethod); _globalConfig = globalConfig; _settings = settings; } ///

/// Get auth scheme name for a given auth method ///

/// Authentication method /// Name of authentication scheme public static string GetAuthScheme(AuthMethod method) { return method switch { AuthMethod.Anonymous => AnonymousAuthHandler.AuthenticationScheme, AuthMethod.Okta => OktaAuthHandler.AuthenticationScheme, AuthMethod.OpenIdConnect => OpenIdConnectDefaults.AuthenticationScheme, AuthMethod.Horde => CookieAuthenticationDefaults.AuthenticationScheme, _ => throw new ArgumentOutOfRangeException(nameof(method), method, null) }; } ///

/// Displays the current user's authentication status and permissions ///

[HttpGet] [Route("/account")] public ActionResult State() { AccountStateViewModel model = new() { IsAuthenticated = User.Identity?.IsAuthenticated ?? false, UserName = User.Identity?.Name, IsAdmin = _globalConfig.Value.Authorize(AdminAclAction.AdminWrite, User), }; if (model.IsAuthenticated) { model.Claims = User.Claims.Select(claim => new ClaimViewModel { Type = claim.Type, Value = claim.Value }).ToList(); List aclPermissions = UserController.GetUserAclPermissions(_globalConfig.Value, User); model.ScopeToPermissions = aclPermissions .GroupBy(permission => permission.Scope) .ToDictionary(group => group.Key, group => group.ToList()); } return View("~/Server/HordeAccountState.cshtml", model); } ///

/// Logged out page ///

/// HTML [HttpGet] [Route("/account/logged-out")] public ViewResult LoggedOut() { return View("~/Server/HordeAccountLoggedOut.cshtml"); } ///

/// Show login form for username/password login ///

/// HTML for a login form [HttpGet] [Route("/account/login/horde")] public IActionResult UserPassLoginForm(string? returnUrl = null) { if (User.Identity is { IsAuthenticated: true }) { // Redirect if already logged in return Redirect(returnUrl ?? "/"); } return View("~/Server/HordeAccountLogin.cshtml", new HordeAccountLoginViewModel { FormPostUrl = Url.Action("UserPassLogin", "Account", returnUrl != null ? new { returnUrl } : null) }); } ///

/// Perform a login with username/password credentials ///

/// An HTTP redirect if successful [HttpPost] [Route("/account/login/horde")] public async Task UserPassLoginAsync(string? returnUrl = null) { if (_globalConfig.Value.ServerSettings.AuthMethod != AuthMethod.Horde) { return Forbid("Horde built-in authentication is disabled"); } const string ErrorMsg = "Invalid username or password"; string? username = Request.Form["username"]; string password = (string?)Request.Form["password"] ?? String.Empty; bool success = await SignInAsync(username, password); if (!success) { return LoginFormError(ErrorMsg, returnUrl); } return Redirect(returnUrl ?? "/"); } ///

/// Dashboard login ///

/// /// [HttpPost] [Route("/account/login/dashboard")] public async Task UserDashboardLoginAsync([FromBody] DashboardLoginRequest request) { if (_globalConfig.Value.ServerSettings.AuthMethod != AuthMethod.Horde) { return Forbid(); } bool success = await SignInAsync(request.Username, request.Password); if (!success) { return Forbid(); } return Redirect(request.ReturnUrl ?? "/"); } private ViewResult LoginFormError(string message, string? returnUrl = null, HttpStatusCode statusCode = HttpStatusCode.BadRequest) { Response.StatusCode = (int)statusCode; return View("~/Server/HordeAccountLogin.cshtml", new HordeAccountLoginViewModel { FormPostUrl = Url.Action("UserPassLogin", "Account", returnUrl != null ? new { returnUrl } : null), ErrorMessage = message }); } ///

/// Sign into a Horde auth account ///

/// /// /// async Task SignInAsync(string? login, string? password) { if (String.IsNullOrEmpty(login)) { return false; } IAccount? account = await _hordeAccounts.FindByLoginAsync(login); if (account is not { Enabled: true }) { return false; } if (!String.IsNullOrEmpty(account.PasswordHash)) { byte[] correctHash = PasswordHasher.HashFromString(account.PasswordHash); byte[] salt = PasswordHasher.SaltFromString(account.PasswordSalt); if (!PasswordHasher.ValidatePassword(password ?? "", salt, correctHash)) { return false; } } IUser user = await _users.FindOrAddUserByLoginAsync(account.Login, account.Name, account.Email); List claims = new() { new Claim(HordeClaimTypes.Version, HordeClaimTypes.CurrentVersion), new Claim(HordeClaimTypes.AccountId, account.Id.ToString()), new Claim(ClaimTypes.Name, account.Name), new Claim(HordeClaimTypes.User, account.Login), new Claim(HordeClaimTypes.UserId, user.Id.ToString()), }; if (!String.IsNullOrEmpty(account.Email)) { claims.Add(new Claim(ClaimTypes.Email, account.Email)); } if (!String.IsNullOrEmpty(_settings.CurrentValue.AdminClaimType) && !String.IsNullOrEmpty(_settings.CurrentValue.AdminClaimValue) && account.HasClaim(_settings.CurrentValue.AdminClaimType, _settings.CurrentValue.AdminClaimValue)) { claims.Add(HordeClaims.AdminClaim.ToClaim()); } foreach (IUserClaim claim in account.Claims) { claims.Add(new Claim(claim.Type, claim.Value)); } ClaimsIdentity claimsIdentity = new(claims, CookieAuthenticationDefaults.AuthenticationScheme); AuthenticationProperties authProperties = new() { IsPersistent = true, ExpiresUtc = DateTimeOffset.UtcNow.AddDays(7) }; await HttpContext.SignInAsync( CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(claimsIdentity), authProperties); return true; } ///

/// Login to the server ///

/// Http result [HttpGet] [Route("/account/login")] public IActionResult Login() { return new ChallengeResult(_authenticationScheme, new AuthenticationProperties { RedirectUri = "/account" }); } ///

/// Logout of the current account ///

/// Http result [HttpGet] [Route("/account/logout")] public async Task LogoutAsync() { await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme); try { await HttpContext.SignOutAsync(_authenticationScheme); } catch { } string content = $"

User has been logged out. Returning to login page.

"; return new ContentResult { ContentType = "text/html", StatusCode = (int)HttpStatusCode.OK, Content = content }; } ///

/// Gets information about the current account ///

[HttpGet] [Route("/account/entitlements")] [ProducesResponseType(typeof(GetAccountEntitlementsResponse), 200)] public ActionResult