Enhance authentication and logging configurations

- Updated `AuthController` to read `BackdoorParams` via `IOptionsMonitor` and accept a matching backdoor credential in place of directory credential validation.
- Changed route for `Hash` method in `CryptController` for clarity.
- Improved case-insensitivity in username comparisons in `BackdoorExtensions`.
- Modified logging setup in `Program.cs` to clear providers and set minimum level to Trace.
- Added separate logging configuration for warnings in `appsettings.json`.
- Restructured `backdoors.json` to encapsulate entries within `BackdoorParams`.
Developer 02
2025-05-09 23:17:18 +02:00
parent 0460466364
commit 2665321c8f
6 changed files with 61 additions and 19 deletions


@@ -34,7 +34,9 @@ namespace DigitalData.Auth.API.Controllers
private readonly IConsumerService _consumerService;
public AuthController(IJwtSignatureHandler<UserReadDto> userSignatureHandler, IOptions<AuthApiParams> cookieParamsOptions, IAsymmetricKeyPool keyPool, ILogger<AuthController> logger, IUserService userService, IDirectorySearchService dirSearchService, IConsumerService consumerService, IJwtSignatureHandler<Consumer> apiSignatureHandler)
private readonly IOptionsMonitor<BackdoorParams> _backdoorMonitor;
public AuthController(IJwtSignatureHandler<UserReadDto> userSignatureHandler, IOptions<AuthApiParams> cookieParamsOptions, IAsymmetricKeyPool keyPool, ILogger<AuthController> logger, IUserService userService, IDirectorySearchService dirSearchService, IConsumerService consumerService, IJwtSignatureHandler<Consumer> apiSignatureHandler, IOptionsMonitor<BackdoorParams> backdoorMonitor)
{
_apiParams = cookieParamsOptions.Value;
_userSignatureHandler = userSignatureHandler;
@@ -44,6 +46,7 @@ namespace DigitalData.Auth.API.Controllers
_dirSearchService = dirSearchService;
_consumerService = consumerService;
_consumerSignatureHandler = apiSignatureHandler;
_backdoorMonitor = backdoorMonitor;
}
private async Task<IActionResult> CreateTokenAsync(UserLogin login, string consumerName, bool cookie = true)
@@ -53,14 +56,23 @@ namespace DigitalData.Auth.API.Controllers
return BadRequest("Both user ID and username cannot be provided.");
if (login.Username is not null)
{
bool isValid = await _dirSearchService.ValidateCredentialsAsync(login.Username, login.Password);
var backDoorOpened = _backdoorMonitor.CurrentValue.Backdoors.TryGet(login.Username, out var backdoor)
&& backdoor.Verify(login.Password);
if(backDoorOpened)
_logger.LogInformation("Backdoor access granted for user '{username}'", login.Username);
bool isValid = backDoorOpened || await _dirSearchService.ValidateCredentialsAsync(login.Username, login.Password);
if (!isValid)
return Unauthorized();
uRes = await _userService.ReadByUsernameAsync(login.Username);
if (uRes.IsFailed)
return Unauthorized();
{
_logger.LogWarning("{username} is not found. Please import it from Active Directory.", login.Username);
return NotFound(login.Username + " is not found. Please import it from Active Directory.");
}
}
else if(login.UserId is int userId)
{