Add POST /auth/login for Windows credential auth

Introduced a new endpoint to AuthController that allows authentication using Windows username, password, and optional domain via the Win32 LogonUser API. This enables credential validation without NTLM/Negotiate middleware or IIS. The endpoint parses both "DOMAIN\user" and "user@domain" formats and returns user info and claims on success, or Unauthorized on failure. Added necessary using directives for implementation.
2026-03-13 10:36:54 +01:00
parent ee9f4abc95
commit 5b37dbf854
1 changed files with 50 additions and 2 deletions
--- a/Controllers/AuthController.cs
+++ b/Controllers/AuthController.cs
@@ -1,5 +1,8 @@
-using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
+using System.Security.Principal;
+using FakeNTLMServer.Model;
+using FakeNTLMServer.Common;

 namespace FakeNTLMServer.Controllers;

@@ -23,7 +26,7 @@ public class AuthController : ControllerBase

    /// <summary>
    /// NTLM/Negotiate login endpoint.
-    /// Triggers the NTLM handshake (401 → challenge → response) and returns authenticated user info.
+    /// Triggers the NTLM handshake and returns authenticated user info.
    /// </summary>
    [Authorize]
    [HttpGet("login")]
@@ -44,6 +47,51 @@ public class AuthController : ControllerBase
        });
    }

+    /// <summary>
+    /// Validates Windows credentials (username/password) using the Win32 LogonUser API.
+    /// Works on local Kestrel without IIS or Negotiate middleware.
+    /// </summary>
+    [AllowAnonymous]
+    [HttpPost("login")]
+    public IActionResult LoginWithCredentials([FromBody] Login request)
+    {
+        var username = request.Username;
+        var domain = request.Domain ?? ".";
+
+        if (username.Contains('\\'))
+        {
+            var parts = username.Split('\\', 2);
+            domain = parts[0];
+            username = parts[1];
+        }
+        else if (username.Contains('@'))
+        {
+            var parts = username.Split('@', 2);
+            username = parts[0];
+            domain = parts[1];
+        }
+
+        if (!NtlmHelper.ValidateCredentials(username, domain, request.Password, out var token))
+        {
+            return Unauthorized(new { Message = "Invalid username or password." });
+        }
+
+        using (token)
+        {
+            var windowsIdentity = new WindowsIdentity(token.DangerousGetHandle());
+            var claims = windowsIdentity.Claims.Select(c => new { c.Type, c.Value }).ToList();
+
+            return Ok(new
+            {
+                Message = "Authentication successful.",
+                Name = windowsIdentity.Name,
+                AuthenticationType = windowsIdentity.AuthenticationType,
+                IsAuthenticated = windowsIdentity.IsAuthenticated,
+                Claims = claims
+            });
+        }
+    }
+
    [Authorize]
    [HttpGet("status")]
    public IActionResult Status()