jellyfin/Emby.Server.Implementations/HttpServer/Security/AuthService.cs

#pragma warning disable CS1591

using System;
using System.Linq;
using Emby.Server.Implementations.SocketSharp;
using Jellyfin.Data.Entities;
using Jellyfin.Data.Enums;
using MediaBrowser.Common.Net;
using MediaBrowser.Controller.Authentication;
using MediaBrowser.Controller.Configuration;
using MediaBrowser.Controller.Net;
using MediaBrowser.Controller.Security;
using MediaBrowser.Controller.Session;
using MediaBrowser.Model.Services;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;

namespace Emby.Server.Implementations.HttpServer.Security
{
    public class AuthService : IAuthService
    {
        private readonly ILogger<AuthService> _logger;
        private readonly IAuthorizationContext _authorizationContext;
        private readonly ISessionManager _sessionManager;
        private readonly IServerConfigurationManager _config;
        private readonly INetworkManager _networkManager;

        public AuthService(
            ILogger<AuthService> logger,
            IAuthorizationContext authorizationContext,
            IServerConfigurationManager config,
            ISessionManager sessionManager,
            INetworkManager networkManager)
        {
            _logger = logger;
            _authorizationContext = authorizationContext;
            _config = config;
            _sessionManager = sessionManager;
            _networkManager = networkManager;
        }

        public void Authenticate(IRequest request, IAuthenticationAttributes authAttribtues)
        {
            ValidateUser(request, authAttribtues);
        }

        public User Authenticate(HttpRequest request, IAuthenticationAttributes authAttributes)
        {
            var req = new WebSocketSharpRequest(request, null, request.Path);
            var user = ValidateUser(req, authAttributes);
            return user;
        }

        private User ValidateUser(IRequest request, IAuthenticationAttributes authAttribtues)
        {
            // This code is executed before the service
            var auth = _authorizationContext.GetAuthorizationInfo(request);

            if (!IsExemptFromAuthenticationToken(authAttribtues, request))
            {
                ValidateSecurityToken(request, auth.Token);
            }

            if (authAttribtues.AllowLocalOnly && !request.IsLocal)
            {
                throw new SecurityException("Operation not found.");
            }

            var user = auth.User;

            if (user == null && auth.UserId != Guid.Empty)
            {
                throw new AuthenticationException("User with Id " + auth.UserId + " not found");
            }

            if (user != null)
            {
                ValidateUserAccess(user, request, authAttribtues, auth);
            }

            var info = GetTokenInfo(request);

            if (!IsExemptFromRoles(auth, authAttribtues, request, info))
            {
                var roles = authAttribtues.GetRoles();

                ValidateRoles(roles, user);
            }

            if (!string.IsNullOrEmpty(auth.DeviceId) &&
                !string.IsNullOrEmpty(auth.Client) &&
                !string.IsNullOrEmpty(auth.Device))
            {
                _sessionManager.LogSessionActivity(
                    auth.Client,
                    auth.Version,
                    auth.DeviceId,
                    auth.Device,
                    request.RemoteIp,
                    user);
            }

            return user;
        }

        private void ValidateUserAccess(
            User user,
            IRequest request,
            IAuthenticationAttributes authAttributes,
            AuthorizationInfo auth)
        {
            if (user.HasPermission(PermissionKind.IsDisabled))
            {
                throw new SecurityException("User account has been disabled.");
            }

            if (!user.HasPermission(PermissionKind.EnableRemoteAccess) && !_networkManager.IsInLocalNetwork(request.RemoteIp))
            {
                throw new SecurityException("User account has been disabled.");
            }

            if (!user.HasPermission(PermissionKind.IsAdministrator)
                && !authAttributes.EscapeParentalControl
                && !user.IsParentalScheduleAllowed())
            {
                request.Response.Headers.Add("X-Application-Error-Code", "ParentalControl");

                throw new SecurityException("This user account is not allowed access at this time.");
            }
        }

        private bool IsExemptFromAuthenticationToken(IAuthenticationAttributes authAttribtues, IRequest request)
        {
            if (!_config.Configuration.IsStartupWizardCompleted && authAttribtues.AllowBeforeStartupWizard)
            {
                return true;
            }

            if (authAttribtues.AllowLocal && request.IsLocal)
            {
                return true;
            }

            if (authAttribtues.AllowLocalOnly && request.IsLocal)
            {
                return true;
            }

            return false;
        }

        private bool IsExemptFromRoles(AuthorizationInfo auth, IAuthenticationAttributes authAttribtues, IRequest request, AuthenticationInfo tokenInfo)
        {
            if (!_config.Configuration.IsStartupWizardCompleted && authAttribtues.AllowBeforeStartupWizard)
            {
                return true;
            }

            if (authAttribtues.AllowLocal && request.IsLocal)
            {
                return true;
            }

            if (authAttribtues.AllowLocalOnly && request.IsLocal)
            {
                return true;
            }

            if (string.IsNullOrEmpty(auth.Token))
            {
                return true;
            }

            if (tokenInfo != null && tokenInfo.UserId.Equals(Guid.Empty))
            {
                return true;
            }

            return false;
        }

        private static void ValidateRoles(string[] roles, User user)
        {
            if (roles.Contains("admin", StringComparer.OrdinalIgnoreCase))
            {
                if (user == null || !user.HasPermission(PermissionKind.IsAdministrator))
                {
                    throw new SecurityException("User does not have admin access.");
                }
            }

            if (roles.Contains("delete", StringComparer.OrdinalIgnoreCase))
            {
                if (user == null || !user.HasPermission(PermissionKind.EnableContentDeletion))
                {
                    throw new SecurityException("User does not have delete access.");
                }
            }

            if (roles.Contains("download", StringComparer.OrdinalIgnoreCase))
            {
                if (user == null || !user.HasPermission(PermissionKind.EnableContentDownloading))
                {
                    throw new SecurityException("User does not have download access.");
                }
            }
        }

        private static AuthenticationInfo GetTokenInfo(IRequest request)
        {
            request.Items.TryGetValue("OriginalAuthenticationInfo", out var info);
            return info as AuthenticationInfo;
        }

        private void ValidateSecurityToken(IRequest request, string token)
        {
            if (string.IsNullOrEmpty(token))
            {
                throw new AuthenticationException("Access token is required.");
            }

            var info = GetTokenInfo(request);

            if (info == null)
            {
                throw new AuthenticationException("Access token is invalid or expired.");
            }

            // if (!string.IsNullOrEmpty(info.UserId))
            //{
            //    var user = _userManager.GetUserById(info.UserId);

            //    if (user == null || user.Configuration.IsDisabled)
            //    {
            //        throw new SecurityException("User account has been disabled.");
            //    }
            //}
        }
    }
}
Fix more warnings 2019-11-01 10:38:54 -07:00			`#pragma warning disable CS1591`

Visual Studio Reformat: Emby.Server.Implementations Part De-H 2019-01-13 12:20:41 -07:00			`using System;`
			`using System.Linq;`
Add authentication and remove versioning 2019-11-23 08:31:02 -07:00			`using Emby.Server.Implementations.SocketSharp;`
Fix more issues 2020-05-19 16:05:17 -07:00			`using Jellyfin.Data.Entities;`
Initial migration code 2020-05-12 19:10:35 -07:00			`using Jellyfin.Data.Enums;`
Visual Studio Reformat: Emby.Server.Implementations Part De-H 2019-01-13 12:20:41 -07:00			`using MediaBrowser.Common.Net;`
Use the "legacy" AuthenticationException 2020-06-11 01:59:57 -07:00			`using MediaBrowser.Controller.Authentication;`
Mayor code cleanup Add ArgumentExceptions now use proper nameof operators. Added exception messages to quite a few ArgumentExceptions. Fixed rethorwing to be proper syntax. Added a ton of null checkes. (This is only a start, there are about 500 places that need proper null handling) Added some TODOs to log certain exceptions. Fix sln again. Fixed all AssemblyInfo's and added proper copyright (where I could find them) We live in current year. Fixed the use of braces. Fixed a ton of properties, and made a fair amount of functions static that should be and can be static. Made more Methods that should be static static. You can now use static to find bad functions! Removed unused variable. And added one more proper XML comment. 2019-01-06 13:50:43 -07:00			`using MediaBrowser.Controller.Configuration;`
run all ajax through apiclient 2014-07-01 22:16:59 -07:00			`using MediaBrowser.Controller.Net;`
revise endpoint attributes 2014-11-14 19:31:03 -07:00			`using MediaBrowser.Controller.Security;`
updated service stack 2014-11-15 08:51:49 -07:00			`using MediaBrowser.Controller.Session;`
update request classes 2017-09-03 11:38:26 -07:00			`using MediaBrowser.Model.Services;`
Add authentication and remove versioning 2019-11-23 08:31:02 -07:00			`using Microsoft.AspNetCore.Http;`
			`using Microsoft.Extensions.Logging;`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-01 21:57:18 -07:00
move classes 2016-11-03 18:18:51 -07:00			`namespace Emby.Server.Implementations.HttpServer.Security`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-01 21:57:18 -07:00			`{`
			`public class AuthService : IAuthService`
			`{`
Add authentication and remove versioning 2019-11-23 08:31:02 -07:00			`private readonly ILogger<AuthService> _logger;`
Replace custom code with Asp.Net Core code 2019-07-28 14:53:19 -07:00			`private readonly IAuthorizationContext _authorizationContext;`
			`private readonly ISessionManager _sessionManager;`
completed auth database 2014-07-07 18:41:03 -07:00			`private readonly IServerConfigurationManager _config;`
Replace custom code with Asp.Net Core code 2019-07-28 14:53:19 -07:00			`private readonly INetworkManager _networkManager;`
completed auth database 2014-07-07 18:41:03 -07:00
Replace custom code with Asp.Net Core code 2019-07-28 14:53:19 -07:00			`public AuthService(`
Fix review comments 2019-11-24 10:25:43 -07:00			`ILogger<AuthService> logger,`
Replace custom code with Asp.Net Core code 2019-07-28 14:53:19 -07:00			`IAuthorizationContext authorizationContext,`
			`IServerConfigurationManager config,`
			`ISessionManager sessionManager,`
			`INetworkManager networkManager)`
run all ajax through apiclient 2014-07-01 22:16:59 -07:00			`{`
Fix review comments 2019-11-24 10:25:43 -07:00			`_logger = logger;`
Replace custom code with Asp.Net Core code 2019-07-28 14:53:19 -07:00			`_authorizationContext = authorizationContext;`
completed auth database 2014-07-07 18:41:03 -07:00			`_config = config;`
Replace custom code with Asp.Net Core code 2019-07-28 14:53:19 -07:00			`_sessionManager = sessionManager;`
			`_networkManager = networkManager;`
run all ajax through apiclient 2014-07-01 22:16:59 -07:00			`}`

Update to 3.5.2 and .net core 2.1 2018-09-12 10:26:21 -07:00			`public void Authenticate(IRequest request, IAuthenticationAttributes authAttribtues)`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-01 21:57:18 -07:00			`{`
revise endpoint attributes 2014-11-14 19:31:03 -07:00			`ValidateUser(request, authAttribtues);`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-01 21:57:18 -07:00			`}`

Fix more issues 2020-05-19 16:05:17 -07:00			`public User Authenticate(HttpRequest request, IAuthenticationAttributes authAttributes)`
Add authentication and remove versioning 2019-11-23 08:31:02 -07:00			`{`
Use typed logger where possible 2020-06-05 17:15:56 -07:00			`var req = new WebSocketSharpRequest(request, null, request.Path);`
Add authentication and remove versioning 2019-11-23 08:31:02 -07:00			`var user = ValidateUser(req, authAttributes);`
			`return user;`
			`}`

Fix more issues 2020-05-19 16:05:17 -07:00			`private User ValidateUser(IRequest request, IAuthenticationAttributes authAttribtues)`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-01 21:57:18 -07:00			`{`
remove mono compiler directives 2014-10-06 16:58:46 -07:00			`// This code is executed before the service`
Replace custom code with Asp.Net Core code 2019-07-28 14:53:19 -07:00			`var auth = _authorizationContext.GetAuthorizationInfo(request);`
run all ajax through apiclient 2014-07-01 22:16:59 -07:00
Simplify/remove/clean code * Remove useless runtime check (we only support one) * Remove unused args * Remove a global constant And ofc fix some warnings ;) 2019-03-25 14:25:32 -07:00			`if (!IsExemptFromAuthenticationToken(authAttribtues, request))`
run all ajax through apiclient 2014-07-01 22:16:59 -07:00			`{`
Remove Emby.Server.Connect 2018-12-10 17:27:54 -07:00			`ValidateSecurityToken(request, auth.Token);`
completed auth database 2014-07-07 18:41:03 -07:00			`}`
run all ajax through apiclient 2014-07-01 22:16:59 -07:00
Update to 3.5.2 and .net core 2.1 2018-09-12 10:26:21 -07:00			`if (authAttribtues.AllowLocalOnly && !request.IsLocal)`
			`{`
			`throw new SecurityException("Operation not found.");`
			`}`
run all ajax through apiclient 2014-07-01 22:16:59 -07:00
Update to 3.5.2 and .net core 2.1 2018-09-12 10:26:21 -07:00			`var user = auth.User;`

Fix multiple mistakes and warnings 2019-09-20 03:42:08 -07:00			`if (user == null && auth.UserId != Guid.Empty)`
fix ipad login issue 2014-07-14 18:25:58 -07:00			`{`
Return correct status codes for authentication and authorization errors - Use AuthenticatonException to return 401 - Use SecurityException to return 403 - Update existing throws to throw the correct exception for the circumstance 2020-04-13 10:17:46 -07:00			`throw new AuthenticationException("User with Id " + auth.UserId + " not found");`
fix ipad login issue 2014-07-14 18:25:58 -07:00			`}`

fixes #552 - Add parental control usage limits 2014-10-14 17:05:09 -07:00			`if (user != null)`
completed auth database 2014-07-07 18:41:03 -07:00			`{`
enable user device access 2014-12-29 13:18:48 -07:00			`ValidateUserAccess(user, request, authAttribtues, auth);`
run all ajax through apiclient 2014-07-01 22:16:59 -07:00			`}`
completed auth database 2014-07-07 18:41:03 -07:00
update dlna profiles 2015-02-06 20:25:23 -07:00			`var info = GetTokenInfo(request);`
fixes #1001 - Support downloading 2015-02-05 22:39:07 -07:00
update request classes 2017-09-03 11:38:26 -07:00			`if (!IsExemptFromRoles(auth, authAttribtues, request, info))`
revise endpoint attributes 2014-11-14 19:31:03 -07:00			`{`
3.2.30.3 2017-08-30 11:52:29 -07:00			`var roles = authAttribtues.GetRoles();`
revise endpoint attributes 2014-11-14 19:31:03 -07:00
			`ValidateRoles(roles, user);`
			`}`
updated service stack 2014-11-15 08:51:49 -07:00
Update to 3.5.2 and .net core 2.1 2018-09-12 10:26:21 -07:00			`if (!string.IsNullOrEmpty(auth.DeviceId) &&`
			`!string.IsNullOrEmpty(auth.Client) &&`
			`!string.IsNullOrEmpty(auth.Device))`
updated service stack 2014-11-15 08:51:49 -07:00			`{`
Initial migration code 2020-05-12 19:10:35 -07:00			`_sessionManager.LogSessionActivity(`
			`auth.Client,`
updated service stack 2014-11-15 08:51:49 -07:00			`auth.Version,`
			`auth.DeviceId,`
			`auth.Device,`
			`request.RemoteIp,`
			`user);`
			`}`
Add authentication and remove versioning 2019-11-23 08:31:02 -07:00
			`return user;`
revise endpoint attributes 2014-11-14 19:31:03 -07:00			`}`

Replace custom code with Asp.Net Core code 2019-07-28 14:53:19 -07:00			`private void ValidateUserAccess(`
Fix more issues 2020-05-19 16:05:17 -07:00			`User user,`
Replace custom code with Asp.Net Core code 2019-07-28 14:53:19 -07:00			`IRequest request,`
Fix more issues 2020-05-19 16:05:17 -07:00			`IAuthenticationAttributes authAttributes,`
enable user device access 2014-12-29 13:18:48 -07:00			`AuthorizationInfo auth)`
			`{`
Initial migration code 2020-05-12 19:10:35 -07:00			`if (user.HasPermission(PermissionKind.IsDisabled))`
enable user device access 2014-12-29 13:18:48 -07:00			`{`
Clean up SecurityException - Remove unused SecurityExceptionType - Add missing constructor for InnerException - Add missing documentation 2020-04-13 10:13:48 -07:00			`throw new SecurityException("User account has been disabled.");`
enable user device access 2014-12-29 13:18:48 -07:00			`}`

Initial migration code 2020-05-12 19:10:35 -07:00			`if (!user.HasPermission(PermissionKind.EnableRemoteAccess) && !_networkManager.IsInLocalNetwork(request.RemoteIp))`
Update to 3.5.2 and .net core 2.1 2018-09-12 10:26:21 -07:00			`{`
Clean up SecurityException - Remove unused SecurityExceptionType - Add missing constructor for InnerException - Add missing documentation 2020-04-13 10:13:48 -07:00			`throw new SecurityException("User account has been disabled.");`
Update to 3.5.2 and .net core 2.1 2018-09-12 10:26:21 -07:00			`}`

Initial migration code 2020-05-12 19:10:35 -07:00			`if (!user.HasPermission(PermissionKind.IsAdministrator)`
Fix more issues 2020-05-19 16:05:17 -07:00			`&& !authAttributes.EscapeParentalControl`
Replace custom code with Asp.Net Core code 2019-07-28 14:53:19 -07:00			`&& !user.IsParentalScheduleAllowed())`
enable user device access 2014-12-29 13:18:48 -07:00			`{`
Replace custom code with Asp.Net Core code 2019-07-28 14:53:19 -07:00			`request.Response.Headers.Add("X-Application-Error-Code", "ParentalControl");`
enable user device access 2014-12-29 13:18:48 -07:00
Clean up SecurityException - Remove unused SecurityExceptionType - Add missing constructor for InnerException - Add missing documentation 2020-04-13 10:13:48 -07:00			`throw new SecurityException("This user account is not allowed access at this time.");`
enable user device access 2014-12-29 13:18:48 -07:00			`}`
			`}`

Simplify/remove/clean code * Remove useless runtime check (we only support one) * Remove unused args * Remove a global constant And ofc fix some warnings ;) 2019-03-25 14:25:32 -07:00			`private bool IsExemptFromAuthenticationToken(IAuthenticationAttributes authAttribtues, IRequest request)`
revise endpoint attributes 2014-11-14 19:31:03 -07:00			`{`
update authentication 2016-02-18 11:27:46 -07:00			`if (!_config.Configuration.IsStartupWizardCompleted && authAttribtues.AllowBeforeStartupWizard)`
revise endpoint attributes 2014-11-14 19:31:03 -07:00			`{`
			`return true;`
			`}`

update request classes 2017-09-03 11:38:26 -07:00			`if (authAttribtues.AllowLocal && request.IsLocal)`
			`{`
			`return true;`
			`}`
fix SA1513/SA1516 2020-06-15 14:43:52 -07:00
Update to 3.5.2 and .net core 2.1 2018-09-12 10:26:21 -07:00			`if (authAttribtues.AllowLocalOnly && request.IsLocal)`
			`{`
			`return true;`
			`}`
update request classes 2017-09-03 11:38:26 -07:00
update authentication 2016-02-18 11:27:46 -07:00			`return false;`
revise endpoint attributes 2014-11-14 19:31:03 -07:00			`}`

update request classes 2017-09-03 11:38:26 -07:00			`private bool IsExemptFromRoles(AuthorizationInfo auth, IAuthenticationAttributes authAttribtues, IRequest request, AuthenticationInfo tokenInfo)`
revise endpoint attributes 2014-11-14 19:31:03 -07:00			`{`
update authentication 2016-02-18 11:27:46 -07:00			`if (!_config.Configuration.IsStartupWizardCompleted && authAttribtues.AllowBeforeStartupWizard)`
revise endpoint attributes 2014-11-14 19:31:03 -07:00			`{`
			`return true;`
			`}`

update request classes 2017-09-03 11:38:26 -07:00			`if (authAttribtues.AllowLocal && request.IsLocal)`
			`{`
			`return true;`
			`}`

Update to 3.5.2 and .net core 2.1 2018-09-12 10:26:21 -07:00			`if (authAttribtues.AllowLocalOnly && request.IsLocal)`
			`{`
			`return true;`
			`}`

			`if (string.IsNullOrEmpty(auth.Token))`
fixes #1001 - Support downloading 2015-02-05 22:39:07 -07:00			`{`
			`return true;`
			`}`

Update to 3.5.2 and .net core 2.1 2018-09-12 10:26:21 -07:00			`if (tokenInfo != null && tokenInfo.UserId.Equals(Guid.Empty))`
fixes #1001 - Support downloading 2015-02-05 22:39:07 -07:00			`{`
			`return true;`
			`}`

revise endpoint attributes 2014-11-14 19:31:03 -07:00			`return false;`
			`}`
connect updates 2014-10-28 16:17:55 -07:00
Fix more issues 2020-05-19 16:05:17 -07:00			`private static void ValidateRoles(string[] roles, User user)`
revise endpoint attributes 2014-11-14 19:31:03 -07:00			`{`
set roles on connect endpoints 2014-09-14 10:42:23 -07:00			`if (roles.Contains("admin", StringComparer.OrdinalIgnoreCase))`
			`{`
Initial migration code 2020-05-12 19:10:35 -07:00			`if (user == null \|\| !user.HasPermission(PermissionKind.IsAdministrator))`
set roles on connect endpoints 2014-09-14 10:42:23 -07:00			`{`
Clean up SecurityException - Remove unused SecurityExceptionType - Add missing constructor for InnerException - Add missing documentation 2020-04-13 10:13:48 -07:00			`throw new SecurityException("User does not have admin access.");`
set roles on connect endpoints 2014-09-14 10:42:23 -07:00			`}`
			`}`
Replace custom code with Asp.Net Core code 2019-07-28 14:53:19 -07:00
revise endpoint attributes 2014-11-14 19:31:03 -07:00			`if (roles.Contains("delete", StringComparer.OrdinalIgnoreCase))`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-01 21:57:18 -07:00			`{`
Initial migration code 2020-05-12 19:10:35 -07:00			`if (user == null \|\| !user.HasPermission(PermissionKind.EnableContentDeletion))`
revise endpoint attributes 2014-11-14 19:31:03 -07:00			`{`
Clean up SecurityException - Remove unused SecurityExceptionType - Add missing constructor for InnerException - Add missing documentation 2020-04-13 10:13:48 -07:00			`throw new SecurityException("User does not have delete access.");`
revise endpoint attributes 2014-11-14 19:31:03 -07:00			`}`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-01 21:57:18 -07:00			`}`
Replace custom code with Asp.Net Core code 2019-07-28 14:53:19 -07:00
fixes #1001 - Support downloading 2015-02-05 22:39:07 -07:00			`if (roles.Contains("download", StringComparer.OrdinalIgnoreCase))`
			`{`
Initial migration code 2020-05-12 19:10:35 -07:00			`if (user == null \|\| !user.HasPermission(PermissionKind.EnableContentDownloading))`
fixes #1001 - Support downloading 2015-02-05 22:39:07 -07:00			`{`
Clean up SecurityException - Remove unused SecurityExceptionType - Add missing constructor for InnerException - Add missing documentation 2020-04-13 10:13:48 -07:00			`throw new SecurityException("User does not have download access.");`
fixes #1001 - Support downloading 2015-02-05 22:39:07 -07:00			`}`
			`}`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-01 21:57:18 -07:00			`}`

Mayor code cleanup Add ArgumentExceptions now use proper nameof operators. Added exception messages to quite a few ArgumentExceptions. Fixed rethorwing to be proper syntax. Added a ton of null checkes. (This is only a start, there are about 500 places that need proper null handling) Added some TODOs to log certain exceptions. Fix sln again. Fixed all AssemblyInfo's and added proper copyright (where I could find them) We live in current year. Fixed the use of braces. Fixed a ton of properties, and made a fair amount of functions static that should be and can be static. Made more Methods that should be static static. You can now use static to find bad functions! Removed unused variable. And added one more proper XML comment. 2019-01-06 13:50:43 -07:00			`private static AuthenticationInfo GetTokenInfo(IRequest request)`
update dlna profiles 2015-02-06 20:25:23 -07:00			`{`
ReSharper format: conform inline 'out' parameters. 2019-01-13 13:46:33 -07:00			`request.Items.TryGetValue("OriginalAuthenticationInfo", out var info);`
update dlna profiles 2015-02-06 20:25:23 -07:00			`return info as AuthenticationInfo;`
			`}`

update request classes 2017-09-03 11:38:26 -07:00			`private void ValidateSecurityToken(IRequest request, string token)`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-01 21:57:18 -07:00			`{`
Update to 3.5.2 and .net core 2.1 2018-09-12 10:26:21 -07:00			`if (string.IsNullOrEmpty(token))`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-01 21:57:18 -07:00			`{`
Return correct status codes for authentication and authorization errors - Use AuthenticatonException to return 401 - Use SecurityException to return 403 - Update existing throws to throw the correct exception for the circumstance 2020-04-13 10:17:46 -07:00			`throw new AuthenticationException("Access token is required.");`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-01 21:57:18 -07:00			`}`

update dlna profiles 2015-02-06 20:25:23 -07:00			`var info = GetTokenInfo(request);`
revise endpoint attributes 2014-11-14 19:31:03 -07:00
			`if (info == null)`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-01 21:57:18 -07:00			`{`
Return correct status codes for authentication and authorization errors - Use AuthenticatonException to return 401 - Use SecurityException to return 403 - Update existing throws to throw the correct exception for the circumstance 2020-04-13 10:17:46 -07:00			`throw new AuthenticationException("Access token is invalid or expired.");`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-01 21:57:18 -07:00			`}`

fix SA1005 2020-06-14 02:11:11 -07:00			`// if (!string.IsNullOrEmpty(info.UserId))`
revise endpoint attributes 2014-11-14 19:31:03 -07:00			`//{`
			`// var user = _userManager.GetUserById(info.UserId);`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-01 21:57:18 -07:00
revise endpoint attributes 2014-11-14 19:31:03 -07:00			`// if (user == null \|\| user.Configuration.IsDisabled)`
			`// {`
			`// throw new SecurityException("User account has been disabled.");`
			`// }`
			`//}`
fixes #789 - Security Issue: API allows access to any folder of the PC running MediaBrowser 2014-07-01 21:57:18 -07:00			`}`
			`}`
			`}`