cotugno/jellyfin
2
Fork 0
mirror of https://github.com/jellyfin/jellyfin.git synced 2024-11-15 09:59:06 -07:00
Code Issues Packages Projects Releases Wiki Activity
1be18114a9
jellyfin/Jellyfin.Server.Implementations/Users/DefaultAuthenticationProvider.cs
Bond_009 e69e097e19 Increase password hash iterations 
It has been a while since this was last updated: https://github.com/jellyfin/jellyfin/pull/6818
Recommendations have changed since: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2
2024-08-30 19:29:23 +02:00

116 lines
4.3 KiB
C#
Raw Blame History

using System;
using System.Diagnostics.CodeAnalysis;
using System.Globalization;
using System.Threading.Tasks;
using Jellyfin.Data.Entities;
using MediaBrowser.Controller.Authentication;
using MediaBrowser.Model.Cryptography;
using Microsoft.Extensions.Logging;
namespace Jellyfin.Server.Implementations.Users
{
/// <summary>
/// The default authentication provider.
/// </summary>
public class DefaultAuthenticationProvider : IAuthenticationProvider, IRequiresResolvedUser
{
private readonly ILogger<DefaultAuthenticationProvider> _logger;
private readonly ICryptoProvider _cryptographyProvider;
/// <summary>
/// Initializes a new instance of the <see cref="DefaultAuthenticationProvider"/> class.
/// </summary>
/// <param name="logger">The logger.</param>
/// <param name="cryptographyProvider">The cryptography provider.</param>
public DefaultAuthenticationProvider(ILogger<DefaultAuthenticationProvider> logger, ICryptoProvider cryptographyProvider)
{
_logger = logger;
_cryptographyProvider = cryptographyProvider;
}
/// <inheritdoc />
public string Name => "Default";
/// <inheritdoc />
public bool IsEnabled => true;
/// <inheritdoc />
// This is dumb and an artifact of the backwards way auth providers were designed.
// This version of authenticate was never meant to be called, but needs to be here for interface compat
// Only the providers that don't provide local user support use this
public Task<ProviderAuthenticationResult> Authenticate(string username, string password)
{
throw new NotImplementedException();
}
/// <inheritdoc />
// This is the version that we need to use for local users. Because reasons.
public Task<ProviderAuthenticationResult> Authenticate(string username, string password, User? resolvedUser)
{
[DoesNotReturn]
static void ThrowAuthenticationException()
{
throw new AuthenticationException("Invalid username or password");
}
if (resolvedUser is null)
{
ThrowAuthenticationException();
}
// As long as jellyfin supports password-less users, we need this little block here to accommodate
if (!HasPassword(resolvedUser) && string.IsNullOrEmpty(password))
{
return Task.FromResult(new ProviderAuthenticationResult
{
Username = username
});
}
// Handle the case when the stored password is null, but the user tried to login with a password
if (resolvedUser.Password is null)
{
ThrowAuthenticationException();
}
PasswordHash readyHash = PasswordHash.Parse(resolvedUser.Password);
if (!_cryptographyProvider.Verify(readyHash, password))
{
ThrowAuthenticationException();
}
// Migrate old hashes to the new default
if (!string.Equals(readyHash.Id, _cryptographyProvider.DefaultHashMethod, StringComparison.Ordinal)
|| int.Parse(readyHash.Parameters["iterations"], CultureInfo.InvariantCulture) != Constants.DefaultIterations)
{
_logger.LogInformation("Migrating password hash of {User} to the latest default", username);
ChangePassword(resolvedUser, password);
}
return Task.FromResult(new ProviderAuthenticationResult
{
Username = username
});
}
/// <inheritdoc />
public bool HasPassword(User user)
=> !string.IsNullOrEmpty(user?.Password);
/// <inheritdoc />
public Task ChangePassword(User user, string newPassword)
{
if (string.IsNullOrEmpty(newPassword))
{
user.Password = null;
return Task.CompletedTask;
}
PasswordHash newPasswordHash = _cryptographyProvider.CreatePasswordHash(newPassword);
user.Password = newPasswordHash.ToString();
return Task.CompletedTask;
}
}
}
Reference in New Issue View Git Blame Copy Permalink