Allow apikey to authenticate as admin

This commit is contained in:
crobibero 2020-10-14 17:58:33 -06:00
parent 8ffa14e6d3
commit 39924f9992
4 changed files with 77 additions and 73 deletions

View File

@ -19,12 +19,7 @@ namespace Emby.Server.Implementations.HttpServer.Security
public AuthorizationInfo Authenticate(HttpRequest request)
{
var auth = _authorizationContext.GetAuthorizationInfo(request);
if (auth?.User == null)
{
return null;
}
if (auth.User.HasPermission(PermissionKind.IsDisabled))
if (auth.User?.HasPermission(PermissionKind.IsDisabled) ?? false)
{
throw new SecurityException("User account has been disabled.");
}

View File

@ -111,15 +111,18 @@ namespace Emby.Server.Implementations.HttpServer.Security
Token = token
};
AuthenticationInfo originalAuthenticationInfo = null;
if (!string.IsNullOrWhiteSpace(token))
if (string.IsNullOrWhiteSpace(token))
{
// Request doesn't contain a token.
throw new SecurityException("Unauthorized.");
}
var result = _authRepo.Get(new AuthenticationInfoQuery
{
AccessToken = token
});
originalAuthenticationInfo = result.Items.Count > 0 ? result.Items[0] : null;
var originalAuthenticationInfo = result.Items.Count > 0 ? result.Items[0] : null;
if (originalAuthenticationInfo != null)
{
@ -187,7 +190,6 @@ namespace Emby.Server.Implementations.HttpServer.Security
_authRepo.Update(originalAuthenticationInfo);
}
}
}
return (authInfo, originalAuthenticationInfo);
}

View File

@ -1,4 +1,5 @@
using System.Security.Claims;
using System;
using System.Security.Claims;
using Jellyfin.Api.Helpers;
using Jellyfin.Data.Enums;
using MediaBrowser.Common.Extensions;
@ -57,6 +58,12 @@ namespace Jellyfin.Api.Auth
return false;
}
// UserId of Guid.Empty means token is an apikey.
if (userId.Equals(Guid.Empty))
{
return true;
}
// Ensure userId links to a valid user.
var user = _userManager.GetUserById(userId.Value);
if (user == null)

View File

@ -1,3 +1,4 @@
using System;
using System.Globalization;
using System.Security.Authentication;
using System.Security.Claims;
@ -43,18 +44,17 @@ namespace Jellyfin.Api.Auth
try
{
var authorizationInfo = _authService.Authenticate(Request);
if (authorizationInfo == null)
var role = UserRoles.User;
// UserId of Guid.Empty means token is an apikey.
if (authorizationInfo.UserId.Equals(Guid.Empty) || authorizationInfo.User.HasPermission(PermissionKind.IsAdministrator))
{
return Task.FromResult(AuthenticateResult.NoResult());
// TODO return when legacy API is removed.
// Don't spam the log with "Invalid User"
// return Task.FromResult(AuthenticateResult.Fail("Invalid user"));
role = UserRoles.Administrator;
}
var claims = new[]
{
new Claim(ClaimTypes.Name, authorizationInfo.User.Username),
new Claim(ClaimTypes.Role, authorizationInfo.User.HasPermission(PermissionKind.IsAdministrator) ? UserRoles.Administrator : UserRoles.User),
new Claim(ClaimTypes.Name, authorizationInfo.User?.Username ?? string.Empty),
new Claim(ClaimTypes.Role, role),
new Claim(InternalClaimTypes.UserId, authorizationInfo.UserId.ToString("N", CultureInfo.InvariantCulture)),
new Claim(InternalClaimTypes.DeviceId, authorizationInfo.DeviceId),
new Claim(InternalClaimTypes.Device, authorizationInfo.Device),