Added new configuration params

nikarh · nikarh · commit 3e4140dcfbac · 2023-11-11T14:12:20.000+02:00
- A new configuration param for a custom root CA certificate
- A new configuration param to enable/disable user creation on login
- Fixed build for jellyfin 10.8.0
diff --git a/.prettierrc b/.prettierrc
@@ -0,0 +1,3 @@
+{
+    "singleAttributePerLine": true
+}
diff --git a/Authelia-Auth/Authelia-Auth.csproj b/Authelia-Auth/Authelia-Auth.csproj
@@ -3,8 +3,8 @@
   <PropertyGroup>
     <TargetFramework>net6.0</TargetFramework>
     <RootNamespace>Jellyfin.Plugin.Authelia_Auth</RootNamespace>
-    <AssemblyVersion>1.0.0.0</AssemblyVersion>
-    <FileVersion>1.0.0.0</FileVersion>
+    <AssemblyVersion>1.0.12.0</AssemblyVersion>
+    <FileVersion>1.0.12.0</FileVersion>
     <GenerateDocumentationFile>true</GenerateDocumentationFile>
     <TreatWarningsAsErrors>true</TreatWarningsAsErrors>
     <ProduceReferenceAssemblyInOutDir>true</ProduceReferenceAssemblyInOutDir>
@@ -17,7 +17,7 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="Jellyfin.Controller" Version="10.*-*" />
+    <PackageReference Include="Jellyfin.Controller" Version="10.8.0" />
   </ItemGroup>
 
   <!-- Code Analyzers-->
diff --git a/Authelia-Auth/AutheliaAuthenticationProviderPlugin.cs b/Authelia-Auth/AutheliaAuthenticationProviderPlugin.cs
@@ -1,9 +1,11 @@
 using System;
+using System.Security.Cryptography;
 using System.Threading.Tasks;
 using Jellyfin.Data.Entities;
 using MediaBrowser.Common;
 using MediaBrowser.Controller.Authentication;
 using MediaBrowser.Controller.Library;
+using MediaBrowser.Model.Cryptography;
 using Microsoft.Extensions.Logging;
 
 namespace Jellyfin.Plugin.Authelia_Auth
@@ -13,18 +15,21 @@ namespace Jellyfin.Plugin.Authelia_Auth
     /// </summary>
     public class AutheliaAuthenticationProviderPlugin : IAuthenticationProvider
     {
-        private readonly ILogger<AutheliaAuthenticationProviderPlugin> _logger;
         private readonly IApplicationHost _applicationHost;
+        private readonly ILogger<AutheliaAuthenticationProviderPlugin> _logger;
+        private readonly ICryptoProvider _cryptoProvider;
 
         /// <summary>
         /// Initializes a new instance of the <see cref="AutheliaAuthenticationProviderPlugin"/> class.
         /// </summary>
         /// <param name="applicationHost">Instance of the <see cref="IApplicationHost"/> interface.</param>
         /// <param name="logger">Instance of the <see cref="ILogger{AutheliaAuthenticationProviderPlugin}"/> interface.</param>
-        public AutheliaAuthenticationProviderPlugin(IApplicationHost applicationHost, ILogger<AutheliaAuthenticationProviderPlugin> logger)
+        /// <param name="cryptoProvider">Instance of the <see cref="ILogger{ICryptoProvider}"/> interface.</param>
+        public AutheliaAuthenticationProviderPlugin(IApplicationHost applicationHost, ILogger<AutheliaAuthenticationProviderPlugin> logger, ICryptoProvider cryptoProvider)
         {
             _logger = logger;
             _applicationHost = applicationHost;
+            _cryptoProvider = cryptoProvider;
         }
 
         /// <summary>
@@ -48,18 +53,29 @@ public async Task<ProviderAuthenticationResult> Authenticate(string username, st
         {
             var userManager = _applicationHost.Resolve<IUserManager>();
             var config = AutheliaPlugin.Instance.Configuration;
+
             var auth = await new Authenticator().Authenticate(config, username, password);
 
+            User user = null;
             try
             {
-                userManager.GetUserByName(username);
+                user = userManager.GetUserByName(username);
             }
             catch (Exception e)
             {
                 _logger.LogError("User Manager could not find a user for Authelia User", e);
                 throw new AuthenticationException("Error completing Authelia login. Invalid username or password.");
             }
 
+            if (config.CreateUserIfNotExists && user == null)
+            {
+                _logger.LogInformation("Authelia user doesn't exist, creating...");
+                user = await userManager.CreateUserAsync(username).ConfigureAwait(false);
+
+                user.AuthenticationProviderId = GetType().FullName;
+                user.Password = _cryptoProvider.CreatePasswordHash(Convert.ToBase64String(RandomNumberGenerator.GetBytes(64))).ToString();
+            }
+
             return auth;
         }
 
diff --git a/Authelia-Auth/Authenticator.cs b/Authelia-Auth/Authenticator.cs
@@ -1,12 +1,11 @@
 using System;
-using System.Linq;
 using System.Net;
 using System.Net.Http;
 using System.Net.Http.Json;
+using System.Security.Cryptography.X509Certificates;
 using System.Text;
 using System.Text.Json.Nodes;
 using System.Text.Json.Serialization;
-using System.Text.RegularExpressions;
 using System.Threading.Tasks;
 using Jellyfin.Plugin.Authelia_Auth.Config;
 using MediaBrowser.Controller.Authentication;
@@ -46,8 +45,6 @@ public class UserInfoResponse
     /// </summary>
     public class Authenticator
     {
-        private Regex cookieRe = new Regex("authelia_session=([^;]+);");
-
         /// <summary>
         /// Authenticate user.
         /// </summary>
@@ -59,59 +56,65 @@ public class Authenticator
         public async Task<ProviderAuthenticationResult> Authenticate(PluginConfiguration config, string username, string password)
         {
             var cookieContainer = new CookieContainer();
-            using (var handler = new HttpClientHandler() { CookieContainer = cookieContainer })
-            using (var client = new HttpClient(handler) { BaseAddress = new Uri(config.AutheliaServer) })
+            using var handler = new HttpClientHandler()
             {
-                var jsonBody = new JsonObject();
-                jsonBody.Add("username", username);
-                jsonBody.Add("password", password);
-                jsonBody.Add("targetURL", config.JellyfinUrl);
-                jsonBody.Add("requestMethod", "GET");
-                jsonBody.Add("keepMeLoggedIn", true);
-
-                var session = string.Empty;
-
-                using (var content = new StringContent(jsonBody.ToString(), Encoding.UTF8, "application/json"))
+                CookieContainer = cookieContainer,
+                ServerCertificateCustomValidationCallback = (message, cert, chain, _) =>
                 {
-                    var response = await client.PostAsync("/api/firstfactor", content);
-
-                    if (!response.IsSuccessStatusCode)
+                    if (!string.IsNullOrWhiteSpace(config.AutheliaRootCa))
                     {
-                        throw new AuthenticationException("Invalid username or password.");
+                        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust;
+                        chain.ChainPolicy.CustomTrustStore.ImportFromPem(config.AutheliaRootCa);
                     }
 
-                    var setCookie = response.Headers.GetValues("Set-Cookie").FirstOrDefault(string.Empty);
-                    session = cookieRe.Match(setCookie).Groups[1].Value;
+                    return chain.Build(cert);
                 }
+            };
+            using var client = new HttpClient(handler) { BaseAddress = new Uri(config.AutheliaServer) };
 
-                // Allow using internal authelia url instead of proxied
-                cookieContainer.Add(new Uri(config.AutheliaServer), new Cookie("authelia_session", session));
+            var jsonBody = new JsonObject
+                {
+                    { "username", username },
+                    { "password", password },
+                    { "targetURL", config.JellyfinUrl },
+                    { "requestMethod", "GET" },
+                    { "keepMeLoggedIn", true }
+                };
 
-                using (var request = new HttpRequestMessage(HttpMethod.Get, "/api/verify"))
+            using (var content = new StringContent(jsonBody.ToString(), Encoding.UTF8, "application/json"))
+            {
+                var response = await client.PostAsync("/api/firstfactor", content);
+
+                if (!response.IsSuccessStatusCode)
                 {
-                    request.Headers.Add("X-Original-Url", config.JellyfinUrl);
-                    request.Headers.Add("X-Forwarded-Method", "GET");
-                    var accessResponse = await client.SendAsync(request);
-                    if (!accessResponse.IsSuccessStatusCode)
-                    {
-                        throw new AuthenticationException("User doesn't have access to this service.");
-                    }
+                    throw new AuthenticationException("Invalid username or password.");
                 }
+            }
 
-                try
+            using (var request = new HttpRequestMessage(HttpMethod.Get, "/api/verify"))
+            {
+                request.Headers.Add("X-Original-Url", config.JellyfinUrl);
+                request.Headers.Add("X-Forwarded-Method", "GET");
+                var accessResponse = await client.SendAsync(request);
+                if (!accessResponse.IsSuccessStatusCode)
                 {
-                    var userInfoResponse = await client.GetFromJsonAsync<UserInfoResponse>("/api/user/info");
-
-                    return new ProviderAuthenticationResult
-                    {
-                        Username = username,
-                        DisplayName = userInfoResponse.Data.DisplayName,
-                    };
+                    throw new AuthenticationException("User doesn't have access to this service.");
                 }
-                catch
+            }
+
+            try
+            {
+                var userInfoResponse = await client.GetFromJsonAsync<UserInfoResponse>("/api/user/info");
+
+                return new ProviderAuthenticationResult
                 {
-                    throw new AuthenticationException("Invalid username or password.");
-                }
+                    Username = username,
+                    DisplayName = userInfoResponse.Data.DisplayName,
+                };
+            }
+            catch
+            {
+                throw new AuthenticationException("Invalid username or password.");
             }
         }
     }
diff --git a/Authelia-Auth/Config/PluginConfiguration.cs b/Authelia-Auth/Config/PluginConfiguration.cs
@@ -14,13 +14,25 @@ public PluginConfiguration()
         {
             AutheliaServer = "http://authelia";
             JellyfinUrl = "http://jellyfin";
+            AutheliaRootCa = string.Empty;
+            CreateUserIfNotExists = true;
         }
 
         /// <summary>
         /// Gets or sets the Authelia server address.
         /// </summary>
         public string AutheliaServer { get; set; }
 
+        /// <summary>
+        /// Gets or sets the Authelia root CA certificate.
+        /// </summary>
+        public string AutheliaRootCa { get; set; }
+
+        /// <summary>
+        /// Gets or sets a value indicating whether a user will be created on successful authentication if it does not exist in Jellyfin.
+        /// </summary>
+        public bool CreateUserIfNotExists { get; set; }
+
         /// <summary>
         /// Gets or sets the jellyfin URL.
         /// </summary>
diff --git a/Authelia-Auth/Config/configPage.html b/Authelia-Auth/Config/configPage.html
diff --git a/build.yaml b/build.yaml

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+{`
	`2`	`+ "singleAttributePerLine": true`
	`3`	`+}`