Use proper IsApiKey flag

4 years ago · 981f000437
parent d5c226b1c3
commit 981f000437
6 changed files with 45 additions and 13 deletions
--- a/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
+++ b/Emby.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
@ -183,6 +183,12 @@ namespace Emby.Server.Implementations.HttpServer.Security
                        originalAuthenticationInfo.UserName = authInfo.User.Username;
                        updateToken = true;
                    }
+
+                    authInfo.IsApiKey = true;
+                }
+                else
+                {
+                    authInfo.IsApiKey = false;
                }

                if (updateToken)
--- a/Jellyfin.Api/Auth/BaseAuthorizationHandler.cs
+++ b/Jellyfin.Api/Auth/BaseAuthorizationHandler.cs
@ -1,5 +1,4 @@
-using System;
-using System.Security.Claims;
+using System.Security.Claims;
 using Jellyfin.Api.Helpers;
 using Jellyfin.Data.Enums;
 using MediaBrowser.Common.Extensions;
@ -51,6 +50,13 @@ namespace Jellyfin.Api.Auth
            bool localAccessOnly = false,
            bool requiredDownloadPermission = false)
        {
+            // ApiKey is currently global admin, always allow.
+            var isApiKey = ClaimHelpers.GetIsApiKey(claimsPrincipal);
+            if (isApiKey)
+            {
+                return true;
+            }
+
            // Ensure claim has userId.
            var userId = ClaimHelpers.GetUserId(claimsPrincipal);
            if (!userId.HasValue)
@ -58,12 +64,6 @@ namespace Jellyfin.Api.Auth
                return false;
            }

-            // UserId of Guid.Empty means token is an apikey.
-            if (userId.Equals(Guid.Empty))
-            {
-                return true;
-            }
-
            // Ensure userId links to a valid user.
            var user = _userManager.GetUserById(userId.Value);
            if (user == null)
--- a/Jellyfin.Api/Auth/CustomAuthenticationHandler.cs
+++ b/Jellyfin.Api/Auth/CustomAuthenticationHandler.cs
@ -1,4 +1,3 @@
-using System;
 using System.Globalization;
 using System.Security.Authentication;
 using System.Security.Claims;
@ -45,8 +44,7 @@ namespace Jellyfin.Api.Auth
            {
                var authorizationInfo = _authService.Authenticate(Request);
                var role = UserRoles.User;
-                // UserId of Guid.Empty means token is an apikey.
-                if (authorizationInfo.UserId.Equals(Guid.Empty) || authorizationInfo.User.HasPermission(PermissionKind.IsAdministrator))
+                if (authorizationInfo.IsApiKey || authorizationInfo.User.HasPermission(PermissionKind.IsAdministrator))
                {
                    role = UserRoles.Administrator;
                }
@ -61,6 +59,7 @@ namespace Jellyfin.Api.Auth
                    new Claim(InternalClaimTypes.Client, authorizationInfo.Client),
                    new Claim(InternalClaimTypes.Version, authorizationInfo.Version),
                    new Claim(InternalClaimTypes.Token, authorizationInfo.Token),
+                    new Claim(InternalClaimTypes.IsApiKey, authorizationInfo.IsApiKey.ToString(CultureInfo.InvariantCulture))
                };

                var identity = new ClaimsIdentity(claims, Scheme.Name);
--- a/Jellyfin.Api/Constants/InternalClaimTypes.cs
+++ b/Jellyfin.Api/Constants/InternalClaimTypes.cs
@ -34,5 +34,10 @@
        /// Token.
        /// </summary>
        public const string Token = "Jellyfin-Token";
+
+        /// <summary>
+        /// Is Api Key.
+        /// </summary>
+        public const string IsApiKey = "Jellyfin-IsApiKey";
    }
 }
--- a/Jellyfin.Api/Helpers/ClaimHelpers.cs
+++ b/Jellyfin.Api/Helpers/ClaimHelpers.cs
@ -63,6 +63,19 @@ namespace Jellyfin.Api.Helpers
        public static string? GetToken(in ClaimsPrincipal user)
            => GetClaimValue(user, InternalClaimTypes.Token);

+        /// <summary>
+        /// Gets a flag specifying whether the request is using an api key.
+        /// </summary>
+        /// <param name="user">Current claims principal.</param>
+        /// <returns>The flag specifying whether the request is using an api key.</returns>
+        public static bool GetIsApiKey(in ClaimsPrincipal user)
+        {
+            var claimValue = GetClaimValue(user, InternalClaimTypes.IsApiKey);
+            return !string.IsNullOrEmpty(claimValue)
+                   && bool.TryParse(claimValue, out var parsedClaimValue)
+                   && parsedClaimValue;
+        }
+
        private static string? GetClaimValue(in ClaimsPrincipal user, string name)
        {
            return user?.Identities
--- a/MediaBrowser.Controller/Net/AuthorizationInfo.cs
+++ b/MediaBrowser.Controller/Net/AuthorizationInfo.cs
@ -1,10 +1,11 @@
-#pragma warning disable CS1591
-
 using System;
 using Jellyfin.Data.Entities;

 namespace MediaBrowser.Controller.Net
 {
+    /// <summary>
+    /// The request authorization info.
+    /// </summary>
    public class AuthorizationInfo
    {
        /// <summary>
@ -43,6 +44,14 @@ namespace MediaBrowser.Controller.Net
        /// <value>The token.</value>
        public string Token { get; set; }

+        /// <summary>
+        /// Gets or sets a value indicating whether the authorization is from an api key.
+        /// </summary>
+        public bool IsApiKey { get; set; }
+
+        /// <summary>
+        /// Gets or sets the user making the request.
+        /// </summary>
        public User User { get; set; }
    }
 }