#pragma warning disable CS1591 using System; using System.Collections.Generic; using System.Linq; using System.Net; using System.Threading.Tasks; using MediaBrowser.Controller.Library; using MediaBrowser.Controller.Net; using Microsoft.AspNetCore.Http; using Microsoft.Net.Http.Headers; namespace Jellyfin.Server.Implementations.Security { public class AuthorizationContext : IAuthorizationContext { private readonly JellyfinDb _jellyfinDb; private readonly IUserManager _userManager; public AuthorizationContext(JellyfinDb jellyfinDb, IUserManager userManager) { _jellyfinDb = jellyfinDb; _userManager = userManager; } public Task GetAuthorizationInfo(HttpContext requestContext) { if (requestContext.Request.HttpContext.Items.TryGetValue("AuthorizationInfo", out var cached) && cached != null) { return Task.FromResult((AuthorizationInfo)cached); } return GetAuthorization(requestContext); } public async Task GetAuthorizationInfo(HttpRequest requestContext) { var auth = GetAuthorizationDictionary(requestContext); var authInfo = await GetAuthorizationInfoFromDictionary(auth, requestContext.Headers, requestContext.Query).ConfigureAwait(false); return authInfo; } /// /// Gets the authorization. /// /// The HTTP req. /// Dictionary{System.StringSystem.String}. private async Task GetAuthorization(HttpContext httpReq) { var auth = GetAuthorizationDictionary(httpReq); var authInfo = await GetAuthorizationInfoFromDictionary(auth, httpReq.Request.Headers, httpReq.Request.Query).ConfigureAwait(false); httpReq.Request.HttpContext.Items["AuthorizationInfo"] = authInfo; return authInfo; } private async Task GetAuthorizationInfoFromDictionary( IReadOnlyDictionary? auth, IHeaderDictionary headers, IQueryCollection queryString) { string? deviceId = null; string? deviceName = null; string? client = null; string? version = null; string? token = null; if (auth != null) { auth.TryGetValue("DeviceId", out deviceId); auth.TryGetValue("Device", out deviceName); auth.TryGetValue("Client", out client); auth.TryGetValue("Version", out version); auth.TryGetValue("Token", out token); } #pragma warning disable CA1508 // headers can return StringValues.Empty if (string.IsNullOrEmpty(token)) { token = headers["X-Emby-Token"]; } if (string.IsNullOrEmpty(token)) { token = headers["X-MediaBrowser-Token"]; } if (string.IsNullOrEmpty(token)) { token = queryString["ApiKey"]; } // TODO deprecate this query parameter. if (string.IsNullOrEmpty(token)) { token = queryString["api_key"]; } var authInfo = new AuthorizationInfo { Client = client, Device = deviceName, DeviceId = deviceId, Version = version, Token = token, IsAuthenticated = false, HasToken = false }; if (string.IsNullOrWhiteSpace(token)) { // Request doesn't contain a token. return authInfo; } #pragma warning restore CA1508 authInfo.HasToken = true; var device = await _jellyfinDb.Devices.FirstOrDefaultAsync(d => d.AccessToken == token).ConfigureAwait(false); if (device != null) { authInfo.IsAuthenticated = true; } if (device != null) { var updateToken = false; // TODO: Remove these checks for IsNullOrWhiteSpace if (string.IsNullOrWhiteSpace(authInfo.Client)) { authInfo.Client = device.AppName; } if (string.IsNullOrWhiteSpace(authInfo.DeviceId)) { authInfo.DeviceId = device.DeviceId; } // Temporary. TODO - allow clients to specify that the token has been shared with a casting device var allowTokenInfoUpdate = !authInfo.Client.Contains("chromecast", StringComparison.OrdinalIgnoreCase); if (string.IsNullOrWhiteSpace(authInfo.Device)) { authInfo.Device = device.DeviceName; } else if (!string.Equals(authInfo.Device, device.DeviceName, StringComparison.OrdinalIgnoreCase)) { if (allowTokenInfoUpdate) { updateToken = true; device.DeviceName = authInfo.Device; } } if (string.IsNullOrWhiteSpace(authInfo.Version)) { authInfo.Version = device.AppVersion; } else if (!string.Equals(authInfo.Version, device.AppVersion, StringComparison.OrdinalIgnoreCase)) { if (allowTokenInfoUpdate) { updateToken = true; device.AppVersion = authInfo.Version; } } if ((DateTime.UtcNow - device.DateLastActivity).TotalMinutes > 3) { device.DateLastActivity = DateTime.UtcNow; updateToken = true; } if (!device.UserId.Equals(Guid.Empty)) { authInfo.User = _userManager.GetUserById(device.UserId); authInfo.IsApiKey = false; } else { authInfo.IsApiKey = true; } if (updateToken) { _jellyfinDb.Devices.Update(device); await _jellyfinDb.SaveChangesAsync().ConfigureAwait(false); } } return authInfo; } /// /// Gets the auth. /// /// The HTTP req. /// Dictionary{System.StringSystem.String}. private Dictionary? GetAuthorizationDictionary(HttpContext httpReq) { var auth = httpReq.Request.Headers["X-Emby-Authorization"]; if (string.IsNullOrEmpty(auth)) { auth = httpReq.Request.Headers[HeaderNames.Authorization]; } return GetAuthorization(auth); } /// /// Gets the auth. /// /// The HTTP req. /// Dictionary{System.StringSystem.String}. private Dictionary? GetAuthorizationDictionary(HttpRequest httpReq) { var auth = httpReq.Headers["X-Emby-Authorization"]; if (string.IsNullOrEmpty(auth)) { auth = httpReq.Headers[HeaderNames.Authorization]; } return GetAuthorization(auth); } /// /// Gets the authorization. /// /// The authorization header. /// Dictionary{System.StringSystem.String}. private Dictionary? GetAuthorization(string? authorizationHeader) { if (authorizationHeader == null) { return null; } var parts = authorizationHeader.Split(' ', 2); // There should be at least to parts if (parts.Length != 2) { return null; } var acceptedNames = new[] { "MediaBrowser", "Emby" }; // It has to be a digest request if (!acceptedNames.Contains(parts[0], StringComparer.OrdinalIgnoreCase)) { return null; } // Remove uptil the first space authorizationHeader = parts[1]; parts = authorizationHeader.Split(','); var result = new Dictionary(StringComparer.OrdinalIgnoreCase); foreach (var item in parts) { var param = item.Trim().Split('=', 2); if (param.Length == 2) { var value = NormalizeValue(param[1].Trim('"')); result[param[0]] = value; } } return result; } private static string NormalizeValue(string value) { return string.IsNullOrEmpty(value) ? value : WebUtility.HtmlEncode(value); } } }