New: Rework and Require Authentication

Co-Authored-By: Mark McDowall <markus101@users.noreply.github.com>
2026-04-17 21:26:22 -04:00 · 2022-07-11 22:12:57 -05:00
parent 1e6540a419
commit 8911386ed0
20 changed files with 428 additions and 16 deletions
--- a/src/Radarr.Http/Authentication/AuthenticationBuilderExtensions.cs
+++ b/src/Radarr.Http/Authentication/AuthenticationBuilderExtensions.cs
@@ -22,10 +22,16 @@ namespace Radarr.Http.Authentication
            return authenticationBuilder.AddScheme<AuthenticationSchemeOptions, NoAuthenticationHandler>(name, options => { });
        }

+        public static AuthenticationBuilder AddExternal(this AuthenticationBuilder authenticationBuilder, string name)
+        {
+            return authenticationBuilder.AddScheme<AuthenticationSchemeOptions, NoAuthenticationHandler>(name, options => { });
+        }
+
        public static AuthenticationBuilder AddAppAuthentication(this IServiceCollection services)
        {
            return services.AddAuthentication()
                .AddNone(AuthenticationType.None.ToString())
+                .AddExternal(AuthenticationType.External.ToString())
                .AddBasic(AuthenticationType.Basic.ToString())
                .AddCookie(AuthenticationType.Forms.ToString(), options =>
                {
@@ -33,6 +39,7 @@ namespace Radarr.Http.Authentication
                    options.AccessDeniedPath = "/login?loginFailed=true";
                    options.LoginPath = "/login";
                    options.ExpireTimeSpan = TimeSpan.FromDays(7);
+                    options.SlidingExpiration = true;
                })
                .AddApiKey("API", options =>
                {
--- a/src/Radarr.Http/Authentication/AuthenticationService.cs
+++ b/src/Radarr.Http/Authentication/AuthenticationService.cs
@@ -15,17 +15,14 @@ namespace Radarr.Http.Authentication

    public class AuthenticationService : IAuthenticationService
    {
-        private const string AnonymousUser = "Anonymous";
        private static readonly Logger _authLogger = LogManager.GetLogger("Auth");
        private readonly IUserService _userService;

-        private static string API_KEY;
        private static AuthenticationType AUTH_METHOD;

        public AuthenticationService(IConfigFileProvider configFileProvider, IUserService userService)
        {
            _userService = userService;
-            API_KEY = configFileProvider.ApiKey;
            AUTH_METHOD = configFileProvider.AuthenticationMethod;
        }

--- a/src/Radarr.Http/Authentication/BypassableDenyAnonymousAuthorizationRequirement.cs
+++ b/src/Radarr.Http/Authentication/BypassableDenyAnonymousAuthorizationRequirement.cs
@@ -0,0 +1,8 @@
+using Microsoft.AspNetCore.Authorization.Infrastructure;
+
+namespace NzbDrone.Http.Authentication
+{
+    public class BypassableDenyAnonymousAuthorizationRequirement : DenyAnonymousAuthorizationRequirement
+    {
+    }
+}
--- a/src/Radarr.Http/Authentication/UiAuthorizationHandler.cs
+++ b/src/Radarr.Http/Authentication/UiAuthorizationHandler.cs
@@ -0,0 +1,45 @@
+using System.Net;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Http;
+using NzbDrone.Common.Extensions;
+using NzbDrone.Core.Authentication;
+using NzbDrone.Core.Configuration;
+using NzbDrone.Core.Configuration.Events;
+using NzbDrone.Core.Messaging.Events;
+using Radarr.Http.Extensions;
+
+namespace NzbDrone.Http.Authentication
+{
+    public class UiAuthorizationHandler : AuthorizationHandler<BypassableDenyAnonymousAuthorizationRequirement>, IAuthorizationRequirement, IHandle<ConfigSavedEvent>
+    {
+        private readonly IConfigFileProvider _configService;
+        private static AuthenticationRequiredType _authenticationRequired;
+
+        public UiAuthorizationHandler(IConfigFileProvider configService)
+        {
+            _configService = configService;
+            _authenticationRequired = configService.AuthenticationRequired;
+        }
+
+        protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, BypassableDenyAnonymousAuthorizationRequirement requirement)
+        {
+            if (_authenticationRequired == AuthenticationRequiredType.DisabledForLocalAddresses)
+            {
+                if (context.Resource is HttpContext httpContext &&
+                    IPAddress.TryParse(httpContext.GetRemoteIP(), out var ipAddress) &&
+                    ipAddress.IsLocalAddress())
+                {
+                    context.Succeed(requirement);
+                }
+            }
+
+            return Task.CompletedTask;
+        }
+
+        public void Handle(ConfigSavedEvent message)
+        {
+            _authenticationRequired = _configService.AuthenticationRequired;
+        }
+    }
+}
--- a/src/Radarr.Http/Authentication/UiAuthorizationPolicyProvider.cs
+++ b/src/Radarr.Http/Authentication/UiAuthorizationPolicyProvider.cs
@@ -29,7 +29,8 @@ namespace NzbDrone.Http.Authentication
            if (policyName.Equals(POLICY_NAME, StringComparison.OrdinalIgnoreCase))
            {
                var policy = new AuthorizationPolicyBuilder(_config.AuthenticationMethod.ToString())
-                    .RequireAuthenticatedUser();
+                    .AddRequirements(new BypassableDenyAnonymousAuthorizationRequirement());
+
                return Task.FromResult(policy.Build());
            }