From c5b12d074eb30f4305c243ba98d1ae89f145ae68 Mon Sep 17 00:00:00 2001
From: ta264
Date: Sun, 19 Jun 2022 10:29:29 +0100
Subject: [PATCH] Add explicit ApiKey requirement for ApiKey auth
(cherry picked from commit 8a3a998243e888e8f27c609f4bace5b42ad7ec50)
---
 src/NzbDrone.Host/Startup.cs | 7 ++-----
 .../Authentication/ApiKeyRequirement.cs | 20 +++++++++++++++++++
 2 files changed, 22 insertions(+), 5 deletions(-)
 create mode 100644 src/Radarr.Http/Authentication/ApiKeyRequirement.cs
diff --git a/src/NzbDrone.Host/Startup.cs b/src/NzbDrone.Host/Startup.cs
index 8b62d1ac5f..5b8aed0587 100644
--- a/src/NzbDrone.Host/Startup.cs
+++ b/src/NzbDrone.Host/Startup.cs
@@ -177,20 +177,17 @@ namespace NzbDrone.Host
 services.AddDataProtection()
 .PersistKeysToFileSystem(new DirectoryInfo(Configuration["dataProtectionFolder"]));
- services.AddSingleton();
- services.AddSingleton();
-
 services.AddAuthorization(options =>
 {
 options.AddPolicy("SignalR", policy =>
 {
 policy.AuthenticationSchemes.Add("SignalR");
- policy.RequireAuthenticatedUser();
+ policy.Requirements.Add(new ApiKeyRequirement());
 });
 // Require auth on everything except those marked [AllowAnonymous]
 options.FallbackPolicy = new AuthorizationPolicyBuilder("API")
- .RequireAuthenticatedUser()
+ .AddRequirements(new ApiKeyRequirement())
 .Build();
 });
diff --git a/src/Radarr.Http/Authentication/ApiKeyRequirement.cs b/src/Radarr.Http/Authentication/ApiKeyRequirement.cs
new file mode 100644
index 0000000000..abe096ce93
--- /dev/null
+++ b/src/Radarr.Http/Authentication/ApiKeyRequirement.cs
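Review bot: The new `ApiKeyRequirement` is attached to the "SignalR" policy and to `options.FallbackPolicy`, but nothing in this `AddAuthorization` lambda sets `options.DefaultPolicy`, which is the policy ASP.NET Core applies to a bare `[Authorize]` attribute. If any controller or hub carries `[Authorize]` without a policy name, it would still be gated only by the framework default (an authenticated user) and not by the ApiKey claim; whether such endpoints exist is not visible in this hunk. Consider assigning the same policy to both, e.g. `options.DefaultPolicy = options.FallbackPolicy;` after the builder call, or add a comment stating that no endpoint relies on a bare `[Authorize]`.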
@@ -0,0 +1,20 @@
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authorization;
+
+namespace NzbDrone.Http.Authentication
+{
+ public class ApiKeyRequirement : AuthorizationHandler, IAuthorizationRequirement
+ {
+ protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, ApiKeyRequirement requirement)
+ {
+ var apiKeyClaim = context.User.FindFirst(c => c.Type == "ApiKey");
+
+ if (apiKeyClaim != null)
+ {
+ context.Succeed(requirement);
+ }
+
+ return Task.CompletedTask;
+ }
+ }
+}
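Review bot: `HandleRequirementAsync` grants access on the mere presence of a claim whose type is the literal `"ApiKey"`; the claim's value and issuer are not checked, and with `RequireAuthenticatedUser()` dropped from both policies in Startup.cs this string match is now the whole authorization decision. The code that issues the claim is outside this patch, so the literal can drift from it silently; a shared constant such as `public const string ClaimType = "ApiKey";`, used here and by the issuing handler, would tie the two together. I would also add an XML summary stating the contract: `/// <summary>Succeeds only when the principal carries the ApiKey claim; any authentication handler that adds this claim grants access to every endpoint under the fallback policy.</summary>`. The class could be declared `sealed`, since it acts as both requirement and handler and nothing here suggests it is meant to be inherited.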