Merge pull request #2329 from sky1045/feature/jwt

Introduce JWT Authentication for GraphQL(Optional)

NineChronicles.Headless.Executable/appsettings.json

@@ -128,5 +128,10 @@
         "ManagementTimeMinutes": 60,
         "TxIntervalMinutes": 60,
         "ThresholdCount": 29
+    },
+    "Jwt": {
+        "EnableJwtAuthentication": false,
+        "Key": "secretKey",
+        "Issuer": "planetariumhq.com"
     }
 }

NineChronicles.Headless/GraphQLService.cs

@@ -13,7 +13,6 @@
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Hosting;
-using Microsoft.Extensions.Options;
 using NineChronicles.Headless.GraphTypes;
 using NineChronicles.Headless.Middleware;
 using NineChronicles.Headless.Properties;
@@ -25,6 +24,8 @@ public class GraphQLService
     {
         public const string LocalPolicyKey = "LocalPolicy";
 
+        public const string JwtPolicyKey = "JwtPolicy";
+
         public const string NoCorsPolicyName = "AllowAllOrigins";
 
         public const string SecretTokenKey = "secret";
@@ -129,6 +130,13 @@ public void ConfigureServices(IServiceCollection services)
                     services.Configure<MultiAccountManagerProperties>(Configuration.GetSection("MultiAccountManaging"));
                 }
 
+                var jwtOptions = Configuration.GetSection("Jwt");
+                if (Convert.ToBoolean(jwtOptions["EnableJwtAuthentication"]))
+                {
+                    services.Configure<JwtOptions>(jwtOptions);
+                    services.AddTransient<JwtAuthenticationMiddleware>();
+                }
+
                 if (!(Configuration[NoCorsKey] is null))
                 {
                     services.AddCors(
@@ -161,12 +169,19 @@ public void ConfigureServices(IServiceCollection services)
                     .AddLibplanetExplorer()
                     .AddUserContextBuilder<UserContextBuilder>()
                     .AddGraphQLAuthorization(
-                        options => options.AddPolicy(
-                            LocalPolicyKey,
-                            p =>
-                                p.RequireClaim(
-                                    "role",
-                                    "Admin")));
+                        options =>
+                        {
+                            options.AddPolicy(
+                                LocalPolicyKey,
+                                p =>
+                                    p.RequireClaim(
+                                        "role",
+                                        "Admin"));
+                            options.AddPolicy(
+                                JwtPolicyKey,
+                                p =>
+                                    p.RequireClaim("iss", jwtOptions["Issuer"]));
+                        });
                 services.AddGraphTypes();
             }
 
@@ -190,6 +205,11 @@ public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
                 app.UseMiddleware<HttpCaptureMiddleware>();
 
                 app.UseMiddleware<LocalAuthenticationMiddleware>();
+                if (Convert.ToBoolean(Configuration.GetSection("Jwt")["EnableJwtAuthentication"]))
+                {
+                    app.UseMiddleware<JwtAuthenticationMiddleware>();
+                }
+
                 if (Configuration[NoCorsKey] is null)
                 {
                     app.UseCors();

NineChronicles.Headless/GraphTypes/StandaloneMutation.cs

@@ -28,6 +28,10 @@ IConfiguration configuration
             {
                 this.AuthorizeWith(GraphQLService.LocalPolicyKey);
             }
+            else if (Convert.ToBoolean(configuration.GetSection("Jwt")["EnableJwtAuthentication"]))
+            {
+                this.AuthorizeWith(GraphQLService.JwtPolicyKey);
+            }
 
             Field<KeyStoreMutation>(
                 name: "keyStore",

NineChronicles.Headless/GraphTypes/StandaloneQuery.cs

@@ -31,6 +31,10 @@ public class StandaloneQuery : ObjectGraphType
         public StandaloneQuery(StandaloneContext standaloneContext, IConfiguration configuration, ActionEvaluationPublisher publisher, StateMemoryCache stateMemoryCache)
         {
             bool useSecretToken = configuration[GraphQLService.SecretTokenKey] is { };
+            if (Convert.ToBoolean(configuration.GetSection("Jwt")["EnableJwtAuthentication"]))
+            {
+                this.AuthorizeWith(GraphQLService.JwtPolicyKey);
+            }
 
             Field<NonNullGraphType<StateQuery>>(name: "stateQuery", arguments: new QueryArguments(
                 new QueryArgument<ByteStringType>

NineChronicles.Headless/GraphTypes/StandaloneSubscription.cs

@@ -26,6 +26,7 @@
 using Libplanet.Blockchain;
 using Libplanet.Store;
 using Libplanet.Types.Tx;
+using Microsoft.Extensions.Configuration;
 using Serilog;
 
 namespace NineChronicles.Headless.GraphTypes
@@ -129,9 +130,17 @@ public PreloadStateType()
 
         private StandaloneContext StandaloneContext { get; }
 
-        public StandaloneSubscription(StandaloneContext standaloneContext)
+        private IConfiguration Configuration { get; }
+
+        public StandaloneSubscription(StandaloneContext standaloneContext, IConfiguration configuration)
         {
             StandaloneContext = standaloneContext;
+            Configuration = configuration;
+            if (Convert.ToBoolean(configuration.GetSection("Jwt")["EnableJwtAuthentication"]))
+            {
+                this.AuthorizeWith(GraphQLService.JwtPolicyKey);
+            }
+
             AddField(new EventStreamFieldType
             {
                 Name = "tipChanged",

NineChronicles.Headless/Middleware/JwtAuthenticationMiddleware.cs

@@ -0,0 +1,85 @@
+using System;
+using System.IdentityModel.Tokens.Jwt;
+using System.Linq;
+using System.Security.Claims;
+using System.Text;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Http;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.Primitives;
+using Microsoft.IdentityModel.Tokens;
+using Newtonsoft.Json;
+using Serilog;
+
+namespace NineChronicles.Headless.Middleware;
+
+public class JwtAuthenticationMiddleware : IMiddleware
+{
+    private readonly ILogger _logger;
+    private readonly JwtSecurityTokenHandler _tokenHandler = new JwtSecurityTokenHandler();
+    private readonly TokenValidationParameters _validationParams;
+
+    public JwtAuthenticationMiddleware(IConfiguration configuration)
+    {
+        _logger = Log.Logger.ForContext<JwtAuthenticationMiddleware>();
+        var jwtConfig = configuration.GetSection("Jwt");
+        var issuer = jwtConfig["Issuer"] ?? "";
+        var key = jwtConfig["Key"] ?? "";
+        _validationParams = new TokenValidationParameters
+        {
+            ValidateIssuer = true,
+            ValidateAudience = false,
+            ValidateLifetime = true,
+            ValidateIssuerSigningKey = true,
+            ValidIssuer = issuer,
+            IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(key.PadRight(512 / 8, '\0')))
+        };
+    }
+
+    public async Task InvokeAsync(HttpContext context, RequestDelegate next)
+    {
+        context.Request.Headers.TryGetValue("Authorization", out var authorization);
+        if (authorization.Count > 0)
+        {
+            try
+            {
+                var (scheme, token) = ExtractSchemeAndToken(authorization);
+                if (scheme == "Bearer")
+                {
+                    ValidateTokenAndAddClaims(context, token);
+                }
+            }
+            catch (Exception e)
+            {
+                _logger.Error($"Authorization error {e.Message}");
+                context.Response.StatusCode = 401;
+                context.Response.ContentType = "application/json";
+                await context.Response.WriteAsync(
+                    JsonConvert.SerializeObject(
+                        new { errpr = e.Message }
+                        ));
+                return;
+            }
+        }
+        await next(context);
+    }
+
+    private (string scheme, string token) ExtractSchemeAndToken(StringValues authorizationHeader)
+    {
+        var headerValues = authorizationHeader[0].Split(" ");
+        if (headerValues.Length < 2)
+        {
+            throw new ArgumentException("Invalid Authorization header format.");
+        }
+
+        return (headerValues[0], headerValues[1]);
+    }
+
+    private void ValidateTokenAndAddClaims(HttpContext context, string token)
+    {
+        _tokenHandler.ValidateToken(token, _validationParams, out SecurityToken validatedToken);
+        var jwt = (JwtSecurityToken)validatedToken;
+        var claims = jwt.Claims.Select(claim => new Claim(claim.Type, claim.Value));
+        context.User.AddIdentity(new ClaimsIdentity(claims));
+    }
+}

NineChronicles.Headless/NineChronicles.Headless.csproj

@@ -39,6 +39,7 @@
     <PackageReference Include="MagicOnion.Abstractions" Version="5.0.3" />
     <PackageReference Include="MagicOnion.Server" Version="5.0.3" />
     <PackageReference Include="MagicOnion.Server.HttpGateway" Version="5.0.3" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="6.0.25" />
     <PackageReference Include="Microsoft.Data.Sqlite" Version="7.0.11" />
     <PackageReference Include="Newtonsoft.Json" Version="13.0.2" />
     <PackageReference Include="NRedisStack" Version="0.9.0" />

NineChronicles.Headless/Properties/JwtOptions.cs

@@ -0,0 +1,10 @@
+namespace NineChronicles.Headless.Properties;
+
+public class JwtOptions
+{
+    public bool EnableJwtAuthentication { get; }
+
+    public string Key { get; } = "";
+
+    public string Issuer { get; } = "planetariumhq.com";
+}