Added user invite system (#351)

* Added user invite system

* Added user invite system

* Revert recent migrations and try again

* stopped implicitly assigning token variables

* Added correct context to migrations

* Apply suggestions from code review

Some grammar changes, etc.

Co-authored-by: Jayden <jvyden@jvyden.xyz>

* Updated the API key page

* Removed enabled field from APIKey

* Removed reference to APIKey.Enabled

* Add creation guide text

* Fix this.Forbid() usage

Causes an exception on my machine for some reason, always has.

* Fix more forbid usages

* Return 404 if trying to generate token when private registration is disabled

* Capture authentication schema more cleanly

Co-authored-by: Jayden <jvyden@jvyden.xyz>

ProjectLighthouse.Servers.API/Controllers/UserEndpoints.cs

@@ -1,6 +1,7 @@
 #nullable enable
 using LBPUnion.ProjectLighthouse.PlayerData.Profiles;
-using LBPUnion.ProjectLighthouse.Types;
+using LBPUnion.ProjectLighthouse.PlayerData;
+using LBPUnion.ProjectLighthouse.Helpers;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.EntityFrameworkCore;
 
@@ -54,4 +55,33 @@ public class UserEndpoints : ApiEndpointController
 
         return this.Ok(userStatus);
     }
+
+    [HttpPost("user/inviteToken")]
+    public async Task<IActionResult> CreateUserInviteToken()
+    {
+        if (Configuration.ServerConfiguration.Instance.Authentication.PrivateRegistration ||
+            Configuration.ServerConfiguration.Instance.Authentication.RegistrationEnabled)
+        {
+
+            string authHeader = this.Request.Headers["Authorization"];
+            if (!string.IsNullOrWhiteSpace(authHeader))
+            {
+                string authToken = authHeader.Substring(authHeader.IndexOf(' ') + 1);
+
+                APIKey? apiKey = await this.database.APIKeys.FirstOrDefaultAsync(k => k.Key == authToken);
+                if (apiKey == null) return this.StatusCode(403, null);
+
+                RegistrationToken token = new();
+                token.Created = DateTime.Now;
+                token.Token = CryptoHelper.GenerateAuthToken();
+
+                this.database.RegistrationTokens.Add(token);
+                await this.database.SaveChangesAsync();
+
+                return Ok(token.Token);
+            }
+
+        }
+        return this.NotFound();
+    }
 }

ProjectLighthouse.Servers.Website/Pages/Admin/AdminAPIKeyPage.cshtml

@@ -0,0 +1,56 @@
+@page "/admin/keys"
+
+@using LBPUnion.ProjectLighthouse.PlayerData
+@model LBPUnion.ProjectLighthouse.Servers.Website.Pages.Admin.AdminAPIKeyPageModel
+@{
+    Layout = "Layouts/BaseLayout";
+    Model.Title = "API Keys";
+}
+
+@inject Microsoft.AspNetCore.Antiforgery.IAntiforgery Antiforgery
+@{
+    var token = Antiforgery.GetAndStoreTokens(HttpContext).RequestToken;
+}
+
+<script>function deleteKey(keyID) {
+        document.getElementById("trashbutton-".concat(keyID)).classList.add('loading');
+        fetch("@Url.RouteUrl(ViewContext.RouteData.Values)", {
+            method: 'post',
+            headers: {
+                "Content-type": "application/x-www-form-urlencoded; charset=UTF-8"
+            },
+            credentials: 'same-origin',
+            body: 'keyID='.concat(keyID).concat("&__RequestVerificationToken=@token")
+        })
+            .then(function (data) {
+                document.getElementById("keyitem-".concat(keyID)).remove();
+                window.location.reload(true);
+            })
+            .catch(function (error) {
+                console.log('Request failed', error);
+            });
+
+    }</script>
+
+<p>There are <b>@Model.KeyCount</b> API keys registered.</p>
+@if (Model.KeyCount == 0)
+{
+    <p>To create one, you can use the "Create API key" command in the admin panel.</p>
+}
+
+<div class="ui four column grid">
+    @foreach (APIKey key in Model.APIKeys)
+    {
+        <div id="keyitem-@key.Id" class="five wide column">
+            <div class="ui blue segment">
+                <div class="ui tiny bottom left attached label">
+                    Created at: @key.Created.ToString()
+                </div>
+                <button id="trashbutton-@key.Id" class="right floated circular ui icon button" onclick="deleteKey(@key.Id);">
+                    <i class="trash can icon"></i>
+                </button>
+                <h2>@key.Description</h2>
+            </div>
+        </div>
+    }
+</div>

ProjectLighthouse.Servers.Website/Pages/Admin/AdminAPIKeyPage.cshtml.cs

@@ -0,0 +1,43 @@
+using LBPUnion.ProjectLighthouse.Servers.Website.Pages.Layouts;
+using LBPUnion.ProjectLighthouse.PlayerData;
+using LBPUnion.ProjectLighthouse.PlayerData.Profiles;
+using Microsoft.AspNetCore.Mvc;
+using Microsoft.EntityFrameworkCore;
+
+namespace LBPUnion.ProjectLighthouse.Servers.Website.Pages.Admin
+{
+    public class AdminAPIKeyPageModel : BaseLayout
+    {
+        public List<APIKey> APIKeys = new();
+        public int KeyCount;
+
+        public AdminAPIKeyPageModel(Database database) : base(database)
+        { }
+
+        public async Task<IActionResult> OnGet()
+        {
+            User? user = this.Database.UserFromWebRequest(this.Request);
+            if (user == null) return this.Redirect("~/login");
+            if (!user.IsAdmin) return this.NotFound();
+
+            this.APIKeys = await this.Database.APIKeys.OrderByDescending(k => k.Id).ToListAsync();
+            this.KeyCount = this.APIKeys.Count;
+
+            return this.Page();
+        }
+
+        public async Task<IActionResult> OnPost(string keyID)
+        {
+            User? user = this.Database.UserFromWebRequest(this.Request);
+            if (user == null || !user.IsAdmin) return this.NotFound();
+
+            APIKey? apiKey = await this.Database.APIKeys.FirstOrDefaultAsync(k => k.Id == int.Parse(keyID));
+            if (apiKey == null) return this.NotFound();
+            this.Database.APIKeys.Remove(apiKey);
+            await this.Database.SaveChangesAsync();
+
+            return this.Page();
+        }
+
+    }
+}

ProjectLighthouse.Servers.Website/Pages/Admin/AdminPanelPage.cshtml.cs

@@ -31,6 +31,7 @@ public class AdminPanelPage : BaseLayout
         this.Statistics.Add(new AdminPanelStatistic("Slots", await StatisticsHelper.SlotCount()));
         this.Statistics.Add(new AdminPanelStatistic("Photos", await StatisticsHelper.PhotoCount()));
         this.Statistics.Add(new AdminPanelStatistic("Reports", await StatisticsHelper.ReportCount(), "reports/0"));
+        this.Statistics.Add(new AdminPanelStatistic("API Keys", await StatisticsHelper.APIKeyCount(), "keys"));
 
         if (!string.IsNullOrEmpty(command))
         {

ProjectLighthouse.Servers.Website/Pages/RegisterForm.cshtml.cs

@@ -23,7 +23,22 @@ public class RegisterForm : BaseLayout
     [SuppressMessage("ReSharper", "SpecifyStringComparison")]
     public async Task<IActionResult> OnPost(string username, string password, string confirmPassword, string emailAddress)
     {
-        if (!ServerConfiguration.Instance.Authentication.RegistrationEnabled) return this.NotFound();
+        if (ServerConfiguration.Instance.Authentication.PrivateRegistration)
+        {
+            if (this.Request.Query.ContainsKey("token"))
+            {
+                if (!this.Database.IsRegistrationTokenValid(this.Request.Query["token"]))
+                    return this.StatusCode(403, "Invalid Token");
+            }
+            else
+            {
+                return this.NotFound();
+            }
+        }
+        else if (!ServerConfiguration.Instance.Authentication.RegistrationEnabled)
+        {
+            return this.NotFound();
+        }
 
         if (string.IsNullOrWhiteSpace(username))
         {
@@ -68,6 +83,11 @@ public class RegisterForm : BaseLayout
             return this.Page();
         }
 
+        if (this.Request.Query.ContainsKey("token"))
+        {
+            await Database.RemoveRegistrationToken(this.Request.Query["token"]);
+        }
+
         User user = await this.Database.CreateUser(username, CryptoHelper.BCryptHash(password), emailAddress);
 
         WebToken webToken = new()
@@ -91,7 +111,22 @@ public class RegisterForm : BaseLayout
     public IActionResult OnGet()
     {
         this.Error = string.Empty;
-        if (!ServerConfiguration.Instance.Authentication.RegistrationEnabled) return this.NotFound();
+        if (ServerConfiguration.Instance.Authentication.PrivateRegistration)
+        {
+            if (this.Request.Query.ContainsKey("token"))
+            {
+                if (!this.Database.IsRegistrationTokenValid(this.Request.Query["token"]))
+                    return this.StatusCode(403, "Invalid Token");
+            }
+            else
+            {
+                return this.NotFound();
+            }
+        }
+        else if (!ServerConfiguration.Instance.Authentication.RegistrationEnabled)
+        {
+            return this.NotFound();
+        }
 
         return this.Page();
     }

ProjectLighthouse/Administration/Maintenance/Commands/CreateAPIKeyCommand.cs

@@ -0,0 +1,34 @@
+using System;
+using System.Threading.Tasks;
+using LBPUnion.ProjectLighthouse.Logging;
+using LBPUnion.ProjectLighthouse.PlayerData;
+using LBPUnion.ProjectLighthouse.Helpers;
+
+namespace LBPUnion.ProjectLighthouse.Administration.Maintenance.Commands
+{
+    public class CreateAPIKeyCommand : ICommand
+    {
+        public string Name() => "Create API Key";
+        public string[] Aliases() => new[] { "createAPIKey", };
+        public string Arguments() => "<description>";
+        public int RequiredArgs() => 1;
+
+        public async Task Run(string[] args, Logger logger)
+        {
+            APIKey key = new();
+            key.Description = args[0];
+            if (string.IsNullOrWhiteSpace(key.Description))
+            {
+                key.Description = "<no description specified>";
+            }
+            key.Key = CryptoHelper.GenerateAuthToken();
+            key.Created = DateTime.Now;
+            Database database = new();
+            await database.APIKeys.AddAsync(key);
+            await database.SaveChangesAsync();
+            logger.LogSuccess($"The API key has been created (id: {key.Id}), however for security the token will only be shown once.", LogArea.Command);
+            logger.LogInfo($"Key: {key.Key}", LogArea.Command);
+        }
+    }
+}
+

ProjectLighthouse/Configuration/ConfigurationCategories/AuthenticationConfiguration.cs

@@ -8,5 +8,6 @@ public class AuthenticationConfiguration
     public bool BlockDeniedUsers { get; set; }
 
     public bool RegistrationEnabled { get; set; } = true;
+    public bool PrivateRegistration { get; set; } = false;
     public bool UseExternalAuth { get; set; }
 }

ProjectLighthouse/Configuration/ServerConfiguration.cs

@@ -23,7 +23,7 @@ public class ServerConfiguration
     // You can use an ObsoleteAttribute instead. Make sure you set it to error, though.
     //
     // Thanks for listening~
-    public const int CurrentConfigVersion = 5;
+    public const int CurrentConfigVersion = 6;
 
     #region Meta
 

ProjectLighthouse/Database.cs

@@ -47,6 +47,8 @@ public class Database : DbContext
     public DbSet<EmailVerificationToken> EmailVerificationTokens { get; set; }
     public DbSet<EmailSetToken> EmailSetTokens { get; set; }
     public DbSet<PasswordResetToken> PasswordResetTokens { get; set; }
+    public DbSet<RegistrationToken> RegistrationTokens { get; set; }
+    public DbSet<APIKey> APIKeys { get; set; }
 
     protected override void OnConfiguring(DbContextOptionsBuilder options)
         => options.UseMySql(ServerConfiguration.Instance.DbConnectionString, MySqlServerVersion.LatestSupportedServerVersion);
@@ -357,10 +359,6 @@ public class Database : DbContext
         return this.WebTokens.FirstOrDefault(t => t.UserToken == lighthouseToken);
     }
 
-    #endregion
-
-    #region Password Reset Token
-
     public async Task<User?> UserFromPasswordResetToken(string resetToken)
     {
 
@@ -378,6 +376,32 @@ public class Database : DbContext
         return await this.Users.FirstOrDefaultAsync(user => user.UserId == token.UserId);
     }
 
+    public bool IsRegistrationTokenValid(string tokenString)
+    {
+        RegistrationToken? token = this.RegistrationTokens.FirstOrDefault(t => t.Token == tokenString);
+
+        if (token == null) return false;
+
+        if (token.Created < DateTime.Now.AddDays(-7)) // if token is expired
+        {
+            this.RegistrationTokens.Remove(token);
+            return false;
+        }
+
+        return true;
+    }
+
+    public async Task RemoveRegistrationToken(string tokenString)
+    {
+        RegistrationToken? token = await this.RegistrationTokens.FirstOrDefaultAsync(t => t.Token == tokenString);
+
+        if (token == null) return;
+
+        this.RegistrationTokens.Remove(token);
+
+        await this.SaveChangesAsync();
+    }
+
     #endregion
 
     public async Task<Photo?> PhotoFromSubject(PhotoSubject subject)

ProjectLighthouse/Helpers/StatisticsHelper.cs

@@ -25,4 +25,6 @@ public static class StatisticsHelper
     public static async Task<int> PhotoCount() => await database.Photos.CountAsync();
 
     public static async Task<int> ReportCount() => await database.Reports.CountAsync();
+
+    public static async Task<int> APIKeyCount() => await database.APIKeys.CountAsync();
 }

ProjectLighthouse/Migrations/20220715222906_UserInvite.cs

@@ -0,0 +1,62 @@
+using System;
+using Microsoft.EntityFrameworkCore.Metadata;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using LBPUnion.ProjectLighthouse;
+
+#nullable disable
+
+namespace ProjectLighthouse.Migrations
+{
+    [DbContext(typeof(Database))]
+    [Migration("20220715222906_UserInvite")]
+    public partial class UserInvite : Migration
+    {
+        protected override void Up(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.CreateTable(
+                name: "APIKeys",
+                columns: table => new
+                {
+                    Id = table.Column<int>(type: "int", nullable: false)
+                        .Annotation("MySql:ValueGenerationStrategy", MySqlValueGenerationStrategy.IdentityColumn),
+                    Description = table.Column<string>(type: "longtext", nullable: true)
+                        .Annotation("MySql:CharSet", "utf8mb4"),
+                    Key = table.Column<string>(type: "longtext", nullable: true)
+                        .Annotation("MySql:CharSet", "utf8mb4"),
+                    Created = table.Column<DateTime>(type: "datetime(6)", nullable: false),
+                    Enabled = table.Column<bool>(type: "tinyint(1)", nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_APIKeys", x => x.Id);
+                })
+                .Annotation("MySql:CharSet", "utf8mb4");
+
+            migrationBuilder.CreateTable(
+                name: "RegistrationTokens",
+                columns: table => new
+                {
+                    TokenId = table.Column<int>(type: "int", nullable: false)
+                        .Annotation("MySql:ValueGenerationStrategy", MySqlValueGenerationStrategy.IdentityColumn),
+                    Token = table.Column<string>(type: "longtext", nullable: true)
+                        .Annotation("MySql:CharSet", "utf8mb4"),
+                    Created = table.Column<DateTime>(type: "datetime(6)", nullable: false)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_RegistrationTokens", x => x.TokenId);
+                })
+                .Annotation("MySql:CharSet", "utf8mb4");
+        }
+
+        protected override void Down(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.DropTable(
+                name: "APIKeys");
+
+            migrationBuilder.DropTable(
+                name: "RegistrationTokens");
+        }
+    }
+}

ProjectLighthouse/Migrations/20220716234844_RemovedAPIKeyEnabled.cs

@@ -0,0 +1,29 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+using LBPUnion.ProjectLighthouse;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+#nullable disable
+
+namespace ProjectLighthouse.Migrations
+{
+    [DbContext(typeof(Database))]
+    [Migration("20220716234844_RemovedAPIKeyEnabled")]
+    public partial class RemovedAPIKeyEnabled : Migration
+    {
+        protected override void Up(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.DropColumn(
+                name: "Enabled",
+                table: "APIKeys");
+        }
+
+        protected override void Down(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.AddColumn<bool>(
+                name: "Enabled",
+                table: "APIKeys",
+                type: "tinyint(1)",
+                nullable: false,
+                defaultValue: false);
+        }
+    }
+}

ProjectLighthouse/Migrations/DatabaseModelSnapshot.cs

@@ -16,7 +16,7 @@ namespace ProjectLighthouse.Migrations
         {
 #pragma warning disable 612, 618
             modelBuilder
-                .HasAnnotation("ProductVersion", "6.0.6")
+                .HasAnnotation("ProductVersion", "6.0.7")
                 .HasAnnotation("Relational:MaxIdentifierLength", 64);
 
             modelBuilder.Entity("LBPUnion.ProjectLighthouse.Administration.CompletedMigration", b =>
@@ -331,6 +331,26 @@ namespace ProjectLighthouse.Migrations
                     b.ToTable("VisitedLevels");
                 });
 
+            modelBuilder.Entity("LBPUnion.ProjectLighthouse.PlayerData.APIKey", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("int");
+
+                    b.Property<DateTime>("Created")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Description")
+                        .HasColumnType("longtext");
+
+                    b.Property<string>("Key")
+                        .HasColumnType("longtext");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("APIKeys");
+                });
+
             modelBuilder.Entity("LBPUnion.ProjectLighthouse.PlayerData.AuthenticationAttempt", b =>
                 {
                     b.Property<int>("AuthenticationAttemptId")
@@ -702,6 +722,23 @@ namespace ProjectLighthouse.Migrations
                     b.ToTable("Reactions");
                 });
 
+            modelBuilder.Entity("LBPUnion.ProjectLighthouse.PlayerData.RegistrationToken", b =>
+                {
+                    b.Property<int>("TokenId")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("int");
+
+                    b.Property<DateTime>("Created")
+                        .HasColumnType("datetime(6)");
+
+                    b.Property<string>("Token")
+                        .HasColumnType("longtext");
+
+                    b.HasKey("TokenId");
+
+                    b.ToTable("RegistrationTokens");
+                });
+
             modelBuilder.Entity("LBPUnion.ProjectLighthouse.PlayerData.Reviews.RatedReview", b =>
                 {
                     b.Property<int>("RatedReviewId")

ProjectLighthouse/PlayerData/APIKey.cs

@@ -0,0 +1,19 @@
+
+using System;
+using System.ComponentModel.DataAnnotations;
+
+namespace LBPUnion.ProjectLighthouse.PlayerData
+{
+    public class APIKey
+    {
+        [Key]
+        public int Id { get; set; }
+
+        public string Description { get; set; }
+
+        public string Key { get; set; }
+
+        public DateTime Created { get; set; }
+    }
+}
+

ProjectLighthouse/PlayerData/RegistrationToken.cs

@@ -0,0 +1,16 @@
+using System;
+using System.ComponentModel.DataAnnotations;
+
+namespace LBPUnion.ProjectLighthouse.PlayerData
+{
+    public class RegistrationToken
+    {
+        [Key]
+        public int TokenId { get; set; }
+
+        public string Token { get; set; }
+
+        public DateTime Created { get; set; }
+    }
+}
+