Events added

Author: mihirdilip

src/AspNetCore.Authentication.Basic/AspNetCore.Authentication.Basic.csproj

@@ -8,7 +8,10 @@
     <PackageTags>aspnetcore, security, authentication, microsoft, microsoft.aspnetcore.authentication, microsoft-aspnetcore-authentication, microsoft.aspnetcore.authentication.basic, microsoft-aspnetcore-authentication-basic, asp-net-core, netstandard, netstandard20, basic-authentication, basicauthentication, dotnetcore, dotnetcore3.1, asp-net-core-basic-authentication, aspnetcore-basic-authentication, asp-net-core-authentication, aspnetcore-authentication, asp, aspnet, basic, authentication-scheme</PackageTags>
     <PackageReleaseNotes>- Multitarget framework support added
 - Source Link support added
-- Strong Name Key support added</PackageReleaseNotes>
+- Strong Name Key support added
+- SuppressWWWAuthenticateHeader added to configure options
+- Events added to configure options
+    </PackageReleaseNotes>
     <Description>Easy to use and very light weight Microsoft style Basic Scheme Authentication implementation for ASP.NET Core.</Description>
     <Authors>Mihir Dilip</Authors>
     <Company>Mihir Dilip</Company>

src/AspNetCore.Authentication.Basic/BasicExtensions.cs

@@ -23,11 +23,11 @@ public static class BasicExtensions
 		public static AuthenticationBuilder AddBasic<TBasicUserValidationService>(this AuthenticationBuilder builder, Action<BasicOptions> configureOptions)
 			where TBasicUserValidationService : class, IBasicUserValidationService
 		{
-			// Adds post configure options to the pipeline.
-			builder.Services.AddSingleton<IPostConfigureOptions<BasicOptions>, BasicPostConfigureOptions>();
-
 			// Adds implementation of IBasicUserValidationService to the dependency container.
 			builder.Services.AddTransient<IBasicUserValidationService, TBasicUserValidationService>();
+			
+			// Adds post configure options to the pipeline.
+			builder.Services.AddSingleton<IPostConfigureOptions<BasicOptions>, BasicPostConfigureOptions>();
 
 			// Adds basic authentication scheme to the pipeline.
 			return builder.AddScheme<BasicOptions, BasicHandler>(BasicDefaults.AuthenticationScheme, configureOptions);

src/AspNetCore.Authentication.Basic/BasicHandler.cs

@@ -14,10 +14,10 @@
 
 namespace AspNetCore.Authentication.Basic
 {
-	/// <summary>
-	/// Inherited from <see cref="AuthenticationHandler{TOptions}"/> for basic authentication.
-	/// </summary>
-	public class BasicHandler : AuthenticationHandler<BasicOptions>
+    /// <summary>
+    /// Inherited from <see cref="AuthenticationHandler{TOptions}"/> for basic authentication.
+    /// </summary>
+    internal class BasicHandler : AuthenticationHandler<BasicOptions>
 	{
 		private readonly IBasicUserValidationService _basicUserValidationService;
 
@@ -32,76 +32,231 @@ public class BasicHandler : AuthenticationHandler<BasicOptions>
 		public BasicHandler(IOptionsMonitor<BasicOptions> options, ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock, IBasicUserValidationService basicUserValidationService) 
 			: base(options, logger, encoder, clock)
 		{
-			_basicUserValidationService = basicUserValidationService;
+			_basicUserValidationService = basicUserValidationService ?? throw new ArgumentNullException(nameof(basicUserValidationService));
 		}
 
 		private string Challenge => $"{BasicDefaults.AuthenticationScheme} realm=\"{Options.Realm}\", charset=\"UTF-8\"";
 
-		//protected new BasicEvents Events { get => (BasicEvents)base.Events; set => base.Events = value; }
-		//protected override Task<object> CreateEventsAsync() => Task.FromResult<object>(new BasicEvents());
+		/// <summary>
+		/// Get or set <see cref="BasicEvents"/>.
+		/// </summary>
+        protected new BasicEvents Events { get => (BasicEvents)base.Events; set => base.Events = value; }
 
 		/// <summary>
-		/// Searches the 'Authorization' header for 'Basic' scheme with base64 encoded username:password string value of which is validated using implementation of <see cref="IBasicUserValidationService"/> passed as type parameter when setting up basic authentication in the Startup.cs 
+		/// Create an instance of <see cref="BasicEvents"/>.
 		/// </summary>
 		/// <returns></returns>
+		protected override Task<object> CreateEventsAsync() => Task.FromResult<object>(new BasicEvents());
+
+		/// <summary>
+		/// Searches the 'Authorization' header for 'Basic' scheme with base64 encoded username:password string value of which is validated using implementation of <see cref="IBasicUserValidationService"/> passed as type parameter when setting up basic authentication in the Startup.cs 
+		/// </summary>
+		/// <returns><see cref="AuthenticateResult"/></returns>
 		protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
 		{
 			if (!Request.Headers.ContainsKey(HeaderNames.Authorization))
 			{
-				// No 'Authorization' header found in the request.
+				Logger.LogInformation("No 'Authorization' header found in the request.");
 				return AuthenticateResult.NoResult();
 			}
 
 			if (!AuthenticationHeaderValue.TryParse(Request.Headers[HeaderNames.Authorization], out var headerValue))
 			{
-				// No valid 'Authorization' header found in the request.
+				Logger.LogInformation("No valid 'Authorization' header found in the request.");
 				return AuthenticateResult.NoResult();
 			}
-
 
 			if (!headerValue.Scheme.Equals(BasicDefaults.AuthenticationScheme, StringComparison.OrdinalIgnoreCase))
 			{
-				// 'Authorization' header found but the scheme is not a basic scheme.
+				Logger.LogInformation($"'Authorization' header found but the scheme is not a '{BasicDefaults.AuthenticationScheme}' scheme.");
 				return AuthenticateResult.NoResult();
 			}
 
-			// Convert the base64 encoded 'username:password' to normal string and parse username and password from colon(:) separated string.
-			var usernameAndPassword = Encoding.UTF8.GetString(Convert.FromBase64String(headerValue.Parameter));
-			var usernameAndPasswordSplit = usernameAndPassword.Split(':');
-			if (usernameAndPasswordSplit.Length != 2)
+			BasicCredentials credentials;
+            try
+            {
+				credentials = DecodeBasicCredentials(headerValue.Parameter);
+			}
+            catch (Exception exception)
+            {
+				return AuthenticateResult.Fail(exception);
+            }
+            
+			try
 			{
-				return AuthenticateResult.Fail("Invalid Basic authentication header");
+				// Raise validate credentials event.
+				// It can either have a result set or a principal set or just a bool? validation result set.
+				var validateCredentialsContext = new BasicValidateCredentialsContext(Context, Scheme, Options, credentials.Username, credentials.Password);
+				await Events.ValidateCredentialsAsync(validateCredentialsContext).ConfigureAwait(false);
+				
+				if (validateCredentialsContext.Result != null)
+                {
+					return validateCredentialsContext.Result;
+                }
+				
+				if (validateCredentialsContext.Principal?.Identity != null && validateCredentialsContext.Principal.Identity.IsAuthenticated)
+				{
+					// If claims principal is set and is authenticated then build a ticket by calling and return success.
+					validateCredentialsContext.Success();
+					return validateCredentialsContext.Result;
+				}
+
+				var hasValidationSucceeded = false;
+				var validationFailureMessage = "Invalid username or password.";
+
+				if (validateCredentialsContext.ValidationResult.HasValue)
+                {
+					hasValidationSucceeded = validateCredentialsContext.ValidationResult.Value;
+
+					// If validation result was not successful return failure.
+					if (!hasValidationSucceeded)
+					{
+						return AuthenticateResult.Fail(
+							validateCredentialsContext.ValidationFailureException ?? new Exception(validationFailureMessage)
+						);
+					}
+				}
+
+				// If validation result was not set then validate using the implementation of IBasicUserValidationService.
+				if (!hasValidationSucceeded)
+                {
+					if (_basicUserValidationService is DefaultBasicUserValidationService)
+                    {
+						throw new InvalidOperationException($"Either {nameof(Options.Events.OnValidateCredentials)} delegate on configure options {nameof(Options.Events)} should be set or an implementaion of {nameof(IBasicUserValidationService)} should be registered in the dependency container.");
+                    }
+					hasValidationSucceeded = await _basicUserValidationService.IsValidAsync(credentials.Username, credentials.Password);
+				}
+
+				// Return fail if validation not succeeded.
+				if (!hasValidationSucceeded)
+				{
+					return AuthenticateResult.Fail(validationFailureMessage);
+				}
+
+				// Create claims principal.
+				var claims = new[] 
+				{
+					new Claim(ClaimTypes.NameIdentifier, credentials.Username, ClaimValueTypes.String, ClaimsIssuer),
+					new Claim(ClaimTypes.Name, credentials.Username, ClaimValueTypes.String, ClaimsIssuer)					
+				};
+				var principal = new ClaimsPrincipal(new ClaimsIdentity(claims, Scheme.Name));
+				
+				// Raise authentication succeeded event.
+				var authenticationSucceededContext = new BasicAuthenticationSucceededContext(Context, Scheme, Options, principal);
+				await Events.AuthenticationSucceededAsync(authenticationSucceededContext).ConfigureAwait(false);
+				
+				if (authenticationSucceededContext.Result != null)
+                {
+					return authenticationSucceededContext.Result;
+                }
+
+				if (authenticationSucceededContext.Principal?.Identity != null && authenticationSucceededContext.Principal.Identity.IsAuthenticated)
+				{
+					// If claims principal is set and is authenticated then build a ticket by calling and return success.
+					authenticationSucceededContext.Success();
+					return authenticationSucceededContext.Result;
+				}
+
+				return AuthenticateResult.Fail("No authenticated prinicipal set.");
+			}
+            catch (Exception exception)
+            {
+				var authenticationFailedContext = new BasicAuthenticationFailedContext(Context, Scheme, Options, exception);
+				await Events.AuthenticationFailedAsync(authenticationFailedContext).ConfigureAwait(false);
+				
+				if (authenticationFailedContext.Result != null)
+				{
+					return authenticationFailedContext.Result;
+				}
+				
+				throw;
 			}
-			var username = usernameAndPasswordSplit[0];
-			var password = usernameAndPasswordSplit[1];
+		}
 
-			// Validate username and password by using the implementation of IBasicUserValidationService.
-			var isValidUser = await _basicUserValidationService.IsValidAsync(username, password);
-			if (!isValidUser)
+		/// <inheritdoc/>
+        protected override async Task HandleForbiddenAsync(AuthenticationProperties properties)
+        {
+			// Raise handle forbidden event.
+			var handleForbiddenContext = new BasicHandleForbiddenContext(Context, Scheme, Options, properties);
+			await Events.HandleForbiddenAsync(handleForbiddenContext).ConfigureAwait(false);
+			if (handleForbiddenContext.IsHandled)
 			{
-				return AuthenticateResult.Fail("Invalid username or password");
+				return;
 			}
 
-			// Create 'AuthenticationTicket' and return as success if the above validation was successful.
-			var claims = new[] { new Claim(ClaimTypes.Name, username) };
-			var identity = new ClaimsIdentity(claims, Scheme.Name);
-			var principal = new ClaimsPrincipal(identity);
-			var ticket = new AuthenticationTicket(principal, Scheme.Name);
-			return AuthenticateResult.Success(ticket);
-		}
+			await base.HandleForbiddenAsync(properties);
+        }
 
 		/// <summary>
 		/// Handles the un-authenticated requests. 
 		/// Returns 401 status code in response.
-		/// Adds 'WWW-Authenticate' with 'Basic' authentication scheme and 'Realm' in the response header 
+		/// If <see cref="BasicOptions.SuppressWWWAuthenticateHeader"/> is not set then,
+		/// adds 'WWW-Authenticate' response header with 'Basic' authentication scheme and 'Realm' 
 		/// to let the client know that 'Basic' authentication scheme is being used by the system.
 		/// </summary>
-		/// <param name="properties"></param>
-		/// <returns></returns>
+		/// <param name="properties"><see cref="AuthenticationProperties"/></param>
+		/// <returns>A Task.</returns>
 		protected override async Task HandleChallengeAsync(AuthenticationProperties properties)
 		{
-			Response.Headers[HeaderNames.WWWAuthenticate] = Challenge;
+			// Raise handle challenge event.
+			var handleChallengeContext = new BasicHandleChallengeContext(Context, Scheme, Options, properties);
+			await Events.HandleChallengeAsync(handleChallengeContext).ConfigureAwait(false);
+			if (handleChallengeContext.IsHandled)
+			{
+				return;
+			}
+
+			if (!Options.SuppressWWWAuthenticateHeader)
+			{
+				Response.Headers[HeaderNames.WWWAuthenticate] = Challenge;
+			}
 			await base.HandleChallengeAsync(properties);
 		}
+
+		private BasicCredentials DecodeBasicCredentials(string credentials)
+        {
+			string username;
+			string password;
+			try
+			{
+				// Convert the base64 encoded 'username:password' to normal string and parse username and password from colon(:) separated string.
+				var usernameAndPassword = Encoding.UTF8.GetString(Convert.FromBase64String(credentials));
+				var usernameAndPasswordSplit = usernameAndPassword.Split(':');
+				if (usernameAndPasswordSplit.Length != 2)
+				{
+					throw new Exception("Invalid Basic authentication header.");
+				}
+				username = usernameAndPasswordSplit[0];
+				password = usernameAndPasswordSplit[1];
+			}
+			catch (Exception)
+			{
+				throw new Exception($"Problem decoding '{BasicDefaults.AuthenticationScheme}' scheme credentials.");
+			}
+
+			if (string.IsNullOrWhiteSpace(username))
+			{
+				throw new Exception("Username cannot be empty.");
+			}
+			
+			if (password == null)
+			{
+				password = string.Empty;
+			}
+			
+			return new BasicCredentials(username, password);
+		}
+
+		private struct BasicCredentials
+        {
+            public BasicCredentials(string username, string password)
+            {
+                Username = username;
+                Password = password;
+            }
+
+            public string Username { get; }
+            public string Password { get; }
+        }
 	}
 }

src/AspNetCore.Authentication.Basic/BasicOptions.cs

@@ -2,23 +2,49 @@
 // Licensed under the MIT License. See License.txt in the project root for license information.
 
 using Microsoft.AspNetCore.Authentication;
+using System;
 
 namespace AspNetCore.Authentication.Basic
 {
-	/// <summary>
-	/// Inherited from <see cref="AuthenticationSchemeOptions"/> to allow extra option properties for 'Basic' authentication.
-	/// </summary>
-	public class BasicOptions : AuthenticationSchemeOptions
+    /// <summary>
+    /// Options used to configure basic authentication.
+    /// </summary>
+    public class BasicOptions : AuthenticationSchemeOptions
 	{
-		/// <summary>
-		/// This is required property. It is used when challenging un-authenticated requests.
-		/// </summary>
-		public string Realm { get; set; }
+        /// <summary>
+        /// Gets or sets the realm property. It is used with WWW-Authenticate response header when challenging un-authenticated requests.
+        /// <see href="https://tools.ietf.org/html/rfc7235#section-2.2"/>
+        /// </summary>
+        public string Realm { get; set; }
 
-		//public new BasicEvents Events
-		//{
-		//	get => (BasicEvents)base.Events;
-		//	set => base.Events = value;
-		//}
-	}
+        /// <summary>
+        /// Default value is false.
+        /// When set to true, it will NOT return WWW-Authenticate response header when challenging un-authenticated requests.
+        /// When set to false, it will return WWW-Authenticate response header when challenging un-authenticated requests.
+        /// It is normally used to disable browser prompt when doing ajax calls.
+        /// <see href="https://tools.ietf.org/html/rfc7235#section-4.1"/>
+        /// </summary>
+        public bool SuppressWWWAuthenticateHeader { get; set; }
+
+        /// <summary>
+        /// The object provided by the application to process events raised by the basic authentication middleware.
+        /// The application may implement the interface fully, or it may create an instance of BasicEvents
+        /// and assign delegates only to the events it wants to process.
+        /// </summary>
+        public new BasicEvents Events
+        {
+            get => (BasicEvents)base.Events;
+            set => base.Events = value;
+        }
+
+        /// <inheritdoc/>
+        public override void Validate()
+        {
+            base.Validate();
+            if (!SuppressWWWAuthenticateHeader && string.IsNullOrWhiteSpace(Realm))
+            {
+                throw new InvalidOperationException("Realm must be set in basic options");
+            }
+        }
+    }
 }

src/AspNetCore.Authentication.Basic/BasicPostConfigureOptions.cs

@@ -9,14 +9,26 @@ namespace AspNetCore.Authentication.Basic
 	/// <summary>
 	/// This post configure options checks whether the required option property <see cref="BasicOptions.Realm" /> is set or not on <see cref="BasicOptions"/>.
 	/// </summary>
-	class BasicPostConfigureOptions : IPostConfigureOptions<BasicOptions>
+	internal class BasicPostConfigureOptions : IPostConfigureOptions<BasicOptions>
 	{
+        private readonly IBasicUserValidationService _basicUserValidationService;
+
+        public BasicPostConfigureOptions(IBasicUserValidationService basicUserValidationService)
+        {
+            _basicUserValidationService = basicUserValidationService ?? throw new ArgumentNullException(nameof(basicUserValidationService));
+        }
+
 		public void PostConfigure(string name, BasicOptions options)
 		{
-			if (string.IsNullOrWhiteSpace(options.Realm))
+			if (!options.SuppressWWWAuthenticateHeader && string.IsNullOrWhiteSpace(options.Realm))
 			{
 				throw new InvalidOperationException("Realm must be set in basic options");
 			}
+
+			if (options.Events?.OnValidateCredentials == null && options.EventsType == null && _basicUserValidationService is DefaultBasicUserValidationService)
+            {
+				throw new InvalidOperationException($"Either {nameof(options.Events.OnValidateCredentials)} delegate on configure options {nameof(options.Events)} should be set or an implementaion of {nameof(IBasicUserValidationService)} should be registered in the dependency container.");
+			}
 		}
 	}
 }