[Milky] Support Bearer token authentication for WebSocket

NoirHare · NoirHare · commit 71cbc22e4bfa · 2026-05-15T16:48:16.000+08:00
diff --git a/Lagrange.Milky/Api/MilkyHttpApiService.cs b/Lagrange.Milky/Api/MilkyHttpApiService.cs
@@ -33,7 +33,7 @@ public Task StartAsync(CancellationToken token)
         _listener.Prefixes.Add($"http://{_host}:{_port}{_prefix}/");
         _listener.Start();
 
-        foreach (var prefix in _listener.Prefixes) _logger.LogServerRunning(prefix);
+        foreach (string prefix in _listener.Prefixes) _logger.LogServerRunning(prefix);
 
         _cts = CancellationTokenSource.CreateLinkedTokenSource(token);
         _task = GetHttpContextLoopAsync(_cts.Token);
@@ -65,8 +65,8 @@ private async Task HandleHttpContextAsync(HttpListenerContext context, Cancellat
         var request = context.Request;
         var identifier = request.RequestTraceIdentifier;
         var remote = request.RemoteEndPoint;
-        var method = request.HttpMethod;
-        var rawUrl = request.RawUrl;
+        string method = request.HttpMethod;
+        string? rawUrl = request.RawUrl;
 
         try
         {
@@ -77,10 +77,10 @@ private async Task HandleHttpContextAsync(HttpListenerContext context, Cancellat
             var handler = await GetApiHandlerAsync(context, token);
             if (handler == null) return;
 
-            var parameter = await GetParameterAsync(context, handler.ParameterType, token);
+            object? parameter = await GetParameterAsync(context, handler.ParameterType, token);
             if (parameter == null) return;
 
-            var result = await GetResultAsync(context, handler, parameter, token);
+            object? result = await GetResultAsync(context, handler, parameter, token);
             if (result == null) return;
 
             await SendWithLoggerAsync(context, result, token);
diff --git a/Lagrange.Milky/Event/MilkyWebSocketEventService.cs b/Lagrange.Milky/Event/MilkyWebSocketEventService.cs
@@ -22,33 +22,45 @@ public class MilkyWebSocketEventService(ILogger<MilkyWebSocketEventService> logg
 
     private readonly HttpListener _listener = new();
     private readonly ConcurrentDictionary<ConnectionContext, object?> _connections = [];
-    private CancellationTokenSource? _cts;
+
     private Task? _task;
+    private CancellationTokenSource? _cts;
 
-    public Task StartAsync(CancellationToken token)
+    public Task StartAsync(CancellationToken ct)
     {
         _listener.Prefixes.Add($"http://{_host}:{_port}{_path}/");
         _listener.Start();
 
-        foreach (var prefix in _listener.Prefixes) _logger.LogServerRunning(prefix);
+        foreach (string prefix in _listener.Prefixes) _logger.LogServerRunning(prefix);
 
-        _cts = CancellationTokenSource.CreateLinkedTokenSource(token);
+        _cts = CancellationTokenSource.CreateLinkedTokenSource(ct);
         _task = GetHttpContextLoopAsync(_cts.Token);
 
         _event.Register(HandleEventAsync);
 
         return Task.CompletedTask;
     }
 
-    private async Task GetHttpContextLoopAsync(CancellationToken token)
+    public async Task StopAsync(CancellationToken ct)
+    {
+        _event.Unregister(HandleEventAsync);
+
+        _cts?.Cancel();
+        if (_task != null) await _task.WaitAsync(ct).ConfigureAwait(ConfigureAwaitOptions.SuppressThrowing);
+        await Task.WhenAll(_connections.Keys.Select(connection => connection.Tcs.Task));
+
+        _listener.Stop();
+    }
+
+    private async Task? GetHttpContextLoopAsync(CancellationToken ct)
     {
         try
         {
             while (true)
             {
-                _ = HandleHttpContextAsync(await _listener.GetContextAsync().WaitAsync(token), token);
+                _ = HandleHttpContextAsync(await _listener.GetContextAsync().WaitAsync(ct), ct);
 
-                token.ThrowIfCancellationRequested();
+                ct.ThrowIfCancellationRequested();
             }
         }
         catch (OperationCanceledException) { throw; }
@@ -59,9 +71,9 @@ private async Task GetHttpContextLoopAsync(CancellationToken token)
         }
     }
 
-    private async Task HandleHttpContextAsync(HttpListenerContext httpContext, CancellationToken token)
+    private async Task HandleHttpContextAsync(HttpListenerContext context, CancellationToken ct)
     {
-        var request = httpContext.Request;
+        var request = context.Request;
         var identifier = request.RequestTraceIdentifier;
         var remote = request.RemoteEndPoint;
         string method = request.HttpMethod;
@@ -71,26 +83,26 @@ private async Task HandleHttpContextAsync(HttpListenerContext httpContext, Cance
         {
             _logger.LogHttpContext(identifier, remote, method, rawUrl);
 
-            if (!await ValidateHttpContextAsync(httpContext, token)) return;
+            if (!await ValidateHttpContextAsync(context, ct)) return;
 
-            var connection = await GetConnectionContextAsync(httpContext, token);
+            var connection = await GetConnectionContextAsync(context, ct);
             if (connection == null) return;
 
             _ = WaitConnectionCloseLoopAsync(connection, connection.Cts.Token);
         }
         catch (OperationCanceledException)
         {
-            await SendWithLoggerAsync(httpContext, HttpStatusCode.InternalServerError, token);
+            await SendWithLoggerAsync(context, HttpStatusCode.InternalServerError, ct);
             throw;
         }
         catch (Exception e)
         {
             _logger.LogHandleHttpContextException(identifier, remote, e);
-            await SendWithLoggerAsync(httpContext, HttpStatusCode.InternalServerError, token);
+            await SendWithLoggerAsync(context, HttpStatusCode.InternalServerError, ct);
         }
     }
 
-    private async Task WaitConnectionCloseLoopAsync(ConnectionContext connection, CancellationToken token)
+    private async Task WaitConnectionCloseLoopAsync(ConnectionContext connection, CancellationToken ct)
     {
         var identifier = connection.HttpContext.Request.RequestTraceIdentifier;
         var remote = connection.HttpContext.Request.RemoteEndPoint;
@@ -100,20 +112,20 @@ private async Task WaitConnectionCloseLoopAsync(ConnectionContext connection, Ca
             byte[] buffer = new byte[1024];
             while (true)
             {
-                ValueTask<ValueWebSocketReceiveResult> resultTask = connection.WsContext.WebSocket
+                var resultTask = connection.WsContext.WebSocket
                         .ReceiveAsync(buffer.AsMemory(), default);
 
-                ValueWebSocketReceiveResult result = !resultTask.IsCompleted ?
-                    await resultTask.AsTask().WaitAsync(token) :
+                var result = !resultTask.IsCompleted ?
+                    await resultTask.AsTask().WaitAsync(ct) :
                     resultTask.Result;
 
                 if (result.MessageType == WebSocketMessageType.Close)
                 {
-                    await CloseConnectionAsync(connection, WebSocketCloseStatus.NormalClosure, token);
+                    await CloseConnectionAsync(connection, WebSocketCloseStatus.NormalClosure, ct);
                     return;
                 }
 
-                token.ThrowIfCancellationRequested();
+                ct.ThrowIfCancellationRequested();
             }
         }
         catch (OperationCanceledException)
@@ -124,11 +136,11 @@ await resultTask.AsTask().WaitAsync(token) :
         {
             _logger.LogWaitWebSocketCloseException(identifier, remote, e);
 
-            await CloseConnectionAsync(connection, WebSocketCloseStatus.InternalServerError, token);
+            await CloseConnectionAsync(connection, WebSocketCloseStatus.InternalServerError, ct);
         }
     }
 
-    private async Task CloseConnectionAsync(ConnectionContext connection, WebSocketCloseStatus status, CancellationToken token)
+    private async Task CloseConnectionAsync(ConnectionContext connection, WebSocketCloseStatus status, CancellationToken ct)
     {
         var identifier = connection.HttpContext.Request.RequestTraceIdentifier;
         var remote = connection.HttpContext.Request.RemoteEndPoint;
@@ -137,7 +149,7 @@ private async Task CloseConnectionAsync(ConnectionContext connection, WebSocketC
         {
             _connections.Remove(connection, out _);
 
-            await connection.WsContext.WebSocket.CloseAsync(status, null, token);
+            await connection.WsContext.WebSocket.CloseAsync(status, null, ct);
             connection.HttpContext.Response.Close();
 
             _logger.LogWebSocketClosed(identifier, remote);
@@ -152,117 +164,79 @@ private async Task CloseConnectionAsync(ConnectionContext connection, WebSocketC
         }
     }
 
-    private async void HandleEventAsync(Memory<byte> payload)
+    private async Task<bool> ValidateHttpContextAsync(HttpListenerContext context, CancellationToken ct)
     {
-        if (_connections.IsEmpty) return;
-
-        _logger.LogSend(payload.Span);
-        foreach (var connection in _connections.Keys)
-        {
-            var identifier = connection.HttpContext.Request.RequestTraceIdentifier;
-            var remote = connection.HttpContext.Request.RemoteEndPoint;
-            var ws = connection.WsContext.WebSocket;
-
-            try
-            {
-                await connection.SendSemaphoreSlim.WaitAsync(connection.Cts.Token);
-                try
-                {
-                    await ws.SendAsync(payload, WebSocketMessageType.Text, true, connection.Cts.Token);
-                }
-                finally
-                {
-                    connection.SendSemaphoreSlim.Release();
-                }
-            }
-            catch (Exception e)
-            {
-                _logger.LogSendException(identifier, remote, e);
-
-                await CloseConnectionAsync(connection, WebSocketCloseStatus.InternalServerError, connection.Cts.Token);
-            }
-        }
-    }
-
-    public async Task StopAsync(CancellationToken token)
-    {
-        _event.Unregister(HandleEventAsync);
-
-        _cts?.Cancel();
-        if (_task != null) await _task.WaitAsync(token).ConfigureAwait(ConfigureAwaitOptions.SuppressThrowing);
-        await Task.WhenAll(_connections.Keys.Select(connection => connection.Tcs.Task));
-
-        _listener.Stop();
-    }
 
-    private async Task<bool> ValidateHttpContextAsync(HttpListenerContext httpContext, CancellationToken token)
-    {
-        var request = httpContext.Request;
+        var request = context.Request;
         var identifier = request.RequestTraceIdentifier;
         var remote = request.RemoteEndPoint;
 
         if (request.Url?.LocalPath != _path)
         {
-            await SendWithLoggerAsync(httpContext, HttpStatusCode.NotFound, token);
+            await SendWithLoggerAsync(context, HttpStatusCode.NotFound, ct);
         }
 
-        if (!httpContext.Request.HttpMethod.Equals("GET", StringComparison.OrdinalIgnoreCase))
+        if (!context.Request.HttpMethod.Equals("GET", StringComparison.OrdinalIgnoreCase))
         {
-            await SendWithLoggerAsync(httpContext, HttpStatusCode.MethodNotAllowed, token);
+            await SendWithLoggerAsync(context, HttpStatusCode.MethodNotAllowed, ct);
             return false;
         }
 
-        if (!ValidateApiAccessToken(httpContext))
+        if (!request.IsWebSocketRequest)
         {
-            _logger.LogValidateAccessTokenFailed(identifier, remote);
-            await SendWithLoggerAsync(httpContext, HttpStatusCode.Unauthorized, token);
+            await SendWithLoggerAsync(context, HttpStatusCode.BadRequest, ct);
             return false;
         }
 
-        if (!request.IsWebSocketRequest)
+        if (!ValidateAccessToken(context))
         {
-            await SendWithLoggerAsync(httpContext, HttpStatusCode.BadRequest, token);
+            _logger.LogValidateAccessTokenFailed(identifier, remote);
+            await SendWithLoggerAsync(context, HttpStatusCode.Unauthorized, ct);
             return false;
         }
 
         return true;
     }
 
-    private bool ValidateApiAccessToken(HttpListenerContext httpContext)
+    private bool ValidateAccessToken(HttpListenerContext context)
     {
-        if (_token == null) return true;
+        if (string.IsNullOrEmpty(_token)) return true;
 
-        string? authorization = httpContext.Request.QueryString["access_token"];
-        if (authorization == null) return false;
+        string? authorization = context.Request.Headers["Authorization"];
+        if (authorization != null)
+        {
+            if (!authorization.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase)) return false;
+            return authorization.AsSpan(7..).Equals(_token);
+        }
+
+        string? accessToken = context.Request.QueryString["access_token"];
+        if (accessToken != null)
+        {
+            return accessToken.Equals(_token);
+        }
 
-        return authorization == _token;
+        return false;
     }
 
-    private async Task<ConnectionContext?> GetConnectionContextAsync(HttpListenerContext httpContext, CancellationToken token)
+    private async Task<ConnectionContext?> GetConnectionContextAsync(HttpListenerContext context, CancellationToken ct)
     {
-        var request = httpContext.Request;
-        var identifier = request.RequestTraceIdentifier;
-        var remote = request.RemoteEndPoint;
-
         try
         {
-            var wsContext = await httpContext.AcceptWebSocketAsync(null).WaitAsync(token);
-            var cts = CancellationTokenSource.CreateLinkedTokenSource(token);
-            var connection = new ConnectionContext(httpContext, wsContext, cts);
+            var wsContext = await context.AcceptWebSocketAsync(null).WaitAsync(ct);
+            var cts = CancellationTokenSource.CreateLinkedTokenSource(ct);
+            var connection = new ConnectionContext(context, wsContext, cts);
             _connections.TryAdd(connection, null);
             return connection;
         }
         catch (OperationCanceledException) { throw; }
-        catch (Exception e)
+        catch (Exception)
         {
-            _logger.LogUpgradeWebSocketException(identifier, remote, e);
-            await SendWithLoggerAsync(httpContext, HttpStatusCode.InternalServerError, token);
+            await SendWithLoggerAsync(context, HttpStatusCode.InternalServerError, ct);
+            throw;
         }
-
-        return null;
     }
 
-    private async Task SendWithLoggerAsync(HttpListenerContext context, HttpStatusCode status, CancellationToken token)
+    private async Task SendWithLoggerAsync(HttpListenerContext context, HttpStatusCode status, CancellationToken ct)
     {
         var request = context.Request;
         var identifier = request.RequestTraceIdentifier;
@@ -276,7 +250,7 @@ private async Task SendWithLoggerAsync(HttpListenerContext context, HttpStatusCo
             int code = (int)status;
 
             response.StatusCode = code;
-            await output.WriteAsync(Encoding.UTF8.GetBytes($"{code} {status}"), token);
+            await output.WriteAsync(Encoding.UTF8.GetBytes($"{code} {status}"), ct);
             response.Close();
 
             _logger.LogSend(identifier, remote, status);
@@ -287,6 +261,38 @@ private async Task SendWithLoggerAsync(HttpListenerContext context, HttpStatusCo
         }
     }
 
+    private async void HandleEventAsync(Memory<byte> payload)
+    {
+        if (_connections.IsEmpty) return;
+
+        _logger.LogSend(payload.Span);
+        foreach (var connection in _connections.Keys)
+        {
+            var identifier = connection.HttpContext.Request.RequestTraceIdentifier;
+            var remote = connection.HttpContext.Request.RemoteEndPoint;
+            var ws = connection.WsContext.WebSocket;
+
+            try
+            {
+                await connection.SendSemaphoreSlim.WaitAsync(connection.Cts.Token);
+                try
+                {
+                    await ws.SendAsync(payload, WebSocketMessageType.Text, true, connection.Cts.Token);
+                }
+                finally
+                {
+                    connection.SendSemaphoreSlim.Release();
+                }
+            }
+            catch (Exception e)
+            {
+                _logger.LogSendException(identifier, remote, e);
+
+                await CloseConnectionAsync(connection, WebSocketCloseStatus.InternalServerError, connection.Cts.Token);
+            }
+        }
+    }
+
     private class ConnectionContext(HttpListenerContext httpContext, WebSocketContext wsContext, CancellationTokenSource cts)
     {
         public HttpListenerContext HttpContext { get; } = httpContext;
@@ -333,9 +339,6 @@ public static void LogSend(this ILogger<MilkyWebSocketEventService> logger, Span
     [LoggerMessage(LogLevel.Error, "{identifier} {remote} <!!> Handle http context failed")]
     public static partial void LogHandleHttpContextException(this ILogger<MilkyWebSocketEventService> logger, Guid identifier, IPEndPoint remote, Exception e);
 
-    [LoggerMessage(LogLevel.Error, "{identifier} {remote} <!!> Upgrade websocket failed")]
-    public static partial void LogUpgradeWebSocketException(this ILogger<MilkyWebSocketEventService> logger, Guid identifier, IPEndPoint remote, Exception e);
-
     [LoggerMessage(LogLevel.Error, "{identifier} {remote} <!!> Validate access token failed")]
     public static partial void LogValidateAccessTokenFailed(this ILogger<MilkyWebSocketEventService> logger, Guid identifier, IPEndPoint remote);
 
