From fa3b22e7beb1050416a1d34e0145573e46b094ef Mon Sep 17 00:00:00 2001 From: hhvrc Date: Fri, 8 Nov 2024 11:36:51 +0100 Subject: [PATCH] Clean up header and cookie handling + change logout endpoint --- .../Account/Authenticated/Logout.cs | 55 --------- API/Controller/Account/Login.cs | 10 +- API/Controller/Account/LoginV2.cs | 12 +- API/Controller/Account/Logout.cs | 43 +++++++ API/Controller/Sessions/DeleteSessions.cs | 2 +- API/Controller/Sessions/ListSessions.cs | 2 +- API/Services/Session/ISessionService.cs | 14 +-- API/Services/Session/SessionService.cs | 33 +++--- API/Startup.cs | 7 +- .../Handlers/DeviceAuthentication.cs | 14 +-- .../Handlers/LoginSessionAuthentication.cs | 23 ++-- Common/Authentication/OpenShockAuthSchemas.cs | 7 +- Common/Constants/AuthConstants.cs | 9 ++ Common/Errors/AuthResultError.cs | 2 +- Common/Hubs/ShareLinkHub.cs | 13 +- Common/Utils/AuthUtils.cs | 112 ++++++++++++++++++ Cron/DashboardAdminAuth.cs | 12 +- LiveControlGateway/Startup.cs | 7 +- 18 files changed, 231 insertions(+), 146 deletions(-) delete mode 100644 API/Controller/Account/Authenticated/Logout.cs create mode 100644 API/Controller/Account/Logout.cs create mode 100644 Common/Constants/AuthConstants.cs create mode 100644 Common/Utils/AuthUtils.cs diff --git a/API/Controller/Account/Authenticated/Logout.cs b/API/Controller/Account/Authenticated/Logout.cs deleted file mode 100644 index a330362b..00000000 --- a/API/Controller/Account/Authenticated/Logout.cs +++ /dev/null 
@@ -1,55 +0,0 @@ -using Microsoft.AspNetCore.Mvc; -using OpenShock.Common.Authentication.Attributes; -using OpenShock.Common.Authentication.Services; -using OpenShock.Common.Problems; - -namespace OpenShock.API.Controller.Account.Authenticated; - -public sealed partial class AuthenticatedAccountController -{ - [HttpDelete("logout")] - [UserSessionOnly] - [ProducesSlimSuccess] - public async Task Logout( - [FromServices] IUserReferenceService userReferenceService, - [FromServices] ApiConfig apiConfig) - { - var x = userReferenceService.AuthReference; - - if (x == null) throw new Exception("This should not be reachable due to AuthenticatedSession requirement"); - if (!x.Value.IsT0) throw new Exception("This should not be reachable due to the [UserSessionOnly] attribute"); - - var session = x.Value.AsT0; - - await _sessionService.DeleteSession(session); - - var cookieDomainToUse = apiConfig.Frontend.CookieDomain.Split(',').FirstOrDefault(domain => Request.Headers.Host.ToString().EndsWith(domain, StringComparison.OrdinalIgnoreCase)); - if (cookieDomainToUse != null) - { - HttpContext.Response.Cookies.Append("openShockSession", string.Empty, new CookieOptions - { - Expires = DateTimeOffset.FromUnixTimeSeconds(0), - Secure = true, - HttpOnly = true, - SameSite = SameSiteMode.Strict, - Domain = "." + cookieDomainToUse - }); - } - else // Fallback to all domains - { - foreach (var stringValue in apiConfig.Frontend.CookieDomain.Split(',')) - { - HttpContext.Response.Cookies.Append("openShockSession", string.Empty, new CookieOptions - { - Expires = DateTimeOffset.FromUnixTimeSeconds(0), - Secure = true, - HttpOnly = true, - SameSite = SameSiteMode.Strict, - Domain = "." + stringValue - }); - } - } - - return RespondSlimSuccess(); - } -} \ No newline at end of file diff --git a/API/Controller/Account/Login.cs b/API/Controller/Account/Login.cs index 97833227..01f48fa2 100644 --- a/API/Controller/Account/Login.cs +++ b/API/Controller/Account/Login.cs 
@@ -38,16 +38,8 @@ public async Task Login( }, cancellationToken); if (loginAction.IsT1) return Problem(LoginError.InvalidCredentials); - - HttpContext.Response.Cookies.Append("openShockSession", loginAction.AsT0.Value, new CookieOptions - { - Expires = new DateTimeOffset(DateTime.UtcNow.Add(Duration.LoginSessionLifetime)), - Secure = true, - HttpOnly = true, - SameSite = SameSiteMode.Strict, - Domain = "." + cookieDomainToUse - }); + HttpContext.SetSessionKeyCookie(loginAction.AsT0.Value, "." + cookieDomainToUse); return RespondSuccessSimple("Successfully logged in"); } diff --git a/API/Controller/Account/LoginV2.cs b/API/Controller/Account/LoginV2.cs index d0283602..1b083c38 100644 --- a/API/Controller/Account/LoginV2.cs +++ b/API/Controller/Account/LoginV2.cs @@ -45,16 +45,8 @@ public async Task LoginV2( }, cancellationToken); if (loginAction.IsT1) return Problem(LoginError.InvalidCredentials); - - - HttpContext.Response.Cookies.Append("openShockSession", loginAction.AsT0.Value, new CookieOptions - { - Expires = new DateTimeOffset(DateTime.UtcNow.Add(Duration.LoginSessionLifetime)), - Secure = true, - HttpOnly = true, - SameSite = SameSiteMode.Strict, - Domain = "." + cookieDomainToUse - }); + + HttpContext.SetSessionKeyCookie(loginAction.AsT0.Value, "." + cookieDomainToUse); return RespondSuccessSimple("Successfully logged in"); } diff --git a/API/Controller/Account/Logout.cs b/API/Controller/Account/Logout.cs new file mode 100644 index 00000000..d5d49d69 --- /dev/null +++ b/API/Controller/Account/Logout.cs 
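Review bot: Every call site of the new cookie helpers prepends the dot itself, `HttpContext.SetSessionKeyCookie(loginAction.AsT0.Value, "." + cookieDomainToUse);` here, the same line in the LoginV2 hunk, and twice more in the new Logout.cs, so the leading-dot convention is repeated four times instead of living in one place. Either let `SetSessionKeyCookie`/`RemoveSessionKeyCookie` take the bare configured domain and add the prefix once, or document on their `domain` parameter that callers must pass it with the leading dot. Login's body starts outside the hunk, so the `cookieDomainToUse` computation is not visible here.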
@@ -0,0 +1,43 @@ +using Asp.Versioning; +using Microsoft.AspNetCore.Mvc; +using OpenShock.API.Services.Session; +using OpenShock.Common.Authentication.Attributes; +using OpenShock.Common.Authentication.Services; +using OpenShock.Common.Problems; +using OpenShock.Common.Utils; + +namespace OpenShock.API.Controller.Account; + +public sealed partial class AccountController +{ + [HttpPost("logout")] + [ProducesSlimSuccess] + [MapToApiVersion("1")] + public async Task Logout( + [FromServices] ISessionService sessionService, + [FromServices] ApiConfig apiConfig) + { + // Remove session if valid + if (HttpContext.TryGetSessionKey(out var sessionKey)) + { + await sessionService.DeleteSessionById(sessionKey); + } + + // Make sure cookie is removed, no matter if authenticated or not + var cookieDomainToUse = apiConfig.Frontend.CookieDomain.Split(',').FirstOrDefault(domain => Request.Headers.Host.ToString().EndsWith(domain, StringComparison.OrdinalIgnoreCase)); + if (cookieDomainToUse != null) + { + HttpContext.RemoveSessionKeyCookie("." + cookieDomainToUse); + } + else // Fallback to all domains + { + foreach (var domain in apiConfig.Frontend.CookieDomain.Split(',')) + { + HttpContext.RemoveSessionKeyCookie("." + domain); + } + } + + // its always a success, logout endpoints should be idempotent + return RespondSlimSuccess(); + } +} \ No newline at end of file diff --git a/API/Controller/Sessions/DeleteSessions.cs b/API/Controller/Sessions/DeleteSessions.cs index 9fff4ea1..a84260a3 100644 --- a/API/Controller/Sessions/DeleteSessions.cs +++ b/API/Controller/Sessions/DeleteSessions.cs 
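Review bot: `Logout` is a public action without an XML doc comment, while Startup feeds `OpenShock.API.xml` into Swagger, so it will show up undocumented; add `/// <summary>Deletes the caller's login session (taken from the session cookie or the OpenShockSession header) and expires the session cookie. Always succeeds so the call is idempotent.</summary>`. The cookie-domain lookup compares `Request.Headers.Host.ToString()`, the raw header value, which carries a `:port` suffix when the client sent one; `EndsWith(domain, …)` then misses and the fallback clears every configured domain, whereas `Request.Host.Host` yields the host name without the port. That lookup also looks like a copy of what Login/LoginV2 do outside their hunks (the deleted Authenticated/Logout.cs had the identical lambda), so it is a candidate for a shared helper beside the new `AuthUtils` extensions.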
@@ -13,7 +13,7 @@ public sealed partial class SessionsController [ProducesProblem(HttpStatusCode.NotFound, "SessionNotFound")] public async Task DeleteSession(Guid sessionId) { - var loginSession = await _sessionService.GetSession(sessionId); + var loginSession = await _sessionService.GetSessionByPulbicId(sessionId); // If the session was not found, or the user does not have the privledges to access it, return NotFound if (loginSession == null || !CurrentUser.IsUserOrRank(loginSession.UserId, RankType.Admin)) diff --git a/API/Controller/Sessions/ListSessions.cs b/API/Controller/Sessions/ListSessions.cs index 85887e66..9a78667e 100644 --- a/API/Controller/Sessions/ListSessions.cs +++ b/API/Controller/Sessions/ListSessions.cs @@ -10,7 +10,7 @@ public sealed partial class SessionsController [ProducesSlimSuccess>] public async Task> ListSessions() { - var sessions = await _sessionService.ListSessions(CurrentUser.DbUser.Id); + var sessions = await _sessionService.ListSessionsByUserId(CurrentUser.DbUser.Id); return sessions.Select(LoginSessionResponse.MapFrom); } diff --git a/API/Services/Session/ISessionService.cs b/API/Services/Session/ISessionService.cs index f287a6c7..63f88448 100644 --- a/API/Services/Session/ISessionService.cs +++ b/API/Services/Session/ISessionService.cs @@ -1,16 +1,16 @@ -using OneOf; -using OneOf.Types; -using OpenShock.API.Models.Response; -using OpenShock.Common.Redis; +using OpenShock.Common.Redis; namespace OpenShock.API.Services.Session; public interface ISessionService { - public Task> ListSessions(Guid userId); + public Task> ListSessionsByUserId(Guid userId); - public Task GetSession(Guid sessionId); + public Task GetSessionByPulbicId(Guid publicSessionId); + + public Task DeleteSessionById(string sessionId); + + public Task DeleteSessionByPublicId(Guid publicSessionId); - public Task DeleteSession(Guid sessionId); public Task DeleteSession(LoginSession loginSession); } \ No newline at end of file 
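Review bot: `GetSessionByPulbicId` misspells "Public" in the interface, and the typo is carried into SessionService.cs and the DeleteSessions.cs call site in this same commit; `GetSessionByPublicId` is consistent with the sibling `DeleteSessionByPublicId`. Renaming now is cheap, later it is a breaking interface change. The interface methods also have no XML doc comments; the distinction between `Id` (the key the client sends in the cookie or header, judging by the new Logout endpoint) and `PublicId` (the Guid exposed through the sessions controller) is exactly what a one-line `<summary>` per method should state.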
diff --git a/API/Services/Session/SessionService.cs b/API/Services/Session/SessionService.cs index bb06b7bf..085fb5ed 100644 --- a/API/Services/Session/SessionService.cs +++ b/API/Services/Session/SessionService.cs @@ -1,9 +1,5 @@ -using OneOf; -using OneOf.Types; -using OpenShock.API.Models.Response; -using OpenShock.Common; +using Microsoft.EntityFrameworkCore; using OpenShock.Common.Authentication.Handlers; -using OpenShock.Common.OpenShockDb; using OpenShock.Common.Redis; using Redis.OM; using Redis.OM.Contracts; 
@@ -27,33 +23,36 @@ public SessionService(IRedisConnectionProvider redisConnectionProvider) _loginSessions = redisConnectionProvider.RedisCollection(); } - public async Task> ListSessions(Guid userId) + public async Task> ListSessionsByUserId(Guid userId) { var sessions = await _loginSessions.Where(x => x.UserId == userId).ToListAsync(); var needsSave = false; foreach (var session in sessions) { - if(LoginSessionAuthentication.UpdateOlderLoginSessions(session)) needsSave = true; + if (LoginSessionAuthentication.UpdateOlderLoginSessions(session)) needsSave = true; } - if(needsSave) await _loginSessions.SaveAsync(); - + if (needsSave) await _loginSessions.SaveAsync(); + return sessions; } - public async Task GetSession(Guid sessionId) + public async Task GetSessionByPulbicId(Guid publicSessionId) { - return await _loginSessions.Where(x => x.PublicId == sessionId) + return await _loginSessions.Where(x => x.PublicId == publicSessionId) .FirstOrDefaultAsync(); } - public async Task DeleteSession(Guid sessionId) + public async Task DeleteSessionById(string sessionId) + { + int affected = await _loginSessions.Where(x => x.Id == sessionId).ExecuteDeleteAsync(); + return affected > 0; + } + + public async Task DeleteSessionByPublicId(Guid publicSessionId) { - var session = await GetSession(sessionId); - if (session == null) return false; - - await _loginSessions.DeleteAsync(session); - return true; + int affected = await _loginSessions.Where(x => x.PublicId == publicSessionId).ExecuteDeleteAsync(); + return affected > 0; } public async Task DeleteSession(LoginSession loginSession) diff --git a/API/Startup.cs b/API/Startup.cs index cdbd10f0..a28af1a3 100644 --- a/API/Startup.cs +++ b/API/Startup.cs 
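Review bot: `DeleteSessionById` and `DeleteSessionByPublicId` call `ExecuteDeleteAsync()` on `_loginSessions`, a Redis.OM collection, and the previous hunk adds `using Microsoft.EntityFrameworkCore;` to this file, which suggests the call binds to EF Core's bulk-delete extension. That extension requires an EF query provider and throws `InvalidOperationException` on any other `IQueryable`; unless Redis.OM ships its own `ExecuteDeleteAsync` (worth confirming), the new Logout endpoint would fail before it reaches the cookie removal, returning an error and leaving the session key valid server-side. A fetch-then-delete through the collection's own `DeleteAsync`, as the removed `DeleteSession(Guid)` did, stays within Redis.OM.
```csharp
public async Task<bool> DeleteSessionById(string sessionId)
{
    var session = await _loginSessions.Where(x => x.Id == sessionId).FirstOrDefaultAsync();
    if (session is null) return false;

    await _loginSessions.DeleteAsync(session);
    return true;
}

public async Task<bool> DeleteSessionByPublicId(Guid publicSessionId)
{
    var session = await _loginSessions.Where(x => x.PublicId == publicSessionId).FirstOrDefaultAsync();
    if (session is null) return false;

    await _loginSessions.DeleteAsync(session);
    return true;
}
// … unchanged: ListSessionsByUserId, GetSessionByPulbicId, DeleteSession(LoginSession) …
```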
@@ -22,6 +22,7 @@ using OpenShock.Common.Authentication; using OpenShock.Common.Authentication.Handlers; using OpenShock.Common.Authentication.Services; +using OpenShock.Common.Constants; using OpenShock.Common.DataAnnotations; using OpenShock.Common.ExceptionHandle; using OpenShock.Common.Hubs; @@ -245,9 +246,9 @@ public void ConfigureServices(IServiceCollection services) options.ParameterFilter(); options.OperationFilter(); options.IncludeXmlComments(Path.Combine(AppContext.BaseDirectory, "OpenShock.API.xml"), true); - options.AddSecurityDefinition("OpenShockToken", new OpenApiSecurityScheme + options.AddSecurityDefinition(AuthConstants.AuthTokenHeaderName, new OpenApiSecurityScheme { - Name = "OpenShockToken", + Name = AuthConstants.AuthTokenHeaderName, Type = SecuritySchemeType.ApiKey, Scheme = "ApiKeyAuth", In = ParameterLocation.Header, @@ -261,7 +262,7 @@ public void ConfigureServices(IServiceCollection services) Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, - Id = "OpenShockToken" + Id = AuthConstants.AuthTokenHeaderName } }, Array.Empty() diff --git a/Common/Authentication/Handlers/DeviceAuthentication.cs b/Common/Authentication/Handlers/DeviceAuthentication.cs index 12e8ec80..dc5b1609 100644 --- a/Common/Authentication/Handlers/DeviceAuthentication.cs +++ b/Common/Authentication/Handlers/DeviceAuthentication.cs @@ -9,6 +9,7 @@ using OpenShock.Common.Errors; using OpenShock.Common.OpenShockDb; using OpenShock.Common.Problems; +using OpenShock.Common.Utils; namespace OpenShock.Common.Authentication.Handlers; 
@@ -40,19 +41,10 @@ public DeviceAuthentication( protected override async Task HandleAuthenticateAsync() { - string sessionKey; - - if (Context.Request.Headers.TryGetValue("DeviceToken", out var sessionKeyHeader) && - !string.IsNullOrEmpty(sessionKeyHeader)) - { - sessionKey = sessionKeyHeader!; - } - else if (Context.Request.Headers.TryGetValue("Device-Token", out var sessionKeyHeader2) && - !string.IsNullOrEmpty(sessionKeyHeader2)) + if (!Context.TryGetDeviceTokenFromHeader(out string? sessionKey)) { - sessionKey = sessionKeyHeader2!; + return Fail(AuthResultError.CookieOrHeaderMissingOrInvalid); } - else return Fail(AuthResultError.HeaderMissingOrInvalid); var device = await _db.Devices.Where(x => x.Token == sessionKey).FirstOrDefaultAsync(); if (device == null) return Fail(AuthResultError.TokenInvalid); diff --git a/Common/Authentication/Handlers/LoginSessionAuthentication.cs b/Common/Authentication/Handlers/LoginSessionAuthentication.cs index 4a179b53..e30fba24 100644 --- a/Common/Authentication/Handlers/LoginSessionAuthentication.cs +++ b/Common/Authentication/Handlers/LoginSessionAuthentication.cs 
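Review bot: The local receiving the device token is still named `sessionKey` (`out string? sessionKey`, then `x.Token == sessionKey`), which now reads as if it held a login session key; `deviceToken` matches the helper `TryGetDeviceTokenFromHeader`. The failure also reports `CookieOrHeaderMissingOrInvalid`, whose title mentions a cookie, although this handler reads only the `DeviceToken`/`Device-Token` headers; either keep a header-only error for device auth or add `// No cookie path for devices; shared error kept so clients see one auth error shape.` if the shared error is deliberate. HandleAuthenticateAsync continues past the hunk.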
@@ -50,20 +50,17 @@ public LoginSessionAuthentication( protected override Task HandleAuthenticateAsync() { - if ((Context.Request.Headers.TryGetValue("OpenShockToken", out var tokenHeaderO) || Context.Request.Headers.TryGetValue("Open-Shock-Token", out tokenHeaderO)) && - !string.IsNullOrEmpty(tokenHeaderO)) return TokenAuth(tokenHeaderO!); - - if (Context.Request.Headers.TryGetValue("OpenShockSession", out var sessionKeyHeader) && - !string.IsNullOrEmpty(sessionKeyHeader)) return SessionAuth(sessionKeyHeader!); - - if (Context.Request.Cookies.TryGetValue("openShockSession", out var accessKeyCookie) && - !string.IsNullOrEmpty(accessKeyCookie)) return SessionAuth(accessKeyCookie); - - // Legacy to not break current applications - if (Context.Request.Headers.TryGetValue("ShockLinkToken", out var tokenHeader) && - !string.IsNullOrEmpty(tokenHeader)) return TokenAuth(tokenHeader!); + if (Context.TryGetSessionKey(out var sessionKey)) + { + return SessionAuth(sessionKey); + } + + if (Context.TryGetAuthTokenFromHeader(out var token)) + { + return TokenAuth(token); + } - return Task.FromResult(Fail(AuthResultError.HeaderMissingOrInvalid)); + return Task.FromResult(Fail(AuthResultError.CookieOrHeaderMissingOrInvalid)); } private async Task TokenAuth(string token) diff --git a/Common/Authentication/OpenShockAuthSchemas.cs b/Common/Authentication/OpenShockAuthSchemas.cs index 5a32e1f0..8328f9c6 100644 --- a/Common/Authentication/OpenShockAuthSchemas.cs +++ b/Common/Authentication/OpenShockAuthSchemas.cs @@ -1,7 +1,12 @@ -namespace OpenShock.Common.Authentication; +using OpenShock.Common.Constants; + +namespace OpenShock.Common.Authentication; public static class OpenShockAuthSchemas { + // TODO: What is this for? public const string SessionTokenCombo = "session-token-combo"; + + /// TODO: Replace this with ? public const string DeviceToken = "device-token"; } \ No newline at end of file 
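Review bot: The credential precedence changes in this hunk: the old code tried the `OpenShockToken`/`Open-Shock-Token` headers first, then the `OpenShockSession` header, then the cookie, then `ShockLinkToken`, whereas the new code resolves a session first (cookie before header, per `TryGetSessionKey`) and returns `SessionAuth(sessionKey)` without falling through. A request carrying a valid API token together with a leftover `openShockSession` cookie, which previously authenticated via the token, now gets whatever `SessionAuth` returns for that cookie. If this is intended, say so above the first `if`, e.g. `// Session credentials win over API tokens; a present-but-invalid session is not retried as a token.`; otherwise call `TryGetAuthTokenFromHeader` before `TryGetSessionKey` to keep the old order. The cookie's `SameSite=Strict` narrows cross-site cases, but same-site browser-based API clients can still carry such a cookie.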
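Review bot: The added `using OpenShock.Common.Constants;` in OpenShockAuthSchemas.cs is not referenced by anything visible in the file, since the only other additions are two TODO comments, so it is either dead or belongs to a change that did not land. `/// TODO: Replace this with ?` is a triple-slash comment and therefore becomes part of the generated XML documentation for `DeviceToken`; use `//` for the TODO, and if a `<see cref=…/>` target was meant (it appears to have been lost in rendering), name it explicitly. `// TODO: What is this for?` should be answered before merge rather than committed as a question.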
diff --git a/Common/Constants/AuthConstants.cs b/Common/Constants/AuthConstants.cs new file mode 100644 index 00000000..0215b079 --- /dev/null +++ b/Common/Constants/AuthConstants.cs @@ -0,0 +1,9 @@ +namespace OpenShock.Common.Constants; + +public static class AuthConstants +{ + public const string SessionCookieName = "openShockSession"; + public const string SessionHeaderName = "OpenShockSession"; + public const string AuthTokenHeaderName = "OpenShockToken"; + public const string DeviceAuthTokenHeaderName = "DeviceToken"; +} diff --git a/Common/Errors/AuthResultError.cs b/Common/Errors/AuthResultError.cs index 4467d30e..1be2dfa5 100644 --- a/Common/Errors/AuthResultError.cs +++ b/Common/Errors/AuthResultError.cs @@ -6,7 +6,7 @@ namespace OpenShock.Common.Errors; public static class AuthResultError { public static OpenShockProblem UnknownError => new("Authentication.UnknownError", "An unknown error occurred.", HttpStatusCode.InternalServerError); - public static OpenShockProblem HeaderMissingOrInvalid => new("Authentication.HeaderMissingOrInvalid", "Missing a required header or it is invalid.", HttpStatusCode.Unauthorized); + public static OpenShockProblem CookieOrHeaderMissingOrInvalid => new("Authentication.HeaderMissingOrInvalid", "Missing a required authentication cookie or header or it is invalid.", HttpStatusCode.Unauthorized); public static OpenShockProblem SessionInvalid => new("Authentication.SessionInvalid", "The session is invalid", HttpStatusCode.Unauthorized); public static OpenShockProblem TokenInvalid => new("Authentication.TokenInvalid", "The token is invalid", HttpStatusCode.Unauthorized); diff --git a/Common/Hubs/ShareLinkHub.cs b/Common/Hubs/ShareLinkHub.cs index 839db2bb..577c646a 100644 --- a/Common/Hubs/ShareLinkHub.cs +++ b/Common/Hubs/ShareLinkHub.cs 
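Review bot: `AuthConstants` centralises four names, but the legacy aliases stay as literals in AuthUtils (`"Open-Shock-Token"`, `"ShockLinkToken"`, `"Device-Token"`), so the set of accepted header names is now split across two files. Adding the legacy names here as well (for example a `LegacyAuthTokenHeaderNames` array) keeps every accepted name in one place and lets both Startup files' Swagger security definitions refer to the same source. Each constant should also get a `/// <summary>` saying where it is read from (cookie vs. request header) and whether it is the canonical or a legacy name.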
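Review bot: In AuthResultError.cs the property is renamed to `CookieOrHeaderMissingOrInvalid` but the problem type string stays `"Authentication.HeaderMissingOrInvalid"`, so clients matching on the type see no change while the C# name suggests one. If the string is kept deliberately for client compatibility, record that inline: `// Type string kept as "HeaderMissingOrInvalid" for client compatibility; only the title wording changed.` If not deliberate, the two should agree.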
@@ -54,17 +54,10 @@ public override async Task OnConnectedAsync() } GenericIni? user = null; - - if (httpContext.Request.Cookies.TryGetValue("openShockSession", out var accessKeyCookie) && - !string.IsNullOrEmpty(accessKeyCookie)) - { - user = await SessionAuth(accessKeyCookie); - } - - if (httpContext.Request.Headers.TryGetValue("OpenShockSession", out var sessionKeyHeader) && - !string.IsNullOrEmpty(sessionKeyHeader)) + + if (httpContext.TryGetSessionKey(out var sessionKey)) { - user = await SessionAuth(sessionKeyHeader!); + user = await SessionAuth(sessionKey); } // TODO: Add token auth diff --git a/Common/Utils/AuthUtils.cs b/Common/Utils/AuthUtils.cs new file mode 100644 index 00000000..b7e74320 --- /dev/null +++ b/Common/Utils/AuthUtils.cs 
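Review bot: Precedence flips in this hunk: before, a result from the cookie was overwritten by the `OpenShockSession` header when both were present, while `TryGetSessionKey` returns the cookie first and never consults the header once a cookie exists. A SignalR client that sends the header to override a browser cookie would now be authenticated as the cookie's user instead. If cookie-first is the intended rule, note it at the call, e.g. `// Cookie takes precedence over the OpenShockSession header (was header-first).`; otherwise call `TryGetSessionAuthFromHeader` before the cookie lookup. `OnConnectedAsync` starts and ends outside the hunk.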
@@ -0,0 +1,112 @@ +using OpenShock.Common.Constants; +using System.Diagnostics.CodeAnalysis; + +namespace OpenShock.Common.Utils; + +public static class AuthUtils +{ + private static readonly string[] TokenHeaderNames = [ + AuthConstants.AuthTokenHeaderName, + "Open-Shock-Token", + "ShockLinkToken" + ]; + private static readonly string[] DeviceTokenHeaderNames = [ + AuthConstants.DeviceAuthTokenHeaderName, + "Device-Token" + ]; + + public static void SetSessionKeyCookie(this HttpContext context, string sessionKey, string domain) + { + context.Response.Cookies.Append(AuthConstants.SessionCookieName, sessionKey, new CookieOptions + { + Expires = new DateTimeOffset(DateTime.UtcNow.Add(Duration.LoginSessionLifetime)), + Secure = true, + HttpOnly = true, + SameSite = SameSiteMode.Strict, + Domain = domain + }); + } + + public static void RemoveSessionKeyCookie(this HttpContext context, string domain) + { + context.Response.Cookies.Append(AuthConstants.SessionCookieName, string.Empty, new CookieOptions + { + Expires = DateTime.Now.AddDays(-1), + Secure = true, + HttpOnly = true, + SameSite = SameSiteMode.Strict, + Domain = domain + }); + } + + public static bool TryGetSessionKeyFromCookie(this HttpContext context, [NotNullWhen(true)] out string? sessionKey) + { + if (context.Request.Cookies.TryGetValue(AuthConstants.SessionCookieName, out sessionKey) && !string.IsNullOrEmpty(sessionKey)) + { + return true; + } + + sessionKey = null; + + return false; + } + + public static bool TryGetSessionAuthFromHeader(this HttpContext context, [NotNullWhen(true)] out string? sessionKey) + { + if (context.Request.Headers.TryGetValue(AuthConstants.SessionHeaderName, out var value) && !string.IsNullOrEmpty(value)) + { + sessionKey = value!; + + return true; + } + + sessionKey = null; + + return false; + } + + public static bool TryGetSessionKey(this HttpContext context, [NotNullWhen(true)] out string? 
sessionKey) + { + if (TryGetSessionKeyFromCookie(context, out sessionKey)) return true; + if (TryGetSessionAuthFromHeader(context, out sessionKey)) return true; + + sessionKey = null; + + return false; + } + + public static bool TryGetAuthTokenFromHeader(this HttpContext context, [NotNullWhen(true)] out string? token) + { + foreach (string header in TokenHeaderNames) + { + if (context.Request.Headers.TryGetValue(header, out var value) && !string.IsNullOrEmpty(value)) + { + token = value!; + + return true; + } + } + + token = null; + + return false; + } + + public static bool TryGetDeviceTokenFromHeader(this HttpContext context, [NotNullWhen(true)] out string? token) + { + foreach (string header in DeviceTokenHeaderNames) + { + if (context.Request.Headers.TryGetValue(header, out var value) && !string.IsNullOrEmpty(value)) + { + token = value!; + + return true; + } + } + + token = null; + + return false; + } + +} diff --git a/Cron/DashboardAdminAuth.cs b/Cron/DashboardAdminAuth.cs index 4fcdd87f..6fa03c7b 100644 --- a/Cron/DashboardAdminAuth.cs +++ b/Cron/DashboardAdminAuth.cs @@ -3,6 +3,7 @@ using OpenShock.Common.Models; using OpenShock.Common.OpenShockDb; using OpenShock.Common.Redis; +using OpenShock.Common.Utils; using Redis.OM.Contracts; using Redis.OM.Searching; 
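Review bot: `RemoveSessionKeyCookie` expires the cookie with `DateTime.Now.AddDays(-1)`, a local-time value converted to `DateTimeOffset` with the server's zone offset; the deleted Logout used the Unix epoch, and `Expires = DateTimeOffset.UnixEpoch,` (or `context.Response.Cookies.Delete(AuthConstants.SessionCookieName, options)`, which sets the same expiry) is the unambiguous form. `TryGetSessionAuthFromHeader` breaks the naming pattern of its siblings `TryGetSessionKeyFromCookie` and `TryGetSessionKey`; `TryGetSessionKeyFromHeader` would read consistently. None of the public extension methods carries an XML doc comment; at minimum `TryGetSessionKey` should state that the cookie is checked before the `OpenShockSession` header, and the two token helpers that header names are probed in `TokenHeaderNames`/`DeviceTokenHeaderNames` array order, because every caller's credential precedence now depends on those orders.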
@@ -17,11 +18,14 @@ public async Task AuthorizeAsync(DashboardContext context) var redis = httpContext.RequestServices.GetRequiredService(); var userSessions = redis.RedisCollection(false); var db = httpContext.RequestServices.GetRequiredService(); - - if (httpContext.Request.Cookies.TryGetValue("openShockSession", out var sessionKeyCookie) && - !string.IsNullOrEmpty(sessionKeyCookie)) - if (await SessionAuthAdmin(sessionKeyCookie!, userSessions, db)) + + if (httpContext.TryGetSessionKeyFromCookie(out var sessionKeyCookie)) + { + if (await SessionAuthAdmin(sessionKeyCookie, userSessions, db)) + { return true; + } + } await context.Response.WriteAsync("Unauthorized, you need to be authenticated as admin to access this page."); diff --git a/LiveControlGateway/Startup.cs b/LiveControlGateway/Startup.cs index 18de17c7..71174eb4 100644 --- a/LiveControlGateway/Startup.cs +++ b/LiveControlGateway/Startup.cs @@ -15,6 +15,7 @@ using OpenShock.Common.Authentication; using OpenShock.Common.Authentication.Handlers; using OpenShock.Common.Authentication.Services; +using OpenShock.Common.Constants; using OpenShock.Common.ExceptionHandle; using OpenShock.Common.JsonSerialization; using OpenShock.Common.Models; @@ -201,9 +202,9 @@ public void ConfigureServices(IServiceCollection services) options.ParameterFilter(); options.OperationFilter(); options.IncludeXmlComments(Path.Combine(AppContext.BaseDirectory, "OpenShock.LiveControlGateway.xml")); - options.AddSecurityDefinition("OpenShockToken", new OpenApiSecurityScheme + options.AddSecurityDefinition(AuthConstants.AuthTokenHeaderName, new OpenApiSecurityScheme { - Name = "OpenShockToken", + Name = AuthConstants.AuthTokenHeaderName, Type = SecuritySchemeType.ApiKey, Scheme = "ApiKeyAuth", In = ParameterLocation.Header, 
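Review bot: The two nested `if` blocks collapse to a single guard, `if (httpContext.TryGetSessionKeyFromCookie(out var sessionKey) && await SessionAuthAdmin(sessionKey, userSessions, db)) return true;`, which is also easier to scan than four brace lines for one condition. The local is still named `sessionKeyCookie` although it now holds the extracted key rather than the cookie; `sessionKey` aligns it with LoginSessionAuthentication. This handler reads only the cookie and not the `OpenShockSession` header, unlike the API handlers in this commit, which deserves a one-line comment if intentional. `AuthorizeAsync` continues outside the hunk.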
@@ -217,7 +218,7 @@ public void ConfigureServices(IServiceCollection services) Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, - Id = "OpenShockToken" + Id = AuthConstants.AuthTokenHeaderName } }, Array.Empty()