mirror of
https://github.com/azaion/admin.git
synced 2026-06-22 03:01:09 +00:00
[AZ-536] [AZ-537] [AZ-538] Argon2id, login rate limit + lockout, CORS https-only
AZ-536 — replace unsalted SHA-384 password hashing with Argon2id (RFC 9106). Stored as PHC string with 64 MiB / 3 iter / 1 lane defaults; legacy SHA-384 hashes detected by prefix and lazily re-hashed on next successful login. Verify uses CryptographicOperations.FixedTimeEquals on both formats. AZ-537 — add per-IP sliding window rate limit on /login (ASP.NET Core RateLimiter, 10/60s default — production-tight) plus DB-backed per-account limit (5/300s) and consecutive-failure lockout (10 / 15 min) on the users row. Adds a generic audit_events table with INSERT/SELECT-only grants for the app role so the per-account count is queryable and admins cannot erase their own forensic trail. BusinessExceptionHandler maps AccountLocked to 423 and LoginRateLimited to 429, both with Retry-After. AZ-538 — drop the http://admin.azaion.com origin from CORS, gate UseHsts() + UseHttpsRedirection() to non-Development envs (1y / preload). Test infra: Npgsql in the e2e project + a DbHelper for direct DB inspection used by the AZ-536/537 ACs. appsettings.Development.json raises PerIpPermitLimit to 1000 so the suite (~270 logins from one container IP) doesn't false-trip the limiter. Tests: 53 pass + 3 documented skips (per-IP rate limit needs distinct client IPs; HSTS/HTTPS redirect need ASPNETCORE_ENVIRONMENT=Production). Code review: PASS_WITH_WARNINGS — 0 Critical, 0 High, 1 Medium, 3 Low. See _docs/03_implementation/reviews/batch_01_cycle2_review.md. Closes AZ-530 epic batch 1 of 4. Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Oleksandr Bezdieniezhnykh
@@ -0,0 +1,59 @@
|
||||
using Azaion.Common.Database;
|
||||
using Azaion.Common.Entities;
|
||||
using LinqToDB;
|
||||
using Microsoft.AspNetCore.Http;
|
||||
|
||||
namespace Azaion.Services;
|
||||
|
||||
public interface IAuditLog
|
||||
{
|
||||
Task RecordLoginFailed (string email, CancellationToken ct = default);
|
||||
Task RecordLoginLockout(string email, CancellationToken ct = default);
|
||||
Task RecordLoginSuccess(string email, CancellationToken ct = default);
|
||||
|
||||
/// <summary>
|
||||
/// Number of `login_failed` rows for the given email within the last <paramref name="windowSeconds"/>.
|
||||
/// Used by the per-account sliding-window rate limit (AZ-537 AC-2).
|
||||
/// </summary>
|
||||
Task<int> CountRecentFailedLogins(string email, int windowSeconds, CancellationToken ct = default);
|
||||
}
|
||||
|
||||
public class AuditLog(IDbFactory dbFactory, IHttpContextAccessor httpContextAccessor) : IAuditLog
|
||||
{
|
||||
public Task RecordLoginFailed (string email, CancellationToken ct = default)
|
||||
=> Insert(AuditEventTypes.LoginFailed, email, ct);
|
||||
|
||||
public Task RecordLoginLockout(string email, CancellationToken ct = default)
|
||||
=> Insert(AuditEventTypes.LoginLockout, email, ct);
|
||||
|
||||
public Task RecordLoginSuccess(string email, CancellationToken ct = default)
|
||||
=> Insert(AuditEventTypes.LoginSuccess, email, ct);
|
||||
|
||||
public async Task<int> CountRecentFailedLogins(string email, int windowSeconds, CancellationToken ct = default)
|
||||
{
|
||||
var cutoff = DateTime.UtcNow.AddSeconds(-windowSeconds);
|
||||
var normalised = email.ToLowerInvariant();
|
||||
return await dbFactory.Run(async db =>
|
||||
await db.AuditEvents
|
||||
.Where(e => e.EventType == AuditEventTypes.LoginFailed
|
||||
&& e.Email == normalised
|
||||
&& e.OccurredAt >= cutoff)
|
||||
.CountAsync(token: ct));
|
||||
}
|
||||
|
||||
private async Task Insert(string eventType, string email, CancellationToken ct)
|
||||
{
|
||||
var ip = httpContextAccessor.HttpContext?.Connection.RemoteIpAddress?.ToString();
|
||||
var normalised = email.ToLowerInvariant();
|
||||
await dbFactory.RunAdmin(async db =>
|
||||
{
|
||||
await db.InsertAsync(new AuditEvent
|
||||
{
|
||||
EventType = eventType,
|
||||
OccurredAt = DateTime.UtcNow,
|
||||
Email = normalised,
|
||||
Ip = ip
|
||||
}, token: ct);
|
||||
});
|
||||
}
|
||||
}
|
||||
@@ -15,6 +15,7 @@
|
||||
</ItemGroup>
|
||||
|
||||
<ItemGroup>
|
||||
<PackageReference Include="Konscious.Security.Cryptography.Argon2" Version="1.3.1" />
|
||||
<PackageReference Include="LazyCache.AspNetCore" Version="2.4.0" />
|
||||
<PackageReference Include="Newtonsoft.Json" Version="13.0.4" />
|
||||
<PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="7.1.2" />
|
||||
|
||||
+126
-2
@@ -1,10 +1,134 @@
|
||||
using System.Security.Cryptography;
|
||||
using System.Text;
|
||||
using Konscious.Security.Cryptography;
|
||||
|
||||
namespace Azaion.Services;
|
||||
|
||||
// Password hashing — Argon2id (RFC 9106) for new + lazy migration of legacy SHA-384.
|
||||
// Stored format: PHC string `$argon2id$v=19$m=<KiB>,t=<iters>,p=<lanes>$<salt-b64>$<hash-b64>`.
|
||||
// Legacy format: 64-char base64 of unsalted SHA-384 (no `$` prefix). Detected by prefix.
|
||||
//
|
||||
// AZ-536 (Epic AZ-530, CMMC IA.L2-3.5.10).
|
||||
public static class Security
|
||||
{
|
||||
public static string ToHash(this string str) =>
|
||||
Convert.ToBase64String(SHA384.HashData(Encoding.UTF8.GetBytes(str)));
|
||||
// Conservative defaults per RFC 9106 §4. Bump in the future and the verify path
|
||||
// will surface NeedsRehash=true for any hash whose params are weaker.
|
||||
private const int Argon2MemoryKib = 65536; // 64 MiB
|
||||
private const int Argon2Iterations = 3;
|
||||
private const int Argon2Parallelism = 1;
|
||||
private const int SaltLengthBytes = 16; // 128 bits — RFC 9106 recommended minimum
|
||||
private const int HashLengthBytes = 32; // 256 bits
|
||||
private const string PhcPrefix = "$argon2id$";
|
||||
private const int LegacySha384B64Length = 64; // Convert.ToBase64String(48 bytes) == 64 chars
|
||||
|
||||
public sealed record VerifyResult(bool Valid, bool NeedsRehash);
|
||||
|
||||
public static string HashPassword(string plaintext)
|
||||
{
|
||||
if (plaintext == null) throw new ArgumentNullException(nameof(plaintext));
|
||||
|
||||
var salt = RandomNumberGenerator.GetBytes(SaltLengthBytes);
|
||||
var hash = ComputeArgon2id(plaintext, salt, Argon2MemoryKib, Argon2Iterations, Argon2Parallelism);
|
||||
return EncodePhc(Argon2MemoryKib, Argon2Iterations, Argon2Parallelism, salt, hash);
|
||||
}
|
||||
|
||||
public static VerifyResult VerifyPassword(string plaintext, string stored)
|
||||
{
|
||||
if (plaintext == null) throw new ArgumentNullException(nameof(plaintext));
|
||||
if (string.IsNullOrEmpty(stored)) return new VerifyResult(Valid: false, NeedsRehash: false);
|
||||
|
||||
if (stored.StartsWith(PhcPrefix, StringComparison.Ordinal))
|
||||
{
|
||||
if (!TryDecodePhc(stored, out var p))
|
||||
return new VerifyResult(Valid: false, NeedsRehash: false);
|
||||
|
||||
var candidate = ComputeArgon2id(plaintext, p.Salt, p.MemoryKib, p.Iterations, p.Parallelism);
|
||||
var valid = CryptographicOperations.FixedTimeEquals(candidate, p.Hash);
|
||||
// NeedsRehash true if defaults are stronger than the stored params — supports later upgrades.
|
||||
var needsRehash = valid && (p.MemoryKib < Argon2MemoryKib
|
||||
|| p.Iterations < Argon2Iterations
|
||||
|| p.Parallelism < Argon2Parallelism);
|
||||
return new VerifyResult(valid, needsRehash);
|
||||
}
|
||||
|
||||
if (IsLegacySha384(stored))
|
||||
{
|
||||
var legacyHash = SHA384.HashData(Encoding.UTF8.GetBytes(plaintext));
|
||||
var legacyB64Bytes = Encoding.ASCII.GetBytes(Convert.ToBase64String(legacyHash));
|
||||
var storedBytes = Encoding.ASCII.GetBytes(stored);
|
||||
var valid = storedBytes.Length == legacyB64Bytes.Length
|
||||
&& CryptographicOperations.FixedTimeEquals(storedBytes, legacyB64Bytes);
|
||||
return new VerifyResult(valid, NeedsRehash: valid);
|
||||
}
|
||||
|
||||
return new VerifyResult(Valid: false, NeedsRehash: false);
|
||||
}
|
||||
|
||||
private static bool IsLegacySha384(string stored) =>
|
||||
stored.Length == LegacySha384B64Length && !stored.StartsWith('$');
|
||||
|
||||
private static byte[] ComputeArgon2id(string plaintext, byte[] salt, int memoryKib, int iterations, int parallelism)
|
||||
{
|
||||
using var argon = new Argon2id(Encoding.UTF8.GetBytes(plaintext))
|
||||
{
|
||||
Salt = salt,
|
||||
MemorySize = memoryKib,
|
||||
Iterations = iterations,
|
||||
DegreeOfParallelism = parallelism
|
||||
};
|
||||
return argon.GetBytes(HashLengthBytes);
|
||||
}
|
||||
|
||||
private static string EncodePhc(int memoryKib, int iterations, int parallelism, byte[] salt, byte[] hash) =>
|
||||
$"$argon2id$v=19$m={memoryKib},t={iterations},p={parallelism}${ToB64NoPad(salt)}${ToB64NoPad(hash)}";
|
||||
|
||||
private static bool TryDecodePhc(string stored, out PhcParams parsed)
|
||||
{
|
||||
parsed = default!;
|
||||
// $argon2id$v=19$m=65536,t=3,p=1$<salt>$<hash>
|
||||
var parts = stored.Split('$');
|
||||
if (parts.Length != 6) return false;
|
||||
if (parts[1] != "argon2id") return false;
|
||||
if (parts[2] != "v=19") return false;
|
||||
|
||||
var paramFields = parts[3].Split(',');
|
||||
if (paramFields.Length != 3) return false;
|
||||
if (!TryParseKv(paramFields[0], "m", out var m)) return false;
|
||||
if (!TryParseKv(paramFields[1], "t", out var t)) return false;
|
||||
if (!TryParseKv(paramFields[2], "p", out var p)) return false;
|
||||
|
||||
if (!TryFromB64NoPad(parts[4], out var salt)) return false;
|
||||
if (!TryFromB64NoPad(parts[5], out var hash)) return false;
|
||||
|
||||
parsed = new PhcParams(m, t, p, salt, hash);
|
||||
return true;
|
||||
}
|
||||
|
||||
private static bool TryParseKv(string field, string key, out int value)
|
||||
{
|
||||
value = 0;
|
||||
var eq = field.IndexOf('=');
|
||||
if (eq <= 0 || field[..eq] != key) return false;
|
||||
return int.TryParse(field.AsSpan(eq + 1), out value) && value > 0;
|
||||
}
|
||||
|
||||
private static string ToB64NoPad(byte[] bytes) =>
|
||||
Convert.ToBase64String(bytes).TrimEnd('=');
|
||||
|
||||
private static bool TryFromB64NoPad(string s, out byte[] bytes)
|
||||
{
|
||||
var padded = s.Length % 4 == 0 ? s : s + new string('=', 4 - s.Length % 4);
|
||||
try
|
||||
{
|
||||
bytes = Convert.FromBase64String(padded);
|
||||
return true;
|
||||
}
|
||||
catch (FormatException)
|
||||
{
|
||||
bytes = Array.Empty<byte>();
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
private readonly record struct PhcParams(int MemoryKib, int Iterations, int Parallelism, byte[] Salt, byte[] Hash);
|
||||
}
|
||||
|
||||
+115
-12
@@ -1,10 +1,12 @@
|
||||
using System.Security.Cryptography;
|
||||
using Azaion.Common;
|
||||
using Azaion.Common.Configs;
|
||||
using Azaion.Common.Database;
|
||||
using Azaion.Common.Entities;
|
||||
using Azaion.Common.Extensions;
|
||||
using Azaion.Common.Requests;
|
||||
using LinqToDB;
|
||||
using Microsoft.Extensions.Options;
|
||||
using Npgsql;
|
||||
|
||||
namespace Azaion.Services;
|
||||
@@ -22,8 +24,14 @@ public interface IUserService
|
||||
Task RemoveUser(string email, CancellationToken ct = default);
|
||||
}
|
||||
|
||||
public class UserService(IDbFactory dbFactory, ICache cache) : IUserService
|
||||
public class UserService(
|
||||
IDbFactory dbFactory,
|
||||
ICache cache,
|
||||
IAuditLog auditLog,
|
||||
IOptions<AuthConfig> authConfig) : IUserService
|
||||
{
|
||||
private readonly AuthConfig _auth = authConfig.Value;
|
||||
|
||||
private const string DeviceEmailPrefix = "azj-";
|
||||
private const string DeviceEmailDomain = "@azaion.com";
|
||||
private const int SerialNumberStart = 4; // index of NNNN inside "azj-NNNN..." (length of DeviceEmailPrefix)
|
||||
@@ -40,7 +48,7 @@ public class UserService(IDbFactory dbFactory, ICache cache) : IUserService
|
||||
{
|
||||
Id = Guid.NewGuid(),
|
||||
Email = request.Email,
|
||||
PasswordHash = request.Password.ToHash(),
|
||||
PasswordHash = Security.HashPassword(request.Password),
|
||||
Role = request.Role,
|
||||
CreatedAt = DateTime.UtcNow,
|
||||
IsEnabled = true
|
||||
@@ -105,22 +113,117 @@ public class UserService(IDbFactory dbFactory, ICache cache) : IUserService
|
||||
}
|
||||
|
||||
|
||||
public async Task<User> ValidateUser(LoginRequest request, CancellationToken ct = default) =>
|
||||
await dbFactory.Run(async db =>
|
||||
public async Task<User> ValidateUser(LoginRequest request, CancellationToken ct = default)
|
||||
{
|
||||
var user = await dbFactory.Run(async db =>
|
||||
await db.Users.FirstOrDefaultAsync(x => x.Email == request.Email, token: ct));
|
||||
|
||||
if (user == null)
|
||||
throw new BusinessException(ExceptionEnum.NoEmailFound);
|
||||
|
||||
// AZ-537 AC-3 — active lockout takes precedence over the password check; even
|
||||
// a correct password is rejected with 423 Locked until the lockout expires.
|
||||
if (user.LockoutUntil is { } until && until > DateTime.UtcNow)
|
||||
{
|
||||
var user = await db.Users.FirstOrDefaultAsync(x => x.Email == request.Email, token: ct);
|
||||
if (user == null)
|
||||
throw new BusinessException(ExceptionEnum.NoEmailFound);
|
||||
var remaining = (int)Math.Ceiling((until - DateTime.UtcNow).TotalSeconds);
|
||||
throw new BusinessException(ExceptionEnum.AccountLocked, Math.Max(remaining, 1));
|
||||
}
|
||||
|
||||
if (request.Password.ToHash() != user.PasswordHash)
|
||||
throw new BusinessException(ExceptionEnum.WrongPassword);
|
||||
// AZ-537 AC-2 — per-account sliding-window rate limit. Counts only failed
|
||||
// logins in the recent window so legitimate retries after success aren't punished.
|
||||
var recentFailures = await auditLog.CountRecentFailedLogins(
|
||||
user.Email, _auth.RateLimit.PerAccountWindowSeconds, ct);
|
||||
if (recentFailures >= _auth.RateLimit.PerAccountPermitLimit)
|
||||
throw new BusinessException(ExceptionEnum.LoginRateLimited, _auth.RateLimit.PerAccountWindowSeconds);
|
||||
|
||||
if (!user.IsEnabled)
|
||||
throw new BusinessException(ExceptionEnum.UserDisabled);
|
||||
var verify = Security.VerifyPassword(request.Password, user.PasswordHash);
|
||||
if (!verify.Valid)
|
||||
{
|
||||
await RegisterFailedLogin(user, ct);
|
||||
throw new BusinessException(ExceptionEnum.WrongPassword);
|
||||
}
|
||||
|
||||
return user;
|
||||
if (!user.IsEnabled)
|
||||
throw new BusinessException(ExceptionEnum.UserDisabled);
|
||||
|
||||
await RegisterSuccessfulLogin(user, request.Password, verify.NeedsRehash, ct);
|
||||
return user;
|
||||
}
|
||||
|
||||
// Lazy migration of legacy SHA-384 hashes (and future Argon2 param upgrades).
|
||||
// Conditional on the original hash to avoid clobbering a concurrent rehash from
|
||||
// a parallel login of the same account.
|
||||
private async Task RegisterSuccessfulLogin(User user, string plaintext, bool rehash, CancellationToken ct)
|
||||
{
|
||||
var newHash = rehash ? Security.HashPassword(plaintext) : null;
|
||||
var oldHash = user.PasswordHash;
|
||||
|
||||
await dbFactory.RunAdmin(async db =>
|
||||
{
|
||||
if (newHash != null)
|
||||
{
|
||||
await db.Users.UpdateAsync(
|
||||
u => u.Id == user.Id && u.PasswordHash == oldHash,
|
||||
u => new User
|
||||
{
|
||||
PasswordHash = newHash,
|
||||
FailedLoginCount = 0,
|
||||
LockoutUntil = null
|
||||
},
|
||||
token: ct);
|
||||
}
|
||||
else
|
||||
{
|
||||
await db.Users.UpdateAsync(
|
||||
u => u.Id == user.Id,
|
||||
u => new User
|
||||
{
|
||||
FailedLoginCount = 0,
|
||||
LockoutUntil = null
|
||||
},
|
||||
token: ct);
|
||||
}
|
||||
});
|
||||
|
||||
if (newHash != null)
|
||||
user.PasswordHash = newHash;
|
||||
user.FailedLoginCount = 0;
|
||||
user.LockoutUntil = null;
|
||||
cache.Invalidate(User.GetCacheKey(user.Email));
|
||||
|
||||
await auditLog.RecordLoginSuccess(user.Email, ct);
|
||||
}
|
||||
|
||||
private async Task RegisterFailedLogin(User user, CancellationToken ct)
|
||||
{
|
||||
await auditLog.RecordLoginFailed(user.Email, ct);
|
||||
|
||||
var newCount = user.FailedLoginCount + 1;
|
||||
var triggersLock = newCount >= _auth.Lockout.MaxAttempts;
|
||||
DateTime? newLockoutUntil = triggersLock
|
||||
? DateTime.UtcNow.AddSeconds(_auth.Lockout.DurationSeconds)
|
||||
: user.LockoutUntil;
|
||||
|
||||
await dbFactory.RunAdmin(async db =>
|
||||
await db.Users.UpdateAsync(
|
||||
u => u.Id == user.Id,
|
||||
u => new User
|
||||
{
|
||||
FailedLoginCount = newCount,
|
||||
LockoutUntil = newLockoutUntil
|
||||
},
|
||||
token: ct));
|
||||
|
||||
cache.Invalidate(User.GetCacheKey(user.Email));
|
||||
|
||||
if (triggersLock)
|
||||
{
|
||||
await auditLog.RecordLoginLockout(user.Email, ct);
|
||||
// Promote a wrong-password into a lockout response so the caller learns the
|
||||
// account is locked the moment the threshold is crossed.
|
||||
throw new BusinessException(ExceptionEnum.AccountLocked, _auth.Lockout.DurationSeconds);
|
||||
}
|
||||
}
|
||||
|
||||
public async Task UpdateQueueOffsets(string email, UserQueueOffsets queueOffsets, CancellationToken ct = default)
|
||||
{
|
||||
|
||||
Reference in New Issue
Block a user