azaion/admin
1
0
Fork 0
mirror of https://github.com/azaion/admin.git synced 2026-06-21 22:51:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

[AZ-536] [AZ-537] [AZ-538] Argon2id, login rate limit + lockout, CORS https-only
ci/woodpecker/push/01-test Pipeline failed
Details
ci/woodpecker/push/02-build-push unknown status
Details

Browse Source 
AZ-536 — replace unsalted SHA-384 password hashing with Argon2id (RFC 9106).
Stored as PHC string with 64 MiB / 3 iter / 1 lane defaults; legacy SHA-384
hashes detected by prefix and lazily re-hashed on next successful login.
Verify uses CryptographicOperations.FixedTimeEquals on both formats.

AZ-537 — add per-IP sliding window rate limit on /login (ASP.NET Core
RateLimiter, 10/60s default — production-tight) plus DB-backed per-account
limit (5/300s) and consecutive-failure lockout (10 / 15 min) on the users
row. Adds a generic audit_events table with INSERT/SELECT-only grants for
the app role so the per-account count is queryable and admins cannot erase
their own forensic trail. BusinessExceptionHandler maps AccountLocked to
423 and LoginRateLimited to 429, both with Retry-After.

AZ-538 — drop the http://admin.azaion.com origin from CORS, gate
UseHsts() + UseHttpsRedirection() to non-Development envs (1y / preload).

Test infra: Npgsql in the e2e project + a DbHelper for direct DB
inspection used by the AZ-536/537 ACs. appsettings.Development.json
raises PerIpPermitLimit to 1000 so the suite (~270 logins from one
container IP) doesn't false-trip the limiter.

Tests: 53 pass + 3 documented skips (per-IP rate limit needs distinct
client IPs; HSTS/HTTPS redirect need ASPNETCORE_ENVIRONMENT=Production).

Code review: PASS_WITH_WARNINGS — 0 Critical, 0 High, 1 Medium, 3 Low.
See _docs/03_implementation/reviews/batch_01_cycle2_review.md.

Closes AZ-530 epic batch 1 of 4.

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Oleksandr Bezdieniezhnykh
2026-05-14 04:52:31 +03:00
parent 9679b5636f
commit 491993f9c1
31 changed files with 1327 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Azaion.Services/UserService.cs
+115 -12
View File
@@ -1,10 +1,12 @@
using System.Security.Cryptography;
using Azaion.Common;
using Azaion.Common.Configs;
using Azaion.Common.Database;
using Azaion.Common.Entities;
using Azaion.Common.Extensions;
using Azaion.Common.Requests;
using LinqToDB;
using Microsoft.Extensions.Options;
using Npgsql;
namespace Azaion.Services;
@@ -22,8 +24,14 @@ public interface IUserService
Task RemoveUser(string email, CancellationToken ct = default);
}
public class UserService(IDbFactory dbFactory, ICache cache) : IUserService
public class UserService(
IDbFactory dbFactory,
ICache cache,
IAuditLog auditLog,
IOptions<AuthConfig> authConfig) : IUserService
{
private readonly AuthConfig _auth = authConfig.Value;
private const string DeviceEmailPrefix = "azj-";
private const string DeviceEmailDomain = "@azaion.com";
private const int SerialNumberStart = 4; // index of NNNN inside "azj-NNNN..." (length of DeviceEmailPrefix)
@@ -40,7 +48,7 @@ public class UserService(IDbFactory dbFactory, ICache cache) : IUserService
{
Id = Guid.NewGuid(),
Email = request.Email,
PasswordHash = request.Password.ToHash(),
PasswordHash = Security.HashPassword(request.Password),
Role = request.Role,
CreatedAt = DateTime.UtcNow,
IsEnabled = true
@@ -105,22 +113,117 @@ public class UserService(IDbFactory dbFactory, ICache cache) : IUserService
}
public async Task<User> ValidateUser(LoginRequest request, CancellationToken ct = default) =>
await dbFactory.Run(async db =>
public async Task<User> ValidateUser(LoginRequest request, CancellationToken ct = default)
{
var user = await dbFactory.Run(async db =>
await db.Users.FirstOrDefaultAsync(x => x.Email == request.Email, token: ct));
if (user == null)
throw new BusinessException(ExceptionEnum.NoEmailFound);
// AZ-537 AC-3 — active lockout takes precedence over the password check; even
// a correct password is rejected with 423 Locked until the lockout expires.
if (user.LockoutUntil is { } until && until > DateTime.UtcNow)
{
var user = await db.Users.FirstOrDefaultAsync(x => x.Email == request.Email, token: ct);
if (user == null)
throw new BusinessException(ExceptionEnum.NoEmailFound);
var remaining = (int)Math.Ceiling((until - DateTime.UtcNow).TotalSeconds);
throw new BusinessException(ExceptionEnum.AccountLocked, Math.Max(remaining, 1));
}
if (request.Password.ToHash() != user.PasswordHash)
throw new BusinessException(ExceptionEnum.WrongPassword);
// AZ-537 AC-2 — per-account sliding-window rate limit. Counts only failed
// logins in the recent window so legitimate retries after success aren't punished.
var recentFailures = await auditLog.CountRecentFailedLogins(
user.Email, _auth.RateLimit.PerAccountWindowSeconds, ct);
if (recentFailures >= _auth.RateLimit.PerAccountPermitLimit)
throw new BusinessException(ExceptionEnum.LoginRateLimited, _auth.RateLimit.PerAccountWindowSeconds);
if (!user.IsEnabled)
throw new BusinessException(ExceptionEnum.UserDisabled);
var verify = Security.VerifyPassword(request.Password, user.PasswordHash);
if (!verify.Valid)
{
await RegisterFailedLogin(user, ct);
throw new BusinessException(ExceptionEnum.WrongPassword);
}
return user;
if (!user.IsEnabled)
throw new BusinessException(ExceptionEnum.UserDisabled);
await RegisterSuccessfulLogin(user, request.Password, verify.NeedsRehash, ct);
return user;
}
// Lazy migration of legacy SHA-384 hashes (and future Argon2 param upgrades).
// Conditional on the original hash to avoid clobbering a concurrent rehash from
// a parallel login of the same account.
private async Task RegisterSuccessfulLogin(User user, string plaintext, bool rehash, CancellationToken ct)
{
var newHash = rehash ? Security.HashPassword(plaintext) : null;
var oldHash = user.PasswordHash;
await dbFactory.RunAdmin(async db =>
{
if (newHash != null)
{
await db.Users.UpdateAsync(
u => u.Id == user.Id && u.PasswordHash == oldHash,
u => new User
{
PasswordHash = newHash,
FailedLoginCount = 0,
LockoutUntil = null
},
token: ct);
}
else
{
await db.Users.UpdateAsync(
u => u.Id == user.Id,
u => new User
{
FailedLoginCount = 0,
LockoutUntil = null
},
token: ct);
}
});
if (newHash != null)
user.PasswordHash = newHash;
user.FailedLoginCount = 0;
user.LockoutUntil = null;
cache.Invalidate(User.GetCacheKey(user.Email));
await auditLog.RecordLoginSuccess(user.Email, ct);
}
private async Task RegisterFailedLogin(User user, CancellationToken ct)
{
await auditLog.RecordLoginFailed(user.Email, ct);
var newCount = user.FailedLoginCount + 1;
var triggersLock = newCount >= _auth.Lockout.MaxAttempts;
DateTime? newLockoutUntil = triggersLock
? DateTime.UtcNow.AddSeconds(_auth.Lockout.DurationSeconds)
: user.LockoutUntil;
await dbFactory.RunAdmin(async db =>
await db.Users.UpdateAsync(
u => u.Id == user.Id,
u => new User
{
FailedLoginCount = newCount,
LockoutUntil = newLockoutUntil
},
token: ct));
cache.Invalidate(User.GetCacheKey(user.Email));
if (triggersLock)
{
await auditLog.RecordLoginLockout(user.Email, ct);
// Promote a wrong-password into a lockout response so the caller learns the
// account is locked the moment the threshold is crossed.
throw new BusinessException(ExceptionEnum.AccountLocked, _auth.Lockout.DurationSeconds);
}
}
public async Task UpdateQueueOffsets(string email, UserQueueOffsets queueOffsets, CancellationToken ct = default)
{