[AZ-536] [AZ-537] [AZ-538] Argon2id, login rate limit + lockout, CORS https-only

AZ-536 — replace unsalted SHA-384 password hashing with Argon2id (RFC 9106). Stored as PHC string with 64 MiB / 3 iter / 1 lane defaults; legacy SHA-384 hashes detected by prefix and lazily re-hashed on next successful login. Verify uses CryptographicOperations.FixedTimeEquals on both formats. AZ-537 — add per-IP sliding window rate limit on /login (ASP.NET Core RateLimiter, 10/60s default — production-tight) plus DB-backed per-account limit (5/300s) and consecutive-failure lockout (10 / 15 min) on the users row. Adds a generic audit_events table with INSERT/SELECT-only grants for the app role so the per-account count is queryable and admins cannot erase their own forensic trail. BusinessExceptionHandler maps AccountLocked to 423 and LoginRateLimited to 429, both with Retry-After. AZ-538 — drop the http://admin.azaion.com origin from CORS, gate UseHsts() + UseHttpsRedirection() to non-Development envs (1y / preload). Test infra: Npgsql in the e2e project + a DbHelper for direct DB inspection used by the AZ-536/537 ACs. appsettings.Development.json raises PerIpPermitLimit to 1000 so the suite (~270 logins from one container IP) doesn't false-trip the limiter. Tests: 53 pass + 3 documented skips (per-IP rate limit needs distinct client IPs; HSTS/HTTPS redirect need ASPNETCORE_ENVIRONMENT=Production). Code review: PASS_WITH_WARNINGS — 0 Critical, 0 High, 1 Medium, 3 Low. See _docs/03_implementation/reviews/batch_01_cycle2_review.md. Closes AZ-530 epic batch 1 of 4. Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-21 10:21:10 +00:00 · 2026-05-14 04:52:31 +03:00
parent 9679b5636f
commit 491993f9c1
31 changed files with 1327 additions and 36 deletions
@@ -0,0 +1,117 @@
+using System.Globalization;
+using Npgsql;
+
+namespace Azaion.E2E.Helpers;
+
+/// <summary>
+/// Thin wrapper around <see cref="NpgsqlConnection"/> for tests that must inspect
+/// or seed rows directly. Used by AZ-536 (password hash format) and AZ-537
+/// (lockout state, audit_events) acceptance tests.
+/// </summary>
+public sealed class DbHelper
+{
+    private readonly string _connectionString;
+
+    public DbHelper(string connectionString) => _connectionString = connectionString;
+
+    public async Task<string?> GetPasswordHash(string email, CancellationToken ct = default)
+    {
+        await using var conn = await OpenAsync(ct);
+        await using var cmd = new NpgsqlCommand(
+            "SELECT password_hash FROM public.users WHERE email = @e", conn);
+        cmd.Parameters.AddWithValue("e", email);
+        var raw = await cmd.ExecuteScalarAsync(ct);
+        return raw == null || raw is DBNull ? null : (string)raw;
+    }
+
+    public async Task<(int FailedLoginCount, DateTime? LockoutUntil)> GetLockoutState(string email, CancellationToken ct = default)
+    {
+        await using var conn = await OpenAsync(ct);
+        await using var cmd = new NpgsqlCommand(
+            "SELECT failed_login_count, lockout_until FROM public.users WHERE email = @e", conn);
+        cmd.Parameters.AddWithValue("e", email);
+        await using var rd = await cmd.ExecuteReaderAsync(ct);
+        if (!await rd.ReadAsync(ct))
+            throw new InvalidOperationException($"User {email} not found.");
+        var failed = rd.GetInt32(0);
+        DateTime? lockout = rd.IsDBNull(1) ? null : DateTime.SpecifyKind(rd.GetDateTime(1), DateTimeKind.Utc);
+        return (failed, lockout);
+    }
+
+    public async Task<int> CountAuditEvents(string eventType, string email, CancellationToken ct = default)
+    {
+        await using var conn = await OpenAsync(ct);
+        await using var cmd = new NpgsqlCommand(
+            "SELECT COUNT(*) FROM public.audit_events WHERE event_type = @t AND email = @e", conn);
+        cmd.Parameters.AddWithValue("t", eventType);
+        cmd.Parameters.AddWithValue("e", email);
+        var raw = await cmd.ExecuteScalarAsync(ct);
+        return Convert.ToInt32(raw, CultureInfo.InvariantCulture);
+    }
+
+    /// <summary>
+    /// Inject a user with a known legacy SHA-384 hash so the lazy-migration path can be
+    /// exercised end-to-end without going through the Argon2id-using registration API.
+    /// </summary>
+    public async Task SeedLegacyShaUser(Guid id, string email, string sha384HashBase64, string role = "ResourceUploader", CancellationToken ct = default)
+    {
+        await using var conn = await OpenAsync(ct);
+        await using var cmd = new NpgsqlCommand(@"
+            INSERT INTO public.users (id, email, password_hash, role, created_at, is_enabled, failed_login_count)
+            VALUES (@id, @email, @hash, @role, now(), true, 0)
+            ON CONFLICT (email) DO UPDATE
+            SET password_hash      = excluded.password_hash,
+                failed_login_count = 0,
+                lockout_until      = NULL,
+                is_enabled         = true", conn);
+        cmd.Parameters.AddWithValue("id",    id);
+        cmd.Parameters.AddWithValue("email", email);
+        cmd.Parameters.AddWithValue("hash",  sha384HashBase64);
+        cmd.Parameters.AddWithValue("role",  role);
+        await cmd.ExecuteNonQueryAsync(ct);
+    }
+
+    public async Task DeleteUser(string email, CancellationToken ct = default)
+    {
+        await using var conn = await OpenAsync(ct);
+        await using var cmd = new NpgsqlCommand(
+            "DELETE FROM public.users WHERE email = @e", conn);
+        cmd.Parameters.AddWithValue("e", email);
+        await cmd.ExecuteNonQueryAsync(ct);
+    }
+
+    public async Task DeleteAuditEventsFor(string email, CancellationToken ct = default)
+    {
+        await using var conn = await OpenAsync(ct);
+        await using var cmd = new NpgsqlCommand(
+            "DELETE FROM public.audit_events WHERE email = @e", conn);
+        cmd.Parameters.AddWithValue("e", email);
+        await cmd.ExecuteNonQueryAsync(ct);
+    }
+
+    /// <summary>
+    /// Force-set a lockout deadline so tests don't have to actually trip the threshold
+    /// 10 times to check expiry behavior (AZ-537 AC-5).
+    /// </summary>
+    public async Task SetLockoutUntil(string email, DateTime? lockoutUntilUtc, int failedCount, CancellationToken ct = default)
+    {
+        await using var conn = await OpenAsync(ct);
+        await using var cmd = new NpgsqlCommand(@"
+            UPDATE public.users
+               SET lockout_until      = @until,
+                   failed_login_count = @count
+             WHERE email = @e", conn);
+        cmd.Parameters.AddWithValue("until",
+            (object?)(lockoutUntilUtc?.ToUniversalTime()) ?? DBNull.Value);
+        cmd.Parameters.AddWithValue("count", failedCount);
+        cmd.Parameters.AddWithValue("e",     email);
+        await cmd.ExecuteNonQueryAsync(ct);
+    }
+
+    private async Task<NpgsqlConnection> OpenAsync(CancellationToken ct)
+    {
+        var conn = new NpgsqlConnection(_connectionString);
+        await conn.OpenAsync(ct);
+        return conn;
+    }
+}