don't send hardware hash, calc on the api

2026-04-22 09:26:34 +00:00 · 2025-02-26 16:02:09 +02:00
parent 6d28085b7e
commit 503ddc8c41
9 changed files with 32 additions and 42 deletions
@@ -151,9 +151,9 @@ app.MapPost("/resources/get/{dataFolder?}", //Need to have POST method for secur
        if (user == null)
            throw new UnauthorizedAccessException();
-        await userService.CheckHardware(user, request);
+        var hwHash = await userService.CheckHardwareHash(user, request);
-        var key = Security.MakeEncryptionKey(user.Email, request.Password, request.Hardware.Hash);
+        var key = Security.GetApiEncryptionKey(user.Email, request.Password, hwHash);
        var stream = await resourcesService.GetEncryptedResource(dataFolder, request.FileName, key, cancellationToken);
        return Results.File(stream, "application/octet-stream", request.FileName);
@@ -162,11 +162,7 @@ app.MapPost("/resources/get/{dataFolder?}", //Need to have POST method for secur
 app.MapPut("/resources/reset-hardware",
    async (string email, IUserService userService, ICache cache, CancellationToken cancellationToken) =>
-    {
+        await userService.UpdateHardware(email, new HardwareInfo(), cancellationToken))
        await userService.UpdateHardware(email, new HardwareInfo(), cancellationToken);
        var user = await userService.GetByEmail(email, cancellationToken);
        cache.Invalidate($"{nameof(User)}.{user?.Id}");
    })
    .RequireAuthorization(apiAdminPolicy)
    .WithOpenApi(op => new OpenApiOperation(op){ Summary = "Resets hardware id in case of hardware change"});
@@ -30,6 +30,7 @@ public static class AzaionDbSchemaHolder
                .HasDataType(DataType.Text)
                .HasConversion(v => v.ToString(), v => (RoleEnum)Enum.Parse(typeof(RoleEnum), v));
        builder.Build();
    }
 }
@@ -6,6 +6,4 @@ public class HardwareInfo
    public string GPU        { get; set; } = null!;
    public string MacAddress { get; set; } = null!;
    public string Memory     { get; set; } = null!;
    public string? Hash { get; set; } = null!;
 }
@@ -6,6 +6,7 @@ public class User
    public string   Email        { get; set; } = null!;
    public string   PasswordHash { get; set; } = null!;
    public string?  Hardware     { get; set; }
    public string?  HardwareHash   { get; set; }
    public RoleEnum Role         { get; set; }
    public static string GetCacheKey(string email) => $"{nameof(User)}.{email}";
 }
@@ -1,5 +1,6 @@
 using System.Security.Cryptography;
 using System.Text;
 using Azaion.Common.Entities;
 namespace Azaion.Services;
@@ -10,7 +11,10 @@ public static class Security
    public static string ToHash(this string str) =>
        Convert.ToBase64String(SHA384.HashData(Encoding.UTF8.GetBytes(str)));
-    public static string MakeEncryptionKey(string email, string password, string? hardwareHash) =>
+    public static string GetHWHash(HardwareInfo hardware) =>
        $"Azaion_{hardware.MacAddress}_{hardware.CPU}_{hardware.GPU}".ToHash();
    public static string GetApiEncryptionKey(string email, string password, string? hardwareHash) =>
        $"{email}-{password}-{hardwareHash}-#%@AzaionKey@%#---".ToHash();
    public static async Task EncryptTo(this Stream stream, Stream toStream, string key, CancellationToken cancellationToken = default)
@@ -16,7 +16,7 @@ public interface IUserService
    Task<User?> GetByEmail(string email, CancellationToken cancellationToken = default);
    Task UpdateHardware(string email, HardwareInfo hardwareInfo, CancellationToken cancellationToken = default);
    Task<IEnumerable<User>> GetUsers(string? searchEmail, RoleEnum? searchRole, CancellationToken cancellationToken);
-    Task CheckHardware(User user, GetResourceRequest request);
+    Task<string> CheckHardwareHash(User user, GetResourceRequest request);
 }
 public class UserService(IDbFactory dbFactory, ICache cache) : IUserService
@@ -62,7 +62,8 @@ public class UserService(IDbFactory dbFactory, ICache cache) : IUserService
        });
-    public async Task UpdateHardware(string email, HardwareInfo hardware, CancellationToken cancellationToken = default) =>
+    public async Task UpdateHardware(string email, HardwareInfo hardware, CancellationToken cancellationToken = default)
    {
        await dbFactory.RunAdmin(async db =>
        {
            var hardwareStr = JsonConvert.SerializeObject(hardware);
@@ -70,11 +71,11 @@ public class UserService(IDbFactory dbFactory, ICache cache) : IUserService
            await db.Users.UpdateAsync(x => x.Email == email,
                u => new User
                {
-                    Hardware = hardwareStr,
+                    Hardware = hardwareStr
                    HardwareHash = hardware.Hash
                }, token: cancellationToken);
        });
-
+        cache.Invalidate(User.GetCacheKey(email));
    }
    public async Task<IEnumerable<User>> GetUsers(string? searchEmail, RoleEnum? searchRole, CancellationToken cancellationToken) =>
        await dbFactory.Run(async db =>
@@ -85,23 +86,22 @@ public class UserService(IDbFactory dbFactory, ICache cache) : IUserService
                    u => u.Role == searchRole)
                .ToListAsync(token: cancellationToken));
-    public async Task CheckHardware(User user, GetResourceRequest request)
+    public async Task<string> CheckHardwareHash(User user, GetResourceRequest request)
    {
-        if (string.IsNullOrEmpty(user.HardwareHash))
+        var requestHWHash = Security.GetHWHash(request.Hardware);
        //For the new users Hardware would be empty, fill it with actual hardware on the very first request
        if (string.IsNullOrEmpty(user.Hardware))
        {
            await UpdateHardware(user.Email, request.Hardware);
-            user.HardwareHash = request.Hardware.Hash;
+            cache.Invalidate(User.GetCacheKey(user.Email));
            return requestHWHash;
        }
-        var hwHash = await dbFactory.Run(async db =>
+        var userHW = JsonConvert.DeserializeObject<HardwareInfo>(user.Hardware);
-            await db.Users
+        var userHWHash = Security.GetHWHash(userHW!);
-                .Where(x => x.Email == user.Email)
+        if (userHWHash != requestHWHash)
                .Select(x => x.HardwareHash)
                .FirstOrDefaultAsync());
        if (hwHash != user.HardwareHash)
            user.HardwareHash = hwHash;
        if (user.HardwareHash != request.Hardware.Hash)
            throw new BusinessException(ExceptionEnum.HardwareIdMismatch);
        return userHWHash;
    }
 }
@@ -18,7 +18,7 @@ public class SecurityTest
        var password = "testpw";
        var hardwareId = "test_hardware_id";
-        var key = Security.MakeEncryptionKey(email, password, hardwareId);
+        var key = Security.GetApiEncryptionKey(email, password, hardwareId);
        var encryptedStream = new MemoryStream();
        await StringToStream(testString).EncryptTo(encryptedStream, key);
@@ -39,7 +39,7 @@ public class SecurityTest
        var password = "testpw";
        var hardwareId = "test_hardware_id";
-        var key = Security.MakeEncryptionKey(username, password, hardwareId);
+        var key = Security.GetApiEncryptionKey(username, password, hardwareId);
        var largeFilePath = "large.txt";
        var largeFileDecryptedPath = "large_decrypted.txt";
@@ -0,0 +1,2 @@
 FROM alpine:latest
 CMD echo hello
@@ -63,18 +63,6 @@ server {
    ssl_certificate /etc/letsencrypt/live/api.azaion.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.azaion.com/privkey.pem;
    location /cdn/ {
      alias /var/www/cdn.azaion.com/;
      expires 3560d;
      access_log_off;
      log_not_found off;
      gzip_static on;
      autoindex on;
      autoindex_exact_size off;
      autoindex_localtime on;
    }
    location / {
        proxy_pass http://localhost:4000;  # API service running on port 4000
        proxy_set_header Host \$host;