# Security Approach

## Authentication

- **Mechanism**: JWT Bearer tokens
- **Signing**: HMAC-SHA256 with symmetric key from `JwtConfig.Secret`
- **Validation**: Issuer, Audience, Lifetime, Signing Key — all validated by ASP.NET Core middleware
- **Token lifetime**: 4 hours (configurable via `JwtConfig.TokenLifetimeHours`)
- **Token claims**: UserID (`NameIdentifier`), Email (`Name`), Role (`Role`)

## Authorization

- **Model**: Role-based access control (RBAC)
- **Policies**:
  - `apiAdminPolicy` — requires `ApiAdmin` role (used on user CRUD + folder clear endpoints)
  - `apiUploaderPolicy` — requires `ResourceUploader` or `ApiAdmin` (defined but never applied — dead code)
  - General `[Authorize]` — any authenticated user (used on resource endpoints, queue offsets)

## Password Security

- **Hashing**: SHA-384 (`Security.ToHash`), Base64-encoded
- **No per-user salt**: All passwords use the same hash function without individual salts
- **No key stretching**: Not using bcrypt, scrypt, or Argon2
- **Minimum length**: 8 characters (enforced by FluentValidation)

## Hardware Fingerprint Binding

- **Storage**: Raw hardware string stored in `users.hardware` column
- **Comparison**: Hashed with static salt (`"Azaion_{hw}_%$$$)0_"`) via SHA-384
- **First-use binding**: Hardware auto-stored on first resource check; no admin approval step
- **Reset**: Admin can set hardware to null via `PUT /users/hardware/set`

## Resource Encryption

- **Algorithm**: AES-256-CBC with PKCS7 padding
- **Key derivation**: SHA-256 of `"{email}-{password}-{hwHash}-#%@AzaionKey@%#---"`
- **IV**: Randomly generated per encryption, prepended to ciphertext (first 16 bytes)
- **Scope**: Applied at download time; files stored unencrypted on server
- **Buffer size**: 512 KB streaming buffers

## Database Security

- **Connection separation**: Read-only (`azaion_reader`) and admin (`azaion_admin`) DB users
- **Privileges**: Reader has SELECT only; admin has SELECT, INSERT, UPDATE, DELETE
- **Port**: Non-standard port 4312

## Transport Security

- **CORS**: Restricted to `admin.azaion.com` (HTTP + HTTPS)
- **HTTPS enforcement**: Not configured in code (assumed at reverse proxy level)

## Input Validation

- **Framework**: FluentValidation (auto-discovered validators)
- **Validated requests**: RegisterUserRequest, GetResourceRequest, SetHWRequest
- **Not validated**: LoginRequest, SetUserQueueOffsetsRequest, CheckResourceRequest (partial)

## Secrets Management

- **Method**: Environment variables with `ASPNETCORE_` prefix
- **Sensitive values**: DB connection strings (passwords), JWT secret
- **Not in source**: `appsettings.json` omits connection strings and JWT secret

## Known Security Observations

1. SHA-384 without per-user salt is vulnerable to rainbow table attacks
2. `hardware_hash` DB column exists but is unused — application computes hashes at runtime
3. No path traversal protection on `dataFolder` parameter in resource endpoints
4. Test file contains hardcoded DB credentials for a remote server
5. No rate limiting on login endpoint
6. No audit trail for security-relevant operations (logins, role changes, user deletions)
7. No HTTPS enforcement in application code
8. Static encryption key salts are hardcoded in source code
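The unsalted SHA-384 scheme from the Password Security section and observation 1 above, reproduced beside a salted, key-stretched replacement. This is an added example, not the project's `Security.ToHash` code; the `WeakHash`/`StrongHash`/`Verify` names, the storage format and the PBKDF2 iteration count are assumptions chosen for illustration.

```csharp
// Added example (not the project's code). Requires .NET 6+ for the static
// SHA384.HashData, RandomNumberGenerator.GetBytes and Rfc2898DeriveBytes.Pbkdf2 APIs.
using System;
using System.Security.Cryptography;
using System.Text;

static class PasswordHashing
{
    // Scheme the page describes: SHA-384 over the password, Base64, no salt.
    // Every user with the same password gets the same string, so one
    // precomputed (rainbow) table built once matches against all rows.
    public static string WeakHash(string password) =>
        Convert.ToBase64String(SHA384.HashData(Encoding.UTF8.GetBytes(password)));

    // Hardened form: random 16-byte per-user salt plus PBKDF2-HMAC-SHA256
    // key stretching. Iteration count is an assumed value; tune for the host.
    const int Iterations = 600_000;
    const int SaltSize = 16, KeySize = 32;

    public static string StrongHash(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] key = Rfc2898DeriveBytes.Pbkdf2(
            Encoding.UTF8.GetBytes(password), salt, Iterations, HashAlgorithmName.SHA256, KeySize);
        // Store algorithm, iterations and salt with the hash so they can be raised later.
        return $"pbkdf2-sha256${Iterations}${Convert.ToBase64String(salt)}${Convert.ToBase64String(key)}";
    }

    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split('$');
        if (parts.Length != 4 || parts[0] != "pbkdf2-sha256") return false;
        int iterations = int.Parse(parts[1]);
        byte[] salt = Convert.FromBase64String(parts[2]);
        byte[] expected = Convert.FromBase64String(parts[3]);
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(
            Encoding.UTF8.GetBytes(password), salt, iterations, HashAlgorithmName.SHA256, expected.Length);
        // Constant-time comparison so a mismatch position is not leaked via timing.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    static void Main()
    {
        // Constructed sample: two accounts that chose the same password.
        string a = WeakHash("Password123"), b = WeakHash("Password123");
        Console.WriteLine($"unsalted SHA-384 identical across users: {a == b}");
        string sa = StrongHash("Password123"), sb = StrongHash("Password123");
        Console.WriteLine($"salted PBKDF2 identical across users: {sa == sb}");
        Console.WriteLine($"verify correct password: {Verify("Password123", sa)}");
        Console.WriteLine($"verify wrong password: {Verify("password123", sa)}");
    }
}
```

Migrating existing rows is possible without a password reset by re-hashing on next successful login, since the server sees the plaintext password at that moment.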