2026-04-16 06:25:36 +03:00

Security Approach

Authentication

  • Mechanism: JWT Bearer tokens
  • Signing: HMAC-SHA256 with symmetric key from JwtConfig.Secret
  • Validation: Issuer, Audience, Lifetime, Signing Key — all validated by ASP.NET Core middleware
  • Token lifetime: 4 hours (configurable via JwtConfig.TokenLifetimeHours)
  • Token claims: UserID (NameIdentifier), Email (Name), Role (Role)

Authorization

  • Model: Role-based access control (RBAC)
  • Policies:
    • apiAdminPolicy — requires ApiAdmin role (used on user CRUD + folder clear endpoints)
    • apiUploaderPolicy — requires ResourceUploader or ApiAdmin (defined but never applied — dead code)
    • General [Authorize] — any authenticated user (used on resource endpoints, queue offsets)

Password Security

  • Hashing: SHA-384 (Security.ToHash), Base64-encoded
  • No per-user salt: All passwords use the same hash function without individual salts
  • No key stretching: Not using bcrypt, scrypt, or Argon2
  • Minimum length: 8 characters (enforced by FluentValidation)

Hardware Fingerprint Binding

  • Storage: Raw hardware string stored in users.hardware column
  • Comparison: Hashed with static salt ("Azaion_{hw}_%$$$)0_") via SHA-384
  • First-use binding: Hardware auto-stored on first resource check; no admin approval step
  • Reset: Admin can set hardware to null via PUT /users/hardware/set

Resource Encryption

  • Algorithm: AES-256-CBC with PKCS7 padding
  • Key derivation: SHA-256 of "{email}-{password}-{hwHash}-#%@AzaionKey@%#---"
  • IV: Randomly generated per encryption, prepended to ciphertext (first 16 bytes)
  • Scope: Applied at download time; files stored unencrypted on server
  • Buffer size: 512 KB streaming buffers

Database Security

  • Connection separation: Read-only (azaion_reader) and admin (azaion_admin) DB users
  • Privileges: Reader has SELECT only; admin has SELECT, INSERT, UPDATE, DELETE
  • Port: Non-standard port 4312

Transport Security

  • CORS: Restricted to admin.azaion.com (HTTP + HTTPS)
  • HTTPS enforcement: Not configured in code (assumed at reverse proxy level)

Input Validation

  • Framework: FluentValidation (auto-discovered validators)
  • Validated requests: RegisterUserRequest, GetResourceRequest, SetHWRequest
  • Not validated: LoginRequest, SetUserQueueOffsetsRequest, CheckResourceRequest (partial)

Secrets Management

  • Method: Environment variables with ASPNETCORE_ prefix
  • Sensitive values: DB connection strings (passwords), JWT secret
  • Not in source: appsettings.json omits connection strings and JWT secret

Known Security Observations

  1. SHA-384 without per-user salt is vulnerable to rainbow table attacks
  2. hardware_hash DB column exists but is unused — application computes hashes at runtime
  3. No path traversal protection on dataFolder parameter in resource endpoints
  4. Test file contains hardcoded DB credentials for a remote server
  5. No rate limiting on login endpoint
  6. No audit trail for security-relevant operations (logins, role changes, user deletions)
  7. No HTTPS enforcement in application code
  8. Static encryption key salts are hardcoded in source code
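Added example (not the project's code; names such as PasswordHashing, WeakHash, Hash and Verify are hypothetical, and the PBKDF2 parameters are assumed): the unsalted SHA-384 scheme from Password Security and observation 1 beside a salted, key-stretched replacement using only System.Security.Cryptography (.NET 6 or later).

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical class; stands in for the project's Security.ToHash, which this file does not reproduce.
public static class PasswordHashing
{
    // Weak form as described in the document: unsalted SHA-384, Base64-encoded.
    // Every user with the same password gets the same string, so one precomputed
    // table covers the whole user base.
    public static string WeakHash(string password)
        => Convert.ToBase64String(SHA384.HashData(Encoding.UTF8.GetBytes(password)));

    // Hardened form: per-user random salt plus key stretching (PBKDF2-HMAC-SHA384).
    // Assumed parameters; raise Iterations until a hash costs a few hundred ms on the server.
    private const int SaltSize = 16;
    private const int KeySize = 48;          // 384 bits, matches the existing digest width
    private const int Iterations = 210_000;
    private static readonly HashAlgorithmName Prf = HashAlgorithmName.SHA384;

    // Stored format (assumed): "pbkdf2-sha384$<iterations>$<base64 salt>$<base64 hash>".
    // Storing the iteration count lets the cost be raised later without invalidating old rows.
    public static string Hash(string password)
    {
        byte[] salt = RandomNumberGenerator.GetBytes(SaltSize);
        byte[] key = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, Prf, KeySize);
        return $"pbkdf2-sha384${Iterations}${Convert.ToBase64String(salt)}${Convert.ToBase64String(key)}";
    }

    public static bool Verify(string password, string stored)
    {
        string[] parts = stored.Split('$');
        if (parts.Length != 4 || parts[0] != "pbkdf2-sha384") return false;
        int iterations = int.Parse(parts[1]);
        byte[] salt = Convert.FromBase64String(parts[2]);
        byte[] expected = Convert.FromBase64String(parts[3]);
        byte[] actual = Rfc2898DeriveBytes.Pbkdf2(password, salt, iterations, Prf, expected.Length);
        // Constant-time comparison so a mismatch does not leak how many bytes matched.
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    public static void Main()
    {
        const string pw = "hunter22";  // constructed sample value
        Console.WriteLine("weak, two users same password: " + (WeakHash(pw) == WeakHash(pw)));
        string a = Hash(pw), b = Hash(pw);
        Console.WriteLine("hardened, two users same password: " + (a == b));
        Console.WriteLine("verify correct: " + Verify(pw, a));
        Console.WriteLine("verify wrong:   " + Verify("not-the-password", a));
    }
}
```

Migrating existing rows needs no plaintext: keep the old SHA-384 value until the user next logs in, verify it with WeakHash, then overwrite it with Hash.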