mirror of
https://github.com/azaion/admin.git
synced 2026-06-21 15:41:08 +00:00
Oleksandr Bezdieniezhnykh
491993f9c1
AZ-536 — replace unsalted SHA-384 password hashing with Argon2id (RFC 9106). Stored as PHC string with 64 MiB / 3 iter / 1 lane defaults; legacy SHA-384 hashes detected by prefix and lazily re-hashed on next successful login. Verify uses CryptographicOperations.FixedTimeEquals on both formats. AZ-537 — add per-IP sliding window rate limit on /login (ASP.NET Core RateLimiter, 10/60s default — production-tight) plus DB-backed per-account limit (5/300s) and consecutive-failure lockout (10 / 15 min) on the users row. Adds a generic audit_events table with INSERT/SELECT-only grants for the app role so the per-account count is queryable and admins cannot erase their own forensic trail. BusinessExceptionHandler maps AccountLocked to 423 and LoginRateLimited to 429, both with Retry-After. AZ-538 — drop the http://admin.azaion.com origin from CORS, gate UseHsts() + UseHttpsRedirection() to non-Development envs (1y / preload). Test infra: Npgsql in the e2e project + a DbHelper for direct DB inspection used by the AZ-536/537 ACs. appsettings.Development.json raises PerIpPermitLimit to 1000 so the suite (~270 logins from one container IP) doesn't false-trip the limiter. Tests: 53 pass + 3 documented skips (per-IP rate limit needs distinct client IPs; HSTS/HTTPS redirect need ASPNETCORE_ENVIRONMENT=Production). Code review: PASS_WITH_WARNINGS — 0 Critical, 0 High, 1 Medium, 3 Low. See _docs/03_implementation/reviews/batch_01_cycle2_review.md. Closes AZ-530 epic batch 1 of 4. Co-authored-by: Cursor <cursoragent@cursor.com>
279 lines
11 KiB
C#
279 lines
11 KiB
C#
using System.Security.Cryptography;
|
|
using Azaion.Common;
|
|
using Azaion.Common.Configs;
|
|
using Azaion.Common.Database;
|
|
using Azaion.Common.Entities;
|
|
using Azaion.Common.Extensions;
|
|
using Azaion.Common.Requests;
|
|
using LinqToDB;
|
|
using Microsoft.Extensions.Options;
|
|
using Npgsql;
|
|
|
|
namespace Azaion.Services;
|
|
|
|
public interface IUserService
|
|
{
|
|
Task RegisterUser(RegisterUserRequest request, CancellationToken ct = default);
|
|
Task<RegisterDeviceResponse> RegisterDevice(CancellationToken ct = default);
|
|
Task<User> ValidateUser(LoginRequest request, CancellationToken ct = default);
|
|
Task<User?> GetByEmail(string? email, CancellationToken ct = default);
|
|
Task UpdateQueueOffsets(string email, UserQueueOffsets queueOffsets, CancellationToken ct = default);
|
|
Task<IEnumerable<User>> GetUsers(string? searchEmail, RoleEnum? searchRole, CancellationToken ct = default);
|
|
Task ChangeRole(string email, RoleEnum newRole, CancellationToken ct = default);
|
|
Task SetEnableStatus(string email, bool isEnabled, CancellationToken ct = default);
|
|
Task RemoveUser(string email, CancellationToken ct = default);
|
|
}
|
|
|
|
public class UserService(
|
|
IDbFactory dbFactory,
|
|
ICache cache,
|
|
IAuditLog auditLog,
|
|
IOptions<AuthConfig> authConfig) : IUserService
|
|
{
|
|
private readonly AuthConfig _auth = authConfig.Value;
|
|
|
|
private const string DeviceEmailPrefix = "azj-";
|
|
private const string DeviceEmailDomain = "@azaion.com";
|
|
private const int SerialNumberStart = 4; // index of NNNN inside "azj-NNNN..." (length of DeviceEmailPrefix)
|
|
private const int SerialNumberLength = 4;
|
|
private const int DevicePasswordBytes = 16; // hex-encoded → 32 chars
|
|
|
|
public async Task RegisterUser(RegisterUserRequest request, CancellationToken ct = default)
|
|
{
|
|
try
|
|
{
|
|
await dbFactory.RunAdmin(async db =>
|
|
{
|
|
await db.InsertAsync(new User
|
|
{
|
|
Id = Guid.NewGuid(),
|
|
Email = request.Email,
|
|
PasswordHash = Security.HashPassword(request.Password),
|
|
Role = request.Role,
|
|
CreatedAt = DateTime.UtcNow,
|
|
IsEnabled = true
|
|
}, token: ct);
|
|
});
|
|
}
|
|
catch (PostgresException ex) when (ex.SqlState == PostgresErrorCodes.UniqueViolation)
|
|
{
|
|
throw new BusinessException(ExceptionEnum.EmailExists);
|
|
}
|
|
}
|
|
|
|
public async Task<RegisterDeviceResponse> RegisterDevice(CancellationToken ct = default)
|
|
{
|
|
var (serial, email) = await NextDeviceIdentity(ct);
|
|
var password = Convert.ToHexString(RandomNumberGenerator.GetBytes(DevicePasswordBytes)).ToLowerInvariant();
|
|
|
|
await RegisterUser(new RegisterUserRequest
|
|
{
|
|
Email = email,
|
|
Password = password,
|
|
Role = RoleEnum.CompanionPC
|
|
}, ct);
|
|
|
|
return new RegisterDeviceResponse
|
|
{
|
|
Serial = serial,
|
|
Email = email,
|
|
Password = password
|
|
};
|
|
}
|
|
|
|
private async Task<(string Serial, string Email)> NextDeviceIdentity(CancellationToken ct) =>
|
|
await dbFactory.Run(async db =>
|
|
{
|
|
var lastEmail = await db.Users
|
|
.Where(u => u.Role == RoleEnum.CompanionPC)
|
|
.OrderByDescending(u => u.CreatedAt)
|
|
.Select(u => u.Email)
|
|
.FirstOrDefaultAsync(token: ct);
|
|
|
|
var nextNumber = 0;
|
|
if (!string.IsNullOrEmpty(lastEmail) && lastEmail.Length >= SerialNumberStart + SerialNumberLength)
|
|
{
|
|
var serialPart = lastEmail.Substring(SerialNumberStart, SerialNumberLength);
|
|
if (int.TryParse(serialPart, out var current))
|
|
nextNumber = current + 1;
|
|
}
|
|
|
|
var serial = $"{DeviceEmailPrefix}{nextNumber.ToString($"D{SerialNumberLength}")}";
|
|
var email = $"{serial}{DeviceEmailDomain}";
|
|
return (serial, email);
|
|
});
|
|
|
|
public async Task<User?> GetByEmail(string? email, CancellationToken ct = default)
|
|
{
|
|
if (string.IsNullOrWhiteSpace(email)) throw new ArgumentNullException(nameof(email));
|
|
|
|
return await cache.GetFromCacheAsync(User.GetCacheKey(email),
|
|
async () => await dbFactory.Run(async db =>
|
|
await db.Users.FirstOrDefaultAsync(x => x.Email == email, ct)));
|
|
}
|
|
|
|
|
|
public async Task<User> ValidateUser(LoginRequest request, CancellationToken ct = default)
|
|
{
|
|
var user = await dbFactory.Run(async db =>
|
|
await db.Users.FirstOrDefaultAsync(x => x.Email == request.Email, token: ct));
|
|
|
|
if (user == null)
|
|
throw new BusinessException(ExceptionEnum.NoEmailFound);
|
|
|
|
// AZ-537 AC-3 — active lockout takes precedence over the password check; even
|
|
// a correct password is rejected with 423 Locked until the lockout expires.
|
|
if (user.LockoutUntil is { } until && until > DateTime.UtcNow)
|
|
{
|
|
var remaining = (int)Math.Ceiling((until - DateTime.UtcNow).TotalSeconds);
|
|
throw new BusinessException(ExceptionEnum.AccountLocked, Math.Max(remaining, 1));
|
|
}
|
|
|
|
// AZ-537 AC-2 — per-account sliding-window rate limit. Counts only failed
|
|
// logins in the recent window so legitimate retries after success aren't punished.
|
|
var recentFailures = await auditLog.CountRecentFailedLogins(
|
|
user.Email, _auth.RateLimit.PerAccountWindowSeconds, ct);
|
|
if (recentFailures >= _auth.RateLimit.PerAccountPermitLimit)
|
|
throw new BusinessException(ExceptionEnum.LoginRateLimited, _auth.RateLimit.PerAccountWindowSeconds);
|
|
|
|
var verify = Security.VerifyPassword(request.Password, user.PasswordHash);
|
|
if (!verify.Valid)
|
|
{
|
|
await RegisterFailedLogin(user, ct);
|
|
throw new BusinessException(ExceptionEnum.WrongPassword);
|
|
}
|
|
|
|
if (!user.IsEnabled)
|
|
throw new BusinessException(ExceptionEnum.UserDisabled);
|
|
|
|
await RegisterSuccessfulLogin(user, request.Password, verify.NeedsRehash, ct);
|
|
return user;
|
|
}
|
|
|
|
// Lazy migration of legacy SHA-384 hashes (and future Argon2 param upgrades).
|
|
// Conditional on the original hash to avoid clobbering a concurrent rehash from
|
|
// a parallel login of the same account.
|
|
private async Task RegisterSuccessfulLogin(User user, string plaintext, bool rehash, CancellationToken ct)
|
|
{
|
|
var newHash = rehash ? Security.HashPassword(plaintext) : null;
|
|
var oldHash = user.PasswordHash;
|
|
|
|
await dbFactory.RunAdmin(async db =>
|
|
{
|
|
if (newHash != null)
|
|
{
|
|
await db.Users.UpdateAsync(
|
|
u => u.Id == user.Id && u.PasswordHash == oldHash,
|
|
u => new User
|
|
{
|
|
PasswordHash = newHash,
|
|
FailedLoginCount = 0,
|
|
LockoutUntil = null
|
|
},
|
|
token: ct);
|
|
}
|
|
else
|
|
{
|
|
await db.Users.UpdateAsync(
|
|
u => u.Id == user.Id,
|
|
u => new User
|
|
{
|
|
FailedLoginCount = 0,
|
|
LockoutUntil = null
|
|
},
|
|
token: ct);
|
|
}
|
|
});
|
|
|
|
if (newHash != null)
|
|
user.PasswordHash = newHash;
|
|
user.FailedLoginCount = 0;
|
|
user.LockoutUntil = null;
|
|
cache.Invalidate(User.GetCacheKey(user.Email));
|
|
|
|
await auditLog.RecordLoginSuccess(user.Email, ct);
|
|
}
|
|
|
|
private async Task RegisterFailedLogin(User user, CancellationToken ct)
|
|
{
|
|
await auditLog.RecordLoginFailed(user.Email, ct);
|
|
|
|
var newCount = user.FailedLoginCount + 1;
|
|
var triggersLock = newCount >= _auth.Lockout.MaxAttempts;
|
|
DateTime? newLockoutUntil = triggersLock
|
|
? DateTime.UtcNow.AddSeconds(_auth.Lockout.DurationSeconds)
|
|
: user.LockoutUntil;
|
|
|
|
await dbFactory.RunAdmin(async db =>
|
|
await db.Users.UpdateAsync(
|
|
u => u.Id == user.Id,
|
|
u => new User
|
|
{
|
|
FailedLoginCount = newCount,
|
|
LockoutUntil = newLockoutUntil
|
|
},
|
|
token: ct));
|
|
|
|
cache.Invalidate(User.GetCacheKey(user.Email));
|
|
|
|
if (triggersLock)
|
|
{
|
|
await auditLog.RecordLoginLockout(user.Email, ct);
|
|
// Promote a wrong-password into a lockout response so the caller learns the
|
|
// account is locked the moment the threshold is crossed.
|
|
throw new BusinessException(ExceptionEnum.AccountLocked, _auth.Lockout.DurationSeconds);
|
|
}
|
|
}
|
|
|
|
public async Task UpdateQueueOffsets(string email, UserQueueOffsets queueOffsets, CancellationToken ct = default)
|
|
{
|
|
await dbFactory.RunAdmin(async db =>
|
|
{
|
|
var userConfig = await db.Users.Where(x => x.Email == email).Select(x => x.UserConfig).FirstOrDefaultAsync(token: ct);
|
|
userConfig ??= new UserConfig();
|
|
userConfig.QueueOffsets = queueOffsets;
|
|
|
|
await db.Users.UpdateAsync(x => x.Email == email,
|
|
u => new User
|
|
{
|
|
UserConfig = userConfig
|
|
}, token: ct);
|
|
});
|
|
cache.Invalidate(User.GetCacheKey(email));
|
|
}
|
|
|
|
public async Task<IEnumerable<User>> GetUsers(string? searchEmail, RoleEnum? searchRole, CancellationToken ct) =>
|
|
await dbFactory.Run(async db =>
|
|
await db.Users
|
|
.WhereIf(!string.IsNullOrEmpty(searchEmail),
|
|
u => u.Email.ToLower().Contains(searchEmail!.ToLower()))
|
|
.WhereIf(searchRole != null,
|
|
u => u.Role == searchRole)
|
|
.ToListAsync(token: ct));
|
|
|
|
public async Task ChangeRole(string email, RoleEnum newRole, CancellationToken ct = default)
|
|
{
|
|
await dbFactory.RunAdmin(async db =>
|
|
await db.Users.UpdateAsync(x => x.Email == email, u => new User
|
|
{
|
|
Role = newRole
|
|
}, ct));
|
|
}
|
|
|
|
public async Task SetEnableStatus(string email, bool isEnabled, CancellationToken ct = default)
|
|
{
|
|
await dbFactory.RunAdmin(async db =>
|
|
await db.Users.UpdateAsync(x => x.Email == email, u => new User
|
|
{
|
|
IsEnabled = isEnabled
|
|
}, ct));
|
|
}
|
|
|
|
|
|
public async Task RemoveUser(string email, CancellationToken ct = default)
|
|
{
|
|
await dbFactory.RunAdmin(async db =>
|
|
await db.Users.DeleteAsync(x => x.Email == email, ct));
|
|
}
|
|
}
|