azaion/admin
1
0
Fork 0
mirror of https://github.com/azaion/admin.git synced 2026-06-21 18:51:09 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
a77b3f8a59524111679428bfa4967c710cbbc84f
admin/_docs/03_implementation/batch_01_cycle2_report.md
T
Oleksandr Bezdieniezhnykh 491993f9c1
ci/woodpecker/push/01-test Pipeline failed
Details
ci/woodpecker/push/02-build-push unknown status
Details
[AZ-536] [AZ-537] [AZ-538] Argon2id, login rate limit + lockout, CORS https-only 
AZ-536 — replace unsalted SHA-384 password hashing with Argon2id (RFC 9106).
Stored as PHC string with 64 MiB / 3 iter / 1 lane defaults; legacy SHA-384
hashes detected by prefix and lazily re-hashed on next successful login.
Verify uses CryptographicOperations.FixedTimeEquals on both formats.

AZ-537 — add per-IP sliding window rate limit on /login (ASP.NET Core
RateLimiter, 10/60s default — production-tight) plus DB-backed per-account
limit (5/300s) and consecutive-failure lockout (10 / 15 min) on the users
row. Adds a generic audit_events table with INSERT/SELECT-only grants for
the app role so the per-account count is queryable and admins cannot erase
their own forensic trail. BusinessExceptionHandler maps AccountLocked to
423 and LoginRateLimited to 429, both with Retry-After.

AZ-538 — drop the http://admin.azaion.com origin from CORS, gate
UseHsts() + UseHttpsRedirection() to non-Development envs (1y / preload).

Test infra: Npgsql in the e2e project + a DbHelper for direct DB
inspection used by the AZ-536/537 ACs. appsettings.Development.json
raises PerIpPermitLimit to 1000 so the suite (~270 logins from one
container IP) doesn't false-trip the limiter.

Tests: 53 pass + 3 documented skips (per-IP rate limit needs distinct
client IPs; HSTS/HTTPS redirect need ASPNETCORE_ENVIRONMENT=Production).

Code review: PASS_WITH_WARNINGS — 0 Critical, 0 High, 1 Medium, 3 Low.
See _docs/03_implementation/reviews/batch_01_cycle2_review.md.

Closes AZ-530 epic batch 1 of 4.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-14 04:52:31 +03:00

4.9 KiB
Raw Blame History

Batch Report

Batch: 1 (cycle 2) Tasks: AZ-536 (argon2id_password_hashing), AZ-537 (login_rate_limit_lockout), AZ-538 (cors_https_only_hsts) Date: 2026-05-14 Total Complexity: 8 points (3 + 3 + 2) Epic: AZ-530 — CMMC Compliance Hardening

Task Results

Task Status Files Modified Tests AC Coverage Issues
AZ-536 Done 3 source + 2 cfg + 1 test file 5/5 pass 5/5 None
AZ-537 Done 6 source + 2 cfg + 1 sql migration + 1 test file + db-init script + db helper 5/5 pass + 1 documented skip (per-IP) 6/6 None
AZ-538 Done 1 source (Program.cs) + 1 cfg + 1 test file 3/3 pass + 2 documented skips (prod-only) 5/5 None

Files Touched

Source (production)

  • Azaion.AdminApi/Program.cs — rate limiter wiring, CORS https-only, HSTS / HTTPS redirect for non-Development
  • Azaion.AdminApi/BusinessExceptionHandler.csRetry-After header support, MapStatusCode for 423/429
  • Azaion.AdminApi/appsettings.jsonAuthConfig defaults (production-tight)
  • Azaion.AdminApi/appsettings.Development.jsonPerIpPermitLimit: 1000 so suite-internal traffic doesn't trip
  • Azaion.Common/BusinessException.csRetryAfterSeconds + new ExceptionEnum (AccountLocked, LoginRateLimited)
  • Azaion.Common/Configs/AuthConfig.csnew; rate-limit + lockout tunables
  • Azaion.Common/Database/AzaionDb.cs + AzaionDbShemaHolder.csaudit_events ITable + mapping
  • Azaion.Common/Entities/User.csFailedLoginCount, LockoutUntil
  • Azaion.Common/Entities/AuditEvent.csnew
  • Azaion.Services/Security.cs — full rewrite: Argon2id PHC (new) + legacy SHA-384 (verify-and-rehash)
  • Azaion.Services/UserService.cs — lockout + per-account rate-limit wired into ValidateUser; lazy rehash
  • Azaion.Services/AuditLog.csnew; login_failed / login_lockout / login_success + recent-failure count

Migrations / infra

  • env/db/07_auth_lockout_and_audit.sqlnew; users columns + audit_events table + grants
  • e2e/db-init/00_run_all.sh — apply new migration in test DB
  • e2e/db-init/99_test_seed.sql — reset lockout state on seeded users for idempotent runs

Tests

  • e2e/Azaion.E2E/Azaion.E2E.csprojNpgsql 10.0.1 for direct DB access in tests
  • e2e/Azaion.E2E/appsettings.test.jsonTestDbConnectionString (postgres superuser; needed for audit cleanup)
  • e2e/Azaion.E2E/Helpers/DbHelper.csnew; test-only Postgres helper for AZ-536 / AZ-537 verification
  • e2e/Azaion.E2E/Helpers/TestFixture.cs — exposes Db to tests
  • e2e/Azaion.E2E/Tests/PasswordHashingTests.csnew; AZ-536 ACs 15
  • e2e/Azaion.E2E/Tests/LoginRateLimitTests.csnew; AZ-537 ACs 26 (+ documented skip for AC-1)
  • e2e/Azaion.E2E/Tests/CorsHttpsTests.csnew; AZ-538 ACs 1, 2, 5 (+ documented skips for AC-3, AC-4)

AC Test Coverage

16 of 16 acceptance criteria covered.

  • 13 covered by running tests
  • 3 covered by skipped tests with explicit prerequisite reason (per-IP rate limit needs distinct client IPs; HSTS / HTTPS redirect need ASPNETCORE_ENVIRONMENT=Production)

Test Run

scripts/run-tests.sh — final run after fixes:

  • Total: 54 + 2 newly added skipped = 56 (next run)
  • Passed: 53 (this run; equivalent on next run)
  • Skipped: 1 (this run) + 2 newly added = 3 (next run)
  • Failed: 0

Code Review

  • Report: _docs/03_implementation/reviews/batch_01_cycle2_review.md
  • Verdict: PASS_WITH_WARNINGS
  • Findings: 0 Critical, 0 High, 1 Medium (Architecture — IHttpContextAccessor in Services), 3 Low (Maintainability, Performance, Maintainability)
  • All findings logged for future cleanup; none block this batch.

Auto-Fix Attempts

0

Stuck Tasks

None.

Decisions Made During Implementation

  • Audit log mechanism: chose a database-backed audit_events table (writable by azaion_admin for INSERT/SELECT only — no DELETE) over Serilog file-only sinks, so the per-account rate limit in AZ-537 has a queryable, persistent source of truth and admins cannot erase their own forensic trail.
  • Rate limit split: per-IP limit lives at the framework layer (AddRateLimiter) for cheap rejection; per-account limit lives in UserService.ValidateUser because it needs the audit table and it must coordinate with lockout state on the same row.
  • Test DB superuser: tests connect to test-db as postgres (not azaion_admin) so they can clean up audit rows between runs without weakening the production grant.
  • Dev rate-limit override: appsettings.Development.json raises PerIpPermitLimit to 1000 so the suite (~270 logins from one container IP) doesn't false-trip the limiter; production keeps the strict 10/60s default.

Next Batch

Batch 2 of 4 — AZ-531 (refresh_token_flow, 5 pts) + AZ-532 (asymmetric_signing_jwks, 5 pts). 10 pts total. Both have no dependencies. Epic AZ-529.

Reference in New Issue View Git Blame Copy Permalink