azaion/admin
1
0
Fork 0
mirror of https://github.com/azaion/admin.git synced 2026-04-22 08:46:34 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
d320d6dd598cedf4b6cebd9809b8b9d407784d62
admin/_docs/00_problem/security_approach.md
T
Oleksandr Bezdieniezhnykh d320d6dd59 [AZ-189] [AZ-190] [AZ-191] [AZ-192] [AZ-193] [AZ-194] [AZ-195] Add e2e blackbox test suite 
Made-with: Cursor
2026-04-16 06:25:36 +03:00

74 lines
3.2 KiB
Markdown
Raw Blame History

# Security Approach
## Authentication
- **Mechanism**: JWT Bearer tokens
- **Signing**: HMAC-SHA256 with symmetric key from `JwtConfig.Secret`
- **Validation**: Issuer, Audience, Lifetime, Signing Key — all validated by ASP.NET Core middleware
- **Token lifetime**: 4 hours (configurable via `JwtConfig.TokenLifetimeHours`)
- **Token claims**: UserID (`NameIdentifier`), Email (`Name`), Role (`Role`)
## Authorization
- **Model**: Role-based access control (RBAC)
- **Policies**:
- `apiAdminPolicy` — requires `ApiAdmin` role (used on user CRUD + folder clear endpoints)
- `apiUploaderPolicy` — requires `ResourceUploader` or `ApiAdmin` (defined but never applied — dead code)
- General `[Authorize]` — any authenticated user (used on resource endpoints, queue offsets)
## Password Security
- **Hashing**: SHA-384 (`Security.ToHash`), Base64-encoded
- **No per-user salt**: All passwords use the same hash function without individual salts
- **No key stretching**: Not using bcrypt, scrypt, or Argon2
- **Minimum length**: 8 characters (enforced by FluentValidation)
## Hardware Fingerprint Binding
- **Storage**: Raw hardware string stored in `users.hardware` column
- **Comparison**: Hashed with static salt (`"Azaion_{hw}_%$$$)0_"`) via SHA-384
- **First-use binding**: Hardware auto-stored on first resource check; no admin approval step
- **Reset**: Admin can set hardware to null via `PUT /users/hardware/set`
## Resource Encryption
- **Algorithm**: AES-256-CBC with PKCS7 padding
- **Key derivation**: SHA-256 of `"{email}-{password}-{hwHash}-#%@AzaionKey@%#---"`
- **IV**: Randomly generated per encryption, prepended to ciphertext (first 16 bytes)
- **Scope**: Applied at download time; files stored unencrypted on server
- **Buffer size**: 512 KB streaming buffers
## Database Security
- **Connection separation**: Read-only (`azaion_reader`) and admin (`azaion_admin`) DB users
- **Privileges**: Reader has SELECT only; admin has SELECT, INSERT, UPDATE, DELETE
- **Port**: Non-standard port 4312
## Transport Security
- **CORS**: Restricted to `admin.azaion.com` (HTTP + HTTPS)
- **HTTPS enforcement**: Not configured in code (assumed at reverse proxy level)
## Input Validation
- **Framework**: FluentValidation (auto-discovered validators)
- **Validated requests**: RegisterUserRequest, GetResourceRequest, SetHWRequest
- **Not validated**: LoginRequest, SetUserQueueOffsetsRequest, CheckResourceRequest (partial)
## Secrets Management
- **Method**: Environment variables with `ASPNETCORE_` prefix
- **Sensitive values**: DB connection strings (passwords), JWT secret
- **Not in source**: `appsettings.json` omits connection strings and JWT secret
## Known Security Observations
1. SHA-384 without per-user salt is vulnerable to rainbow table attacks
2. `hardware_hash` DB column exists but is unused — application computes hashes at runtime
3. No path traversal protection on `dataFolder` parameter in resource endpoints
4. Test file contains hardcoded DB credentials for a remote server
5. No rate limiting on login endpoint
6. No audit trail for security-relevant operations (logins, role changes, user deletions)
7. No HTTPS enforcement in application code
8. Static encryption key salts are hardcoded in source code
Reference in New Issue View Git Blame Copy Permalink