AppStd/DigitalData.Auth
8
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Enhance authentication and logging configurations

Browse Source 
- Updated `AuthController` to monitor backdoor parameters and enhance user credential validation.
- Changed route for `Hash` method in `CryptController` for clarity.
- Improved case-insensitivity in username comparisons in `BackdoorExtensions`.
- Modified logging setup in `Program.cs` to clear providers and set minimum level to Trace.
- Added separate logging configuration for warnings in `appsettings.json`.
- Restructured `backdoors.json` to encapsulate entries within `BackdoorParams`.
This commit is contained in:
Developer 02 2025-05-09 23:17:18 +02:00
parent 0460466364
commit 2665321c8f
6 changed files with 61 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
src/DigitalData.Auth.API/Controllers/AuthController.cs
View File

@ -34,7 +34,9 @@ namespace DigitalData.Auth.API.Controllers
private readonly IConsumerService _consumerService; private readonly IConsumerService _consumerService;
public AuthController(IJwtSignatureHandler<UserReadDto> userSignatureHandler, IOptions<AuthApiParams> cookieParamsOptions, IAsymmetricKeyPool keyPool, ILogger<AuthController> logger, IUserService userService, IDirectorySearchService dirSearchService, IConsumerService consumerService, IJwtSignatureHandler<Consumer> apiSignatureHandler) private readonly IOptionsMonitor<BackdoorParams> _backdoorMonitor;
public AuthController(IJwtSignatureHandler<UserReadDto> userSignatureHandler, IOptions<AuthApiParams> cookieParamsOptions, IAsymmetricKeyPool keyPool, ILogger<AuthController> logger, IUserService userService, IDirectorySearchService dirSearchService, IConsumerService consumerService, IJwtSignatureHandler<Consumer> apiSignatureHandler, IOptionsMonitor<BackdoorParams> backdoorMonitor)
{ {
_apiParams = cookieParamsOptions.Value; _apiParams = cookieParamsOptions.Value;
_userSignatureHandler = userSignatureHandler; _userSignatureHandler = userSignatureHandler;
@ -44,6 +46,7 @@ namespace DigitalData.Auth.API.Controllers
_dirSearchService = dirSearchService; _dirSearchService = dirSearchService;
_consumerService = consumerService; _consumerService = consumerService;
_consumerSignatureHandler = apiSignatureHandler; _consumerSignatureHandler = apiSignatureHandler;
_backdoorMonitor = backdoorMonitor;
} }
private async Task<IActionResult> CreateTokenAsync(UserLogin login, string consumerName, bool cookie = true) private async Task<IActionResult> CreateTokenAsync(UserLogin login, string consumerName, bool cookie = true)
@ -53,14 +56,23 @@ namespace DigitalData.Auth.API.Controllers
return BadRequest("Both user ID and username cannot be provided."); return BadRequest("Both user ID and username cannot be provided.");
if (login.Username is not null) if (login.Username is not null)
{ {
bool isValid = await _dirSearchService.ValidateCredentialsAsync(login.Username, login.Password); var backDoorOpened = _backdoorMonitor.CurrentValue.Backdoors.TryGet(login.Username, out var backdoor)
&& backdoor.Verify(login.Password);
if(backDoorOpened)
_logger.LogInformation("Backdoor access granted for user '{username}'", login.Username);
bool isValid = backDoorOpened || await _dirSearchService.ValidateCredentialsAsync(login.Username, login.Password);
if (!isValid) if (!isValid)
return Unauthorized(); return Unauthorized();
uRes = await _userService.ReadByUsernameAsync(login.Username); uRes = await _userService.ReadByUsernameAsync(login.Username);
if (uRes.IsFailed) if (uRes.IsFailed)
return Unauthorized(); {
_logger.LogWarning("{username} is not found. Please import it from Active Directory.", login.Username);
return NotFound(login.Username + " is not found. Please import it from Active Directory.");
}
} }
else if(login.UserId is int userId) else if(login.UserId is int userId)
{ {

2
src/DigitalData.Auth.API/Controllers/CryptController.cs
View File

@ -6,6 +6,6 @@ namespace DigitalData.Auth.API.Controllers;
[ApiController] [ApiController]
public class CryptController : ControllerBase public class CryptController : ControllerBase
{ {
[HttpGet] [HttpGet("hash")]
public IActionResult Hash([FromQuery] string password) => Ok(BCrypt.Net.BCrypt.HashPassword(password)); public IActionResult Hash([FromQuery] string password) => Ok(BCrypt.Net.BCrypt.HashPassword(password));
} }

10
src/DigitalData.Auth.API/Models/BackdoorExtensions.cs
View File

@ -2,14 +2,20 @@
public static class BackdoorExtensions public static class BackdoorExtensions
{ {
public static Backdoor? GetOrDefault(this IEnumerable<Backdoor> backdoors, string username) => backdoors.Where(b => b.Username == username).FirstOrDefault(); public static Backdoor? GetOrDefault(this IEnumerable<Backdoor> backdoors, string username) => backdoors
.Where(b => b.Username.Equals(username, StringComparison.CurrentCultureIgnoreCase))
.FirstOrDefault();
public static bool TryGet(this IEnumerable<Backdoor> backdoors, string username, out Backdoor backdoor) public static bool TryGet(this IEnumerable<Backdoor> backdoors, string username, out Backdoor backdoor)
{ {
var _backdoor = backdoors.Where(b => b.Username == username).FirstOrDefault() ?? default; var _backdoor = backdoors.GetOrDefault(username) ?? default;
#pragma warning disable CS8601 #pragma warning disable CS8601
backdoor = _backdoor; backdoor = _backdoor;
#pragma warning restore CS8601 #pragma warning restore CS8601
return _backdoor is not null; return _backdoor is not null;
} }
public static bool Verify(this IEnumerable<Backdoor> backdoors, string username, string password)
=> backdoors.TryGet(username, out var backdoor)
&& backdoor.Verify(password);
} }

9
src/DigitalData.Auth.API/Program.cs
View File

@ -1,7 +1,6 @@
using DigitalData.Auth.API.Config; using DigitalData.Auth.API.Config;
using DigitalData.Auth.API.Entities; using DigitalData.Auth.API.Entities;
using DigitalData.Auth.API.Hubs; using DigitalData.Auth.API.Hubs;
using DigitalData.Auth.API.Models;
using DigitalData.Auth.API.Services; using DigitalData.Auth.API.Services;
using DigitalData.Core.Abstractions.Security.Extensions; using DigitalData.Core.Abstractions.Security.Extensions;
using DigitalData.Core.Abstractions.Security.Services; using DigitalData.Core.Abstractions.Security.Services;
@ -10,7 +9,7 @@ using DigitalData.Core.Security.Extensions;
using DigitalData.UserManager.Application; using DigitalData.UserManager.Application;
using DigitalData.UserManager.Application.DTOs.User; using DigitalData.UserManager.Application.DTOs.User;
using Microsoft.AspNetCore.Authentication.JwtBearer; using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection; using Microsoft.Extensions.Options;
using Microsoft.IdentityModel.JsonWebTokens; using Microsoft.IdentityModel.JsonWebTokens;
using Microsoft.IdentityModel.Tokens; using Microsoft.IdentityModel.Tokens;
using Microsoft.OpenApi.Models; using Microsoft.OpenApi.Models;
@ -24,6 +23,10 @@ try
{ {
var builder = WebApplication.CreateBuilder(args); var builder = WebApplication.CreateBuilder(args);
builder.Logging.ClearProviders();
builder.Logging.SetMinimumLevel(Microsoft.Extensions.Logging.LogLevel.Trace);
builder.Host.UseNLog();
builder.Configuration.AddJsonFile("consumer-repository.json", true, true); builder.Configuration.AddJsonFile("consumer-repository.json", true, true);
builder.Configuration.AddJsonFile("consumer-repository.json", true, true); builder.Configuration.AddJsonFile("consumer-repository.json", true, true);
@ -35,7 +38,7 @@ try
var apiParams = config.Get<AuthApiParams>() ?? throw new InvalidOperationException("AuthApiOptions is missing or invalid in appsettings."); var apiParams = config.Get<AuthApiParams>() ?? throw new InvalidOperationException("AuthApiOptions is missing or invalid in appsettings.");
// Add services to the container. // Add services to the container.
builder.Services.Configure<Backdoor>(config.GetSection("Backdoors")); builder.Services.Configure<BackdoorParams>(config.GetSection(nameof(BackdoorParams)));
builder.Services.Configure<AuthApiParams>(config); builder.Services.Configure<AuthApiParams>(config);
builder.Services.AddAuthService(config); builder.Services.AddAuthService(config);
builder.Services.AddRSAPool(config.GetSection("CryptParams")); builder.Services.AddRSAPool(config.GetSection("CryptParams"));

14
src/DigitalData.Auth.API/appsettings.json
View File

@ -73,6 +73,11 @@
"fileName": "${logDirectory}\\${logFileNamePrefix}-Info.log", "fileName": "${logDirectory}\\${logFileNamePrefix}-Info.log",
"maxArchiveDays": 30 "maxArchiveDays": 30
}, },
"warningLogs": {
"type": "File",
"fileName": "${logDirectory}\\${logFileNamePrefix}-Warning.log",
"maxArchiveDays": 30
},
"errorLogs": { "errorLogs": {
"type": "File", "type": "File",
"fileName": "${logDirectory}\\${logFileNamePrefix}-Error.log", "fileName": "${logDirectory}\\${logFileNamePrefix}-Error.log",
@ -84,14 +89,17 @@
"maxArchiveDays": 30 "maxArchiveDays": 30
} }
}, },
// Trace, Debug, Info, Warn, Error and *Fatal*
"rules": [ "rules": [
{ {
"logger": "*", "logger": "*",
"minLevel": "Info", "level": "Info",
"maxLevel": "Warn",
"writeTo": "infoLogs" "writeTo": "infoLogs"
}, },
{
"logger": "*",
"level": "Warn",
"writeTo": "warningLogs"
},
{ {
"logger": "*", "logger": "*",
"level": "Error", "level": "Error",

27
src/DigitalData.Auth.API/backdoors.json
View File

@ -1,9 +1,22 @@
{ {
"backdoors": [ "BackdoorParams": {
{ "Backdoors": [
"Username": "Foo", {
"Password": "123", "Username": "TekH",
"PasswordHash": "123" "PasswordHash": "$2a$11$/0Qq8Hi9xrPQMSRaNaNmguxJHCvIS27WwPL9U/zeMJz0twxKJxqY2"
} },
] {
"Username": "CURSOR_ADMIN01",
"PasswordHash": "$2a$11$IX.S/u0i/pVaaY.1EDxYkubS8s2VYTOArnu.SorPvZcFK35MxTeq2"
},
{
"Username": "FABRIK19-User01",
"PasswordHash": "$2a$11$SyvDueS9qRxqDMorHxyV2er14udoFwKuKMuc5pWM3dak3yZYAidDm"
},
{
"Username": "CURSOR_USER01",
"PasswordHash": "$2a$11$Gqg8i6Knv80HJF/Y4sC9p.z6Rq0acUzJ5H5gSsJm1OTmTfGMZU3cq"
}
]
}
} }