xTr1m/GameList
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Harden CSRF/CSP and add hash version upgrades

Browse Source
This commit is contained in:
Frank Tovar
2026-02-18 20:51:18 +01:00
parent 3c7f3d2114
commit a130cba41a
23 changed files with 627 additions and 57 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
Endpoints/AdminWorkflowService.cs
View File

@@ -262,18 +262,27 @@ internal sealed class AdminWorkflowService(AppDbContext db)
if (string.IsNullOrWhiteSpace(password))
return ServiceError.BadRequest("Admin password is required.");
var admin = await db.Players.AsNoTracking().FirstOrDefaultAsync(p => p.Id == adminPlayerId && p.IsAdmin);
var admin = await db.Players.FirstOrDefaultAsync(p => p.Id == adminPlayerId && p.IsAdmin);
if (admin is null)
return ServiceError.Unauthorized();
var monitor = ctx.RequestServices.GetRequiredService<AuthAttemptMonitor>();
var verified = PasswordHasher.Verify(password, admin.PasswordHash, admin.PasswordSalt);
var verified = PasswordHasher.Verify(password, admin.PasswordHash, admin.PasswordSalt, admin.PasswordHashVersion, out var needsRehash);
if (!verified)
{
monitor.RecordFailure(ctx, "admin-password", admin.NormalizedUsername, "invalid-password");
return ServiceError.BadRequest("Invalid admin password.");
}
if (needsRehash)
{
var (upgradedHash, upgradedSalt) = PasswordHasher.HashPassword(password);
admin.PasswordHash = upgradedHash;
admin.PasswordSalt = upgradedSalt;
admin.PasswordHashVersion = PasswordHasher.CurrentVersion;
await db.SaveChangesAsync();
}
monitor.RecordSuccess(ctx, "admin-password", admin.NormalizedUsername);
return null;
}

12
Endpoints/AuthEndpoints.cs
View File

@@ -60,6 +60,7 @@ public static class AuthEndpoints
NormalizedUsername = validated.NormalizedUsername,
PasswordHash = hash,
PasswordSalt = salt,
PasswordHashVersion = PasswordHasher.CurrentVersion,
DisplayName = validated.DisplayName,
IsAdmin = isAdmin,
IsOwner = isOwner,
@@ -104,12 +105,21 @@ public static class AuthEndpoints
}
var player = await db.Players.FirstOrDefaultAsync(p => p.NormalizedUsername == normalizedUsername);
if (player == null || !PasswordHasher.Verify(request.Password ?? string.Empty, player.PasswordHash, player.PasswordSalt))
if (player == null
|| !PasswordHasher.Verify(request.Password ?? string.Empty, player.PasswordHash, player.PasswordSalt, player.PasswordHashVersion, out var needsRehash))
{
authAttemptMonitor.RecordFailure(ctx, "auth-login", normalizedUsername, "invalid-credentials");
return EndpointHelpers.UnauthorizedError("Invalid username or password.");
}
if (needsRehash)
{
var (upgradedHash, upgradedSalt) = PasswordHasher.HashPassword(request.Password ?? string.Empty);
player.PasswordHash = upgradedHash;
player.PasswordSalt = upgradedSalt;
player.PasswordHashVersion = PasswordHasher.CurrentVersion;
}
if (string.IsNullOrWhiteSpace(player.DisplayName))
{
player.DisplayName = EndpointHelpers.TrimTo(player.Username, AuthValidator.MaxDisplayNameLength);