Harden CSRF/CSP and add hash version upgrades

2026-02-18 20:51:18 +01:00
parent 3c7f3d2114
commit a130cba41a
23 changed files with 627 additions and 57 deletions


@@ -262,18 +262,27 @@ internal sealed class AdminWorkflowService(AppDbContext db)
if (string.IsNullOrWhiteSpace(password))
return ServiceError.BadRequest("Admin password is required.");
var admin = await db.Players.AsNoTracking().FirstOrDefaultAsync(p => p.Id == adminPlayerId && p.IsAdmin);
var admin = await db.Players.FirstOrDefaultAsync(p => p.Id == adminPlayerId && p.IsAdmin);
if (admin is null)
return ServiceError.Unauthorized();
var monitor = ctx.RequestServices.GetRequiredService<AuthAttemptMonitor>();
var verified = PasswordHasher.Verify(password, admin.PasswordHash, admin.PasswordSalt);
var verified = PasswordHasher.Verify(password, admin.PasswordHash, admin.PasswordSalt, admin.PasswordHashVersion, out var needsRehash);
if (!verified)
{
monitor.RecordFailure(ctx, "admin-password", admin.NormalizedUsername, "invalid-password");
return ServiceError.BadRequest("Invalid admin password.");
}
if (needsRehash)
{
var (upgradedHash, upgradedSalt) = PasswordHasher.HashPassword(password);
admin.PasswordHash = upgradedHash;
admin.PasswordSalt = upgradedSalt;
admin.PasswordHashVersion = PasswordHasher.CurrentVersion;
await db.SaveChangesAsync();
}
monitor.RecordSuccess(ctx, "admin-password", admin.NormalizedUsername);
return null;
}
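Review bot: The upgrade block under `if (needsRehash)` calls `await db.SaveChangesAsync()` after the password has already verified and before `monitor.RecordSuccess(...)`, so a database error during the rehash would turn a correct admin password into a failed request and leave the success unrecorded. Because the lookup no longer uses `AsNoTracking()`, that call also persists any other changes pending on the shared `AppDbContext`; whether any exist depends on the callers, and the method's signature and earlier lines are outside this hunk. I would treat the upgrade as best-effort, e.g. `try { await db.SaveChangesAsync(); } catch (DbUpdateException) { /* keep the old hash; retry on the next successful verify */ }`, with a log entry in the catch so repeated upgrade failures are visible. A short comment above the block, such as `// Opportunistic upgrade: only reached after the supplied password verified against the stored hash.`, would also make the ordering requirement explicit for later edits.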