xTr1m/GameList
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Harden CSRF/CSP and add hash version upgrades

Browse Source
This commit is contained in:
Frank Tovar
2026-02-18 20:51:18 +01:00
parent 3c7f3d2114
commit a130cba41a
23 changed files with 627 additions and 57 deletions
Download Patch File Download Diff File Expand all files Collapse all files

105
Infrastructure/CsrfProtectionMiddleware.cs Normal file
View File

@@ -0,0 +1,105 @@
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Primitives;
namespace GameList.Infrastructure;
public sealed class CsrfProtectionMiddleware(RequestDelegate next)
{
public async Task InvokeAsync(HttpContext context)
{
if (!ShouldValidate(context))
{
await next(context);
return;
}
if (IsSameOriginRequest(context))
{
await next(context);
return;
}
await WriteCsrfFailureAsync(context);
}
private static bool ShouldValidate(HttpContext context)
{
if (!context.Request.Path.StartsWithSegments("/api", StringComparison.OrdinalIgnoreCase))
return false;
if (!HttpMethods.IsPost(context.Request.Method)
&& !HttpMethods.IsPut(context.Request.Method)
&& !HttpMethods.IsDelete(context.Request.Method)
&& !HttpMethods.IsPatch(context.Request.Method))
return false;
return context.User.Identity?.IsAuthenticated == true;
}
private static bool IsSameOriginRequest(HttpContext context)
{
var originValues = context.Request.Headers.Origin;
if (!StringValues.IsNullOrEmpty(originValues))
{
foreach (var origin in originValues)
{
if (string.IsNullOrWhiteSpace(origin))
return false;
if (!IsSameOrigin(origin, context))
return false;
}
return true;
}
var referer = context.Request.Headers.Referer.ToString();
if (string.IsNullOrWhiteSpace(referer))
return false;
return IsSameOrigin(referer, context);
}
private static bool IsSameOrigin(string raw, HttpContext context)
{
if (!Uri.TryCreate(raw, UriKind.Absolute, out var uri))
return false;
var requestScheme = context.Request.Scheme;
if (!string.Equals(uri.Scheme, requestScheme, StringComparison.OrdinalIgnoreCase))
return false;
var requestHost = context.Request.Host.Host;
if (!string.Equals(uri.Host, requestHost, StringComparison.OrdinalIgnoreCase))
return false;
var uriPort = uri.IsDefaultPort ? GetDefaultPort(uri.Scheme) : uri.Port;
var requestPort = context.Request.Host.Port ?? GetDefaultPort(requestScheme);
return uriPort == requestPort;
}
private static int GetDefaultPort(string scheme)
{
return string.Equals(scheme, "https", StringComparison.OrdinalIgnoreCase) ? 443 : 80;
}
private static Task WriteCsrfFailureAsync(HttpContext context)
{
if (context.Response.HasStarted)
return Task.CompletedTask;
context.Response.StatusCode = StatusCodes.Status400BadRequest;
context.Response.ContentType = "application/problem+json";
var problem = new ProblemDetails
{
Status = StatusCodes.Status400BadRequest,
Title = "Bad Request",
Detail = "CSRF validation failed.",
Extensions = { ["error"] = "CSRF validation failed." }
};
return context.Response.WriteAsJsonAsync(problem);
}
}

62
Infrastructure/PasswordHasher.cs
View File

@@ -5,31 +5,81 @@ namespace GameList.Infrastructure;
public static class PasswordHasher
{
public const int LegacyVersion = 1;
public const int CurrentVersion = 2;
private const int SaltSize = 16;
private const int KeySize = 32;
private const int Iterations = 210_000;
private const int IterationsV1 = 210_000;
private const int IterationsV2 = 350_000;
public static (byte[] Hash, byte[] Salt) HashPassword(string password)
=> HashPassword(password, CurrentVersion);
public static (byte[] Hash, byte[] Salt) HashPassword(string password, int version)
{
if (string.IsNullOrEmpty(password))
throw new ArgumentException("Password required", nameof(password));
var normalizedVersion = NormalizeHashVersion(version);
var salt = RandomNumberGenerator.GetBytes(SaltSize);
var hash = PBKDF2(password, salt);
var hash = PBKDF2(password, salt, normalizedVersion);
return (hash, salt);
}
public static bool Verify(string password, byte[] hash, byte[] salt)
=> Verify(password, hash, salt, LegacyVersion, out _);
public static bool Verify(string password, byte[] hash, byte[] salt, int version, out bool needsRehash)
{
needsRehash = false;
if (hash.Length == 0 || salt.Length == 0)
return false;
var computed = PBKDF2(password, salt);
return CryptographicOperations.FixedTimeEquals(computed, hash);
var normalizedVersion = NormalizeVerifyVersion(version);
if (normalizedVersion == 0)
return false;
var computed = PBKDF2(password, salt, normalizedVersion);
var verified = CryptographicOperations.FixedTimeEquals(computed, hash);
needsRehash = verified && normalizedVersion < CurrentVersion;
return verified;
}
private static byte[] PBKDF2(string password, byte[] salt)
private static int NormalizeHashVersion(int version)
{
return Rfc2898DeriveBytes.Pbkdf2(Encoding.UTF8.GetBytes(password), salt, Iterations, HashAlgorithmName.SHA256, KeySize);
return version switch
{
<= LegacyVersion => LegacyVersion,
CurrentVersion => CurrentVersion,
_ => throw new ArgumentOutOfRangeException(nameof(version), "Unsupported password hash version.")
};
}
private static int NormalizeVerifyVersion(int version)
{
return version switch
{
<= LegacyVersion => LegacyVersion,
CurrentVersion => CurrentVersion,
_ => 0
};
}
private static int ResolveIterations(int version)
{
return version switch
{
LegacyVersion => IterationsV1,
CurrentVersion => IterationsV2,
_ => IterationsV1
};
}
private static byte[] PBKDF2(string password, byte[] salt, int version)
{
var iterations = ResolveIterations(version);
return Rfc2898DeriveBytes.Pbkdf2(Encoding.UTF8.GetBytes(password), salt, iterations, HashAlgorithmName.SHA256, KeySize);
}
}