Harden CSRF/CSP and add hash version upgrades

2026-02-18 20:51:18 +01:00
parent 3c7f3d2114
commit a130cba41a
23 changed files with 627 additions and 57 deletions
--- a/Infrastructure/PasswordHasher.cs
+++ b/Infrastructure/PasswordHasher.cs
@@ -5,31 +5,81 @@ namespace GameList.Infrastructure;

 public static class PasswordHasher
 {
+    public const int LegacyVersion = 1;
+    public const int CurrentVersion = 2;
+
    private const int SaltSize = 16;
    private const int KeySize = 32;
-    private const int Iterations = 210_000;
+    private const int IterationsV1 = 210_000;
+    private const int IterationsV2 = 350_000;

    public static (byte[] Hash, byte[] Salt) HashPassword(string password)
+        => HashPassword(password, CurrentVersion);
+
+    public static (byte[] Hash, byte[] Salt) HashPassword(string password, int version)
    {
        if (string.IsNullOrEmpty(password))
            throw new ArgumentException("Password required", nameof(password));

+        var normalizedVersion = NormalizeHashVersion(version);
        var salt = RandomNumberGenerator.GetBytes(SaltSize);
-        var hash = PBKDF2(password, salt);
+        var hash = PBKDF2(password, salt, normalizedVersion);
        return (hash, salt);
    }

    public static bool Verify(string password, byte[] hash, byte[] salt)
+        => Verify(password, hash, salt, LegacyVersion, out _);
+
+    public static bool Verify(string password, byte[] hash, byte[] salt, int version, out bool needsRehash)
    {
+        needsRehash = false;
        if (hash.Length == 0 || salt.Length == 0)
            return false;

-        var computed = PBKDF2(password, salt);
-        return CryptographicOperations.FixedTimeEquals(computed, hash);
+        var normalizedVersion = NormalizeVerifyVersion(version);
+        if (normalizedVersion == 0)
+            return false;
+
+        var computed = PBKDF2(password, salt, normalizedVersion);
+        var verified = CryptographicOperations.FixedTimeEquals(computed, hash);
+
+        needsRehash = verified && normalizedVersion < CurrentVersion;
+        return verified;
    }

-    private static byte[] PBKDF2(string password, byte[] salt)
+    private static int NormalizeHashVersion(int version)
    {
-        return Rfc2898DeriveBytes.Pbkdf2(Encoding.UTF8.GetBytes(password), salt, Iterations, HashAlgorithmName.SHA256, KeySize);
+        return version switch
+        {
+            <= LegacyVersion => LegacyVersion,
+            CurrentVersion => CurrentVersion,
+            _ => throw new ArgumentOutOfRangeException(nameof(version), "Unsupported password hash version.")
+        };
+    }
+
+    private static int NormalizeVerifyVersion(int version)
+    {
+        return version switch
+        {
+            <= LegacyVersion => LegacyVersion,
+            CurrentVersion => CurrentVersion,
+            _ => 0
+        };
+    }
+
+    private static int ResolveIterations(int version)
+    {
+        return version switch
+        {
+            LegacyVersion => IterationsV1,
+            CurrentVersion => IterationsV2,
+            _ => IterationsV1
+        };
+    }
+
+    private static byte[] PBKDF2(string password, byte[] salt, int version)
+    {
+        var iterations = ResolveIterations(version);
+        return Rfc2898DeriveBytes.Pbkdf2(Encoding.UTF8.GetBytes(password), salt, iterations, HashAlgorithmName.SHA256, KeySize);
    }
 }