admin/raven
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Browse Source
This commit is contained in:
John Cardinal
2019-01-18 18:39:24 +00:00
parent 43363e787c
commit 2b729a633f
4 changed files with 15 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
devdocs/todo.txt
View File

@@ -16,39 +16,16 @@ SERVER
- DO ALL THE THINGS!!!! - all the way down to DOCS MANUAL below which isn't urgent and go back to client stuff - DO ALL THE THINGS!!!! - all the way down to DOCS MANUAL below which isn't urgent and go back to client stuff
- WTF is this shit when logging is set to normal:
- LOOK INTO JWT issues?? 2019-01-16 16:13:03.4808|WARN|Microsoft.EntityFrameworkCore.Query|Query: '(from Widget <generated>_4 in DbSet<Widget> select [<generated>_4]).Skip(__p_1).Take(__p_2)' uses a row limiting operation (Skip/Take) without OrderBy which may lead to unpredictable results.
- potentially lots of issues, look into it as using them kind of mindlessly right now. 2019-01-16 16:13:03.6455|WARN|Microsoft.EntityFrameworkCore.Query|Query: '(from Widget <generated>_4 in DbSet<Widget> select [<generated>_4]).Skip(__p_1).Take(__p_2)' uses a row limiting operation (Skip/Take) without OrderBy which may lead to unpredictable results.
It could be simply that people are attempting to do other things I am not but to be safe read the criticism and see if any of it applies:
http://cryto.net/~joepie91/blog/2016/06/13/stop-using-jwt-for-sessions/
https://stackoverflow.com/questions/27301557/if-you-can-decode-jwt-how-are-they-secure/27301616#27301616
https://news.ycombinator.com/item?id=14292223
https://news.ycombinator.com/item?id=18804875
- Add tests to ensure security of JWT
- https://assets.pentesterlab.com/jwt_security_cheatsheet/jwt_security_cheatsheet.pdf
- https://gist.github.com/ejcx/cbf2e1bb75b02c7d77bc1cfcf84a167e
- DONE Test for expired token
- . Wrong key / credentials rejected (ISS?)
- Test truncated signature portion (3rd part)
- Test signature transpose bytes
- Test with no or wrong algorithm ensure won't accept
- Test inactive user can't login
- UPDATE: Update all 3rd party libs in use with server and re-test - UPDATE: Update all 3rd party libs in use with server and re-test
- It's been a while, some of the modules date to last fall - It's been a while, some of the modules date to last fall
- Test on OPS server - Test on OPS server
- WTF is this shit when logging is set to normal:
2019-01-16 16:13:03.4808|WARN|Microsoft.EntityFrameworkCore.Query|Query: '(from Widget <generated>_4 in DbSet<Widget> select [<generated>_4]).Skip(__p_1).Take(__p_2)' uses a row limiting operation (Skip/Take) without OrderBy which may lead to unpredictable results.
2019-01-16 16:13:03.6455|WARN|Microsoft.EntityFrameworkCore.Query|Query: '(from Widget <generated>_4 in DbSet<Widget> select [<generated>_4]).Skip(__p_1).Take(__p_2)' uses a row limiting operation (Skip/Take) without OrderBy which may lead to unpredictable results.
=-=-=-=-=-=- =-=-=-=-=-=-

4
docs/8.0/ayanova/docs/ops-config-jwt-secret.md
View File

@@ -5,10 +5,12 @@ AyaNova uses JSON Web Tokens (JWT) for authentication.
These time limited tokens are signed by the server using a secret key and issued to users when they log in to the AyaNova server. These time limited tokens are signed by the server using a secret key and issued to users when they log in to the AyaNova server.
Every time the user makes a request to the server the JWT is sent along as well and verified to be valid. Every time the user makes a request to the server the JWT is sent along as well and verified to be valid.
Tokens have a built in expiry mechanism to force users to re-login at periodic intervals in the range of days to weeks. Tokens have a built in expiry mechanism of 7 days from issue to force users to re-login at periodic intervals.
Users can be prevented from logging in even if they have a valid token by setting them to inactive. Users can be prevented from logging in even if they have a valid token by setting them to inactive.
All active tokens previously issued can be invalidated by changing this JWT Secret setting and restarting the server (or restarting the server and allowing it to choose a new secret value randomly if none is specified).
## Default ## Default
If no secret key is specified the server will generate a new, random one each time it starts and this means that remote users who previously authenticated will need to login freshly if the server is restarted. If no secret key is specified the server will generate a new, random one each time it starts and this means that remote users who previously authenticated will need to login freshly if the server is restarted.

5
server/AyaNova/Controllers/AuthController.cs
View File

@@ -28,6 +28,7 @@ namespace AyaNova.Api.Controllers
private readonly IConfiguration _configuration; private readonly IConfiguration _configuration;
private readonly ApiServerState serverState; private readonly ApiServerState serverState;
private readonly IMetrics metrics; private readonly IMetrics metrics;
private const int JWT_LIFETIME_DAYS=7;
/// <summary> /// <summary>
/// ctor /// ctor
@@ -71,7 +72,7 @@ namespace AyaNova.Api.Controllers
} }
int nFailedAuthDelay = 10000; int nFailedAuthDelay = 10000;
#if (DEBUG) #if (DEBUG)
nFailedAuthDelay = 1; nFailedAuthDelay = 1;
@@ -185,7 +186,7 @@ namespace AyaNova.Api.Controllers
//create a new datetime offset of now in utc time //create a new datetime offset of now in utc time
var iat = new DateTimeOffset(DateTime.Now.ToUniversalTime(), TimeSpan.Zero);//timespan zero means zero time off utc / specifying this is a UTC datetime var iat = new DateTimeOffset(DateTime.Now.ToUniversalTime(), TimeSpan.Zero);//timespan zero means zero time off utc / specifying this is a UTC datetime
var exp = new DateTimeOffset(DateTime.Now.AddDays(30).ToUniversalTime(), TimeSpan.Zero); var exp = new DateTimeOffset(DateTime.Now.AddDays(JWT_LIFETIME_DAYS).ToUniversalTime(), TimeSpan.Zero);
var payload = new Dictionary<string, object>() var payload = new Dictionary<string, object>()
{ {

5
server/AyaNova/Program.cs
View File

@@ -108,6 +108,10 @@ namespace AyaNova
var logRuleFilterOutMicrosoftEfCoreDbUpdateExceptions = new LoggingRule("Microsoft.EntityFrameworkCore.DbUpdateException", NLog.LogLevel.Trace, NLog.LogLevel.Error, nullTarget); var logRuleFilterOutMicrosoftEfCoreDbUpdateExceptions = new LoggingRule("Microsoft.EntityFrameworkCore.DbUpdateException", NLog.LogLevel.Trace, NLog.LogLevel.Error, nullTarget);
logRuleFilterOutMicrosoftEfCoreDbUpdateExceptions.Final = true; logRuleFilterOutMicrosoftEfCoreDbUpdateExceptions.Final = true;
//this rule is only intended to filter out this incorrect exception:
//2019-01-16 16:13:03.4808|WARN|Microsoft.EntityFrameworkCore.Query|Query: '(from Widget <generated>_4 in DbSet<Widget> select [<generated>_4]).Skip(__p_1).Take(__p_2)' uses a row limiting operation (Skip/Take) without OrderBy which may lead to unpredictable results.
var logRuleFilterOutMicrosoftEfCoreQueryExceptions = new LoggingRule("Microsoft.EntityFrameworkCore.Query", NLog.LogLevel.Trace, NLog.LogLevel.Error, nullTarget);
logRuleFilterOutMicrosoftEfCoreQueryExceptions.Final = true;
//Log all other regular items at selected level //Log all other regular items at selected level
@@ -127,6 +131,7 @@ namespace AyaNova
logConfig.LoggingRules.Add(logRuleFilterOutMicrosoftEfCoreConcurrencyExceptions); logConfig.LoggingRules.Add(logRuleFilterOutMicrosoftEfCoreConcurrencyExceptions);
logConfig.LoggingRules.Add(logRuleFilterOutMicrosoftEfCoreCommandExceptions); logConfig.LoggingRules.Add(logRuleFilterOutMicrosoftEfCoreCommandExceptions);
logConfig.LoggingRules.Add(logRuleFilterOutMicrosoftEfCoreDbUpdateExceptions); logConfig.LoggingRules.Add(logRuleFilterOutMicrosoftEfCoreDbUpdateExceptions);
logConfig.LoggingRules.Add(logRuleFilterOutMicrosoftEfCoreQueryExceptions);
} }
logConfig.LoggingRules.Add(logRuleAyaNovaItems); logConfig.LoggingRules.Add(logRuleAyaNovaItems);