From 8c7ebbd8650d454f5867369071d6b0f66510023c Mon Sep 17 00:00:00 2001
From: Laura Hausmann
Date: Sun, 28 Jan 2024 01:40:44 +0100
Subject: [PATCH] Suppress Argon2-related DPA issues correctly & add justifications, improve AuthController.Login
---
 Iceshrimp.Backend/Controllers/AuthController.cs | 8 +++++++-
 Iceshrimp.Backend/Core/Helpers/AuthHelpers.cs | 8 ++++++--
 2 files changed, 13 insertions(+), 3 deletions(-)
diff --git a/Iceshrimp.Backend/Controllers/AuthController.cs b/Iceshrimp.Backend/Controllers/AuthController.cs
index 248be8fb..e2dd2a10 100644
--- a/Iceshrimp.Backend/Controllers/AuthController.cs
+++ b/Iceshrimp.Backend/Controllers/AuthController.cs
@@ -1,3 +1,4 @@
+using System.Diagnostics.CodeAnalysis;
 using System.Net.Mime;
 using Iceshrimp.Backend.Controllers.Schemas;
 using Iceshrimp.Backend.Core.Database;
@@ -46,7 +47,9 @@ public class AuthController(DatabaseContext db, UserService userSvc) : Controlle
 [ProducesResponseType(StatusCodes.Status200OK, Type = typeof(AuthResponse))]
 [ProducesResponseType(StatusCodes.Status400BadRequest, Type = typeof(ErrorResponse))]
 [ProducesResponseType(StatusCodes.Status403Forbidden, Type = typeof(ErrorResponse))]
- public async Task Login([FromBody] AuthRequest request, Session? session = null) {
+ [SuppressMessage("ReSharper.DPA", "DPA0011: High execution time of MVC action", Justification = "Argon2 is execution time-heavy by design")]
+ public async Task Login([FromBody] AuthRequest request) {
 var user = await db.Users.FirstOrDefaultAsync(p => p.Host == null && p.UsernameLower == request.Username.ToLowerInvariant());
 if (user == null)
@@ -57,6 +60,7 @@ public class AuthController(DatabaseContext db, UserService userSvc) : Controlle
 if (!AuthHelpers.ComparePassword(request.Password, profile.Password))
 return StatusCode(StatusCodes.Status403Forbidden);
+ var session = HttpContext.GetSession();
 if (session == null) {
 session = new Session {
 Id = IdHelpers.GenerateSlowflakeId(),
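Review bot: The early exit at `if (user == null)` (its body continues past the hunk) skips the Argon2 verify that the new `[SuppressMessage]` justification itself describes as deliberately slow, so response time distinguishes existing local usernames from unknown ones and allows account enumeration on the login endpoint. A standard mitigation is to verify the supplied password against a static dummy Argon2 encoding on the unknown-user path before returning the same status the bad-password path uses, e.g. `if (user == null) { AuthHelpers.ComparePassword(request.Password, DummyArgon2Hash); return StatusCode(StatusCodes.Status403Forbidden); }` where `DummyArgon2Hash` is a real encoding produced with the production cost parameters so the timing matches. Whether the existing null branch returns 403 or 400 is outside the hunk; it should match the wrong-password response (403 a few lines later) so the status code does not leak what the timing no longer does. `request.Username.ToLowerInvariant()` will also throw if the body omits the username unless `AuthRequest` marks it required — confirm the model, or guard it to return 400 rather than a 500.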
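Review bot: `var session = HttpContext.GetSession();` makes a successful login adopt whatever session the request already carries, but nothing in the hunk checks that this session belongs to the user whose credentials were just verified; the non-null path is outside the hunk, so if it returns the existing token, presenting user A's session while authenticating as user B hands B's caller A's session, and if it rebinds the session to B it lets an attacker-controlled token become B's (session fixation). A login endpoint should normally issue a fresh session regardless of what the request carries, or at minimum require ownership before reuse: `if (session == null || session.UserId != user.Id) { session = new Session { ... } }` — the property names are assumed, confirm against the `Session` model. Dropping the model-bound `Session? session = null` action parameter is the right fix on its own; the remaining question is only what the reused session may be.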
@@ -103,6 +107,8 @@ public class AuthController(DatabaseContext db, UserService userSvc) : Controlle
 [ProducesResponseType(StatusCodes.Status200OK, Type = typeof(AuthResponse))]
 [ProducesResponseType(StatusCodes.Status400BadRequest, Type = typeof(ErrorResponse))]
 [ProducesResponseType(StatusCodes.Status403Forbidden, Type = typeof(ErrorResponse))]
+ [SuppressMessage("ReSharper.DPA", "DPA0011: High execution time of MVC action", Justification = "Argon2 is execution time-heavy by design")]
 public async Task ChangePassword([FromBody] ChangePasswordRequest request) {
 var user = HttpContext.GetUser() ?? throw new GracefulException("HttpContext.GetUser() was null");
 var userProfile = await db.UserProfiles.FirstOrDefaultAsync(p => p.User == user);
diff --git a/Iceshrimp.Backend/Core/Helpers/AuthHelpers.cs b/Iceshrimp.Backend/Core/Helpers/AuthHelpers.cs
index 036e599e..d98b9911 100644
--- a/Iceshrimp.Backend/Core/Helpers/AuthHelpers.cs
+++ b/Iceshrimp.Backend/Core/Helpers/AuthHelpers.cs
@@ -5,12 +5,16 @@ namespace Iceshrimp.Backend.Core.Helpers;
 public static class AuthHelpers {
 // TODO: Implement legacy (bcrypt) hash detection
- [SuppressMessage("ReSharper.DPA", "DPA0003: Excessive memory allocations in LOH")]
+ [SuppressMessage("ReSharper.DPA", "DPA0003: Excessive memory allocations in LOH", MessageId = "type: System.UInt64[]; size: 65MB", Justification = "Argon2 is memory-heavy by design")]
 public static bool ComparePassword(string password, string hash) {
 return Argon2.Verify(hash, password);
 }
- [SuppressMessage("ReSharper.DPA", "DPA0003: Excessive memory allocations in LOH")]
+ [SuppressMessage("ReSharper.DPA", "DPA0003: Excessive memory allocations in LOH", MessageId = "type: System.UInt64[]; size: 65MB", Justification = "Argon2 is memory-heavy by design")]
 public static string HashPassword(string password) {
 return Argon2.Hash(password, parallelism: 4);
 }
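Review bot: `ComparePassword` hands `hash` straight to `Argon2.Verify(hash, password)` with no guard, and the TODO directly above admits legacy bcrypt hashes are not detected yet, so a null or empty stored hash (an account with no local password) or a `$2…` bcrypt string from a migrated database reaches the Argon2 decoder — depending on the library that is either a silent `false` or an exception that surfaces as a 500 from the Login action. An explicit prefix check makes the failure mode deliberate and cheap: `if (string.IsNullOrEmpty(hash) || !hash.StartsWith("$argon2", StringComparison.Ordinal)) return false;`. Separately, `HashPassword` pins only `parallelism: 4` and leaves memory and iteration cost to library defaults, while the new `MessageId = "type: System.UInt64[]; size: 65MB"` silently encodes that default memory cost; naming the cost parameters as constants next to the method (the library's parameter names should be checked) keeps the password-hashing policy reviewable and keeps the suppression honest if the cost is ever tuned. The helper's `(password, hash)` order is also the reverse of `Argon2.Verify(hash, password)`, which a swapped call would not catch at compile time; a one-line `/// <summary>` on `ComparePassword` stating the argument order is worth adding.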