Suppress Argon2-related DPA issues correctly & add justifications, improve AuthController.Login

This commit is contained in:
Laura Hausmann 2024-01-28 01:40:44 +01:00
parent c7c8dc501d
commit 8c7ebbd865
No known key found for this signature in database
GPG key ID: D044E84C5BE01605
2 changed files with 13 additions and 3 deletions


@ -1,3 +1,4 @@
using System.Diagnostics.CodeAnalysis;
using System.Net.Mime;
using Iceshrimp.Backend.Controllers.Schemas;
using Iceshrimp.Backend.Core.Database;
@ -46,7 +47,9 @@ public class AuthController(DatabaseContext db, UserService userSvc) : Controlle
[ProducesResponseType(StatusCodes.Status200OK, Type = typeof(AuthResponse))]
[ProducesResponseType(StatusCodes.Status400BadRequest, Type = typeof(ErrorResponse))]
[ProducesResponseType(StatusCodes.Status403Forbidden, Type = typeof(ErrorResponse))]
public async Task<IActionResult> Login([FromBody] AuthRequest request, Session? session = null) {
[SuppressMessage("ReSharper.DPA", "DPA0011: High execution time of MVC action",
Justification = "Argon2 is execution time-heavy by design")]
public async Task<IActionResult> Login([FromBody] AuthRequest request) {
var user = await db.Users.FirstOrDefaultAsync(p => p.Host == null &&
p.UsernameLower == request.Username.ToLowerInvariant());
if (user == null)
@ -57,6 +60,7 @@ public class AuthController(DatabaseContext db, UserService userSvc) : Controlle
if (!AuthHelpers.ComparePassword(request.Password, profile.Password))
return StatusCode(StatusCodes.Status403Forbidden);
var session = HttpContext.GetSession();
if (session == null) {
session = new Session {
Id = IdHelpers.GenerateSlowflakeId(),
@ -103,6 +107,8 @@ public class AuthController(DatabaseContext db, UserService userSvc) : Controlle
[ProducesResponseType(StatusCodes.Status200OK, Type = typeof(AuthResponse))]
[ProducesResponseType(StatusCodes.Status400BadRequest, Type = typeof(ErrorResponse))]
[ProducesResponseType(StatusCodes.Status403Forbidden, Type = typeof(ErrorResponse))]
[SuppressMessage("ReSharper.DPA", "DPA0011: High execution time of MVC action",
Justification = "Argon2 is execution time-heavy by design")]
public async Task<IActionResult> ChangePassword([FromBody] ChangePasswordRequest request) {
var user = HttpContext.GetUser() ?? throw new GracefulException("HttpContext.GetUser() was null");
var userProfile = await db.UserProfiles.FirstOrDefaultAsync(p => p.User == user);
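Review bot: The new `var session = HttpContext.GetSession();` in Login picks up whatever session the caller already carries, and the branch taken when it is not null lies outside the hunk, so it is not visible whether that session is checked to belong to `user` before the login response is built; if it is not, compare the session's owning user with `user` and fall through to creating a fresh Session on mismatch, so a pre-existing session is never handed back for a different account. Separately, the `if (user == null)` early return skips `AuthHelpers.ComparePassword`, so unknown and known usernames answer with noticeably different latency; verifying against a fixed dummy hash on the not-found path before returning would keep the timing uniform. Login's body continues past the hunk, as does the else branch that follows `if (session == null)`.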


@ -5,12 +5,16 @@ namespace Iceshrimp.Backend.Core.Helpers;
public static class AuthHelpers {
// TODO: Implement legacy (bcrypt) hash detection
[SuppressMessage("ReSharper.DPA", "DPA0003: Excessive memory allocations in LOH")]
[SuppressMessage("ReSharper.DPA", "DPA0003: Excessive memory allocations in LOH",
MessageId = "type: System.UInt64[]; size: 65MB",
Justification = "Argon2 is memory-heavy by design")]
public static bool ComparePassword(string password, string hash) {
return Argon2.Verify(hash, password);
}
[SuppressMessage("ReSharper.DPA", "DPA0003: Excessive memory allocations in LOH")]
[SuppressMessage("ReSharper.DPA", "DPA0003: Excessive memory allocations in LOH",
MessageId = "type: System.UInt64[]; size: 65MB",
Justification = "Argon2 is memory-heavy by design")]
public static string HashPassword(string password) {
return Argon2.Hash(password, parallelism: 4);
}
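Review bot: `ComparePassword` passes `hash` straight to `Argon2.Verify`, and with the bcrypt-detection TODO still open a stored hash that is empty or not in Argon2's encoded format reaches the library unchecked; unless `Argon2.Verify` is known to return false rather than throw on such input, a guard like `if (string.IsNullOrEmpty(hash)) return false;` keeps a malformed profile row from turning a login into a 500. The `MessageId` on both suppressions pins `size: 65MB`, which follows from Argon2 cost parameters that `HashPassword` only partly sets (`parallelism: 4`, the rest at library defaults), so a comment above `HashPassword` such as `// Memory cost is the library default; keep the DPA0003 MessageId size in sync if these parameters change` would document that dependency. The two identical justification strings could be a single `private const string` referenced by both attributes. The hunk header counts 16 new-side lines while 14 are visible, so the hunk and the AuthHelpers class appear to continue past the last line shown.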