DataInbox - some security fixes

2024-07-15 19:46:02 +02:00
parent 26850c73ef
commit 6295e5263c
4 changed files with 70 additions and 2 deletions
--- a/WebAPI/Controllers/DataInboxController.cs
+++ b/WebAPI/Controllers/DataInboxController.cs
@@ -1,4 +1,5 @@
 using System.Data;
+using System.Text;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Data.SqlClient;
@@ -43,6 +44,61 @@ public class DataInboxController : Controller

        try
        {
+            if (
+                !Request.Headers.TryGetValue("Authorization", out var authHeader))
+            {
+                _logsController.AddEntry(new LogEntry
+                {
+                    Title = $"Unauthorized request - no authorization header ({dataInbox.Source})",
+                    Type = LogEntryType.Warning,
+                    LogType = LogType.DataInbox,
+                    CreatedAt = DateTime.UtcNow
+                });
+                return Unauthorized();
+            }
+
+            var credentialsArr = authHeader.ToString().Split(" ");
+            if (credentialsArr.Length != 2)
+            {
+                _logsController.AddEntry(new LogEntry
+                {
+                    Title = $"Unauthorized request - wrong auth header format ({dataInbox.Source})",
+                    Type = LogEntryType.Warning,
+                    LogType = LogType.DataInbox,
+                    CreatedAt = DateTime.UtcNow
+                });
+                return Unauthorized();
+            }
+
+            var authValue = Encoding.UTF8.GetString(Convert.FromBase64String(credentialsArr[1]));
+            var username = authValue.Split(':')[0];
+            var password = authValue.Split(':')[1];
+            if (username != _configuration["morska-user"] || password != _configuration["morska-pass"])
+            {
+                _logsController.AddEntry(new LogEntry
+                {
+                    Title = $"Unauthorized request - bad credentials ({dataInbox.Source})",
+                    Type = LogEntryType.Warning,
+                    LogType = LogType.PowerBi,
+                    CreatedAt = DateTime.UtcNow
+                });
+                return Unauthorized();
+            }
+            
+            // check if datainbox.data is base64 encoded value
+            if (!string.IsNullOrEmpty(dataInbox.Data) && !IsBase64String(dataInbox.Data))
+            {
+                _logsController.AddEntry(new LogEntry
+                {
+                    Title = $"Invalid data format - not base64 encoded ({dataInbox.Source})",
+                    Type = LogEntryType.Warning,
+                    LogType = LogType.DataInbox,
+                    CreatedAt = DateTime.UtcNow
+                });
+                return BadRequest("Invalid data format - not base64 encoded");
+            }
+            
+            
            dataInbox.Id = Guid.NewGuid();
            dataInbox.CreatedAt = DateTime.UtcNow;
            _db.DataInbox.Add(dataInbox);
@@ -77,4 +133,11 @@ public class DataInboxController : Controller
    {
        return Ok(_db.DataInbox);
    }
+    
+    // helpers
+    private bool IsBase64String(string data)
+    {
+        var bytes = new Span<byte>(new byte[256]); 
+        return Convert.TryFromBase64String(data, bytes, out _);
+    }
 }
--- a/WebAPI/Controllers/LayersController.cs
+++ b/WebAPI/Controllers/LayersController.cs
@@ -230,7 +230,8 @@ public class LayersController : Controller
                    {
                        var importer = new MorskaFk2Importer(_db, _googleSheetValues, this);
                        importer.Import(importWorker);
-
+                        Thread.Sleep(5000); // be aware of GSheet API quota
+                        
                        _logsController.AddEntry(new LogEntry
                        {
                            Title = $"{importWorker.Name}, {importWorker.Id}",
--- a/WebAPI/Program.cs
+++ b/WebAPI/Program.cs
@@ -60,7 +60,9 @@ var app = builder.Build();
 app.Use(async (context, next) =>
 {
    var token = context.Request.Headers.Authorization.ToString();
-    if (token.Length > 0 && !context.Request.Path.ToString().Contains("getForPowerBI")) {
+    if (token.Length > 0 
+        && !context.Request.Path.ToString().Contains("getForPowerBI")
+        && !context.Request.Path.ToString().Contains("DataInbox/Add")) {
        var handler = new JwtSecurityTokenHandler();
        var data = handler.ReadJwtToken(token.Split(' ')[1]);
        context.Request.Headers.Append("UserId", new Microsoft.Extensions.Primitives.StringValues(data.Subject));
--- a/WebAPI/appsettings.Development.json
+++ b/WebAPI/appsettings.Development.json
@@ -15,6 +15,8 @@
  "apiKey": "10763478CB738D4ecb2h76g803478CB738D4e",
  "powerBI-user": "powerbi",
  "powerBI-pass": "0F9C7E2D19FSLOCgKexz2h76g802tj6a",
+  "morska-user": "morska",
+  "morska-pass": "0F9C7E8CB738gK2h76g803478CB",
  "exportDirectory": "1eTyCUzYbzVQB8f8sbNmvnebFXyW2-axt",
  "appLogsFile": "13PuDvS3_HAYoSLOCgKexzlzIDLUilkApUF8QiJMTae0",
  "apiLocalUrl": "localhost:5400",