DataInbox - some security fixes
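--- a/PATH-NOT-ON-PAGE(DataInboxController)
+++ b/PATH-NOT-ON-PAGE(DataInboxController)
@@ -1,4 +1,5 @@
 using System.Data;
+using System.Text;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.Data.SqlClient;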
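--- a/PATH-NOT-ON-PAGE(DataInboxController)
+++ b/PATH-NOT-ON-PAGE(DataInboxController)
@@ -43,6 +44,61 @@ public class DataInboxController : Controller
 
 try
 {
+if (
+!Request.Headers.TryGetValue("Authorization", out var authHeader))
+{
+_logsController.AddEntry(new LogEntry
+{
+Title = $"Unauthorized request - no authorization header ({dataInbox.Source})",
+Type = LogEntryType.Warning,
+LogType = LogType.DataInbox,
+CreatedAt = DateTime.UtcNow
+});
+return Unauthorized();
+}
+
+var credentialsArr = authHeader.ToString().Split(" ");
+if (credentialsArr.Length != 2)
+{
+_logsController.AddEntry(new LogEntry
+{
+Title = $"Unauthorized request - wrong auth header format ({dataInbox.Source})",
+Type = LogEntryType.Warning,
+LogType = LogType.DataInbox,
+CreatedAt = DateTime.UtcNow
+});
+return Unauthorized();
+}
+
+var authValue = Encoding.UTF8.GetString(Convert.FromBase64String(credentialsArr[1]));
+var username = authValue.Split(':')[0];
+var password = authValue.Split(':')[1];
+if (username != _configuration["morska-user"] || password != _configuration["morska-pass"])
+{
+_logsController.AddEntry(new LogEntry
+{
+Title = $"Unauthorized request - bad credentials ({dataInbox.Source})",
+Type = LogEntryType.Warning,
+LogType = LogType.PowerBi,
+CreatedAt = DateTime.UtcNow
+});
+return Unauthorized();
+}
+
+// check if datainbox.data is base64 encoded value
+if (!string.IsNullOrEmpty(dataInbox.Data) && !IsBase64String(dataInbox.Data))
+{
+_logsController.AddEntry(new LogEntry
+{
+Title = $"Invalid data format - not base64 encoded ({dataInbox.Source})",
+Type = LogEntryType.Warning,
+LogType = LogType.DataInbox,
+CreatedAt = DateTime.UtcNow
+});
+return BadRequest("Invalid data format - not base64 encoded");
+}
+
+
 dataInbox.Id = Guid.NewGuid();
 dataInbox.CreatedAt = DateTime.UtcNow;
 _db.DataInbox.Add(dataInbox);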
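Review bot: The credential check at `if (username != _configuration["morska-user"] || password != _configuration["morska-pass"])` compares the shared secret with ordinary string inequality, and the lines before it are fragile: `authValue.Split(':')[1]` throws IndexOutOfRangeException when the decoded value has no colon and cuts a password containing a colon at the wrong place, while `Convert.FromBase64String` throws FormatException on a malformed header, so such requests propagate to whatever the enclosing `try` does (its `catch` lies outside the hunk) instead of returning 401. The scheme token in `credentialsArr[0]` is never checked, so any two-token header is treated as Basic. A scheme check, a split on the first colon only, `Convert.TryFromBase64String` and `CryptographicOperations.FixedTimeEquals` (needs `using System.Security.Cryptography;`) keep every failure inside the method, as sketched below. Separately, the bad-credentials log entry sets `LogType = LogType.PowerBi` while the other three entries in this hunk use `LogType.DataInbox`, which looks like a copy-paste slip.
```csharp
// … unchanged: missing-header check …
var credentialsArr = authHeader.ToString().Split(' ', 2);
if (credentialsArr.Length != 2 || !string.Equals(credentialsArr[0], "Basic", StringComparison.OrdinalIgnoreCase))
{
    // … unchanged: "wrong auth header format" log entry …
    return Unauthorized();
}

// Base64 text is never shorter than its decoded form, so this buffer always fits.
var rawCredentials = new byte[credentialsArr[1].Length];
if (!Convert.TryFromBase64String(credentialsArr[1], rawCredentials, out var decodedLength))
{
    return Unauthorized();
}
var authValue = Encoding.UTF8.GetString(rawCredentials, 0, decodedLength);
var separator = authValue.IndexOf(':');
if (separator < 0)
{
    return Unauthorized();
}
var username = authValue[..separator];
var password = authValue[(separator + 1)..]; // split on the first colon only; passwords may contain ':'
var expectedUser = _configuration["morska-user"] ?? string.Empty;
var expectedPass = _configuration["morska-pass"] ?? string.Empty;
// Constant-time comparison so response timing does not depend on how many characters match.
var userOk = CryptographicOperations.FixedTimeEquals(Encoding.UTF8.GetBytes(username), Encoding.UTF8.GetBytes(expectedUser));
var passOk = CryptographicOperations.FixedTimeEquals(Encoding.UTF8.GetBytes(password), Encoding.UTF8.GetBytes(expectedPass));
if (!userOk || !passOk)
{
    // … unchanged: "bad credentials" log entry (LogType.DataInbox) and return Unauthorized() …
}
// … unchanged: base64 check of dataInbox.Data …
```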
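--- a/PATH-NOT-ON-PAGE(DataInboxController)
+++ b/PATH-NOT-ON-PAGE(DataInboxController)
@@ -77,4 +133,11 @@ public class DataInboxController : Controller
 {
 return Ok(_db.DataInbox);
 }
+
+// helpers
+private bool IsBase64String(string data)
+{
+var bytes = new Span<byte>(new byte[256]);
+return Convert.TryFromBase64String(data, bytes, out _);
+}
 }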
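Review bot: `IsBase64String` decodes into a fixed 256-byte destination, and `Convert.TryFromBase64String` returns false when the destination is too small, so any `dataInbox.Data` that decodes to more than 256 bytes is reported to the caller as "not base64" and answered with a 400. Size the buffer from the input instead, `var bytes = new byte[data.Length];`, which is always at least the decoded length. The method reads no instance state and can be declared `private static bool IsBase64String(string data)`, with a short summary such as `/// <summary>True when <paramref name="data"/> is well-formed base64; the decoded bytes are discarded.</summary>`.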
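--- a/PATH-NOT-ON-PAGE(LayersController)
+++ b/PATH-NOT-ON-PAGE(LayersController)
@@ -230,7 +230,8 @@ public class LayersController : Controller
 {
 var importer = new MorskaFk2Importer(_db, _googleSheetValues, this);
 importer.Import(importWorker);
+Thread.Sleep(5000); // be aware of GSheet API quota
 
 _logsController.AddEntry(new LogEntry
 {
 Title = $"{importWorker.Name}, {importWorker.Id}",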
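Review bot: `Thread.Sleep(5000)` blocks the request thread for five seconds inside a controller action, so every import call holds a thread-pool thread for that time. If the enclosing action (its signature is outside the hunk) is or can be made `async`, `await Task.Delay(TimeSpan.FromSeconds(5));` yields the thread instead, and the delay belongs in a named constant rather than a bare `5000`. The comment should also say what the pause is for, e.g. `// pause between imports to stay under the Google Sheets API quota`.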
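--- a/PATH-NOT-ON-PAGE(app-builder-file)
+++ b/PATH-NOT-ON-PAGE(app-builder-file)
@@ -60,7 +60,9 @@ var app = builder.Build();
 app.Use(async (context, next) =>
 {
 var token = context.Request.Headers.Authorization.ToString();
-if (token.Length > 0 && !context.Request.Path.ToString().Contains("getForPowerBI")) {
+if (token.Length > 0
+&& !context.Request.Path.ToString().Contains("getForPowerBI")
+&& !context.Request.Path.ToString().Contains("DataInbox/Add")) {
 var handler = new JwtSecurityTokenHandler();
 var data = handler.ReadJwtToken(token.Split(' ')[1]);
 context.Request.Headers.Append("UserId", new Microsoft.Extensions.Primitives.StringValues(data.Subject));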
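Review bot: The new exclusion `&& !context.Request.Path.ToString().Contains("DataInbox/Add")` is an ordinal, case-sensitive substring test while ASP.NET Core routes match paths case-insensitively, so a request for the same action written with different casing still enters the JWT branch, where `handler.ReadJwtToken(token.Split(' ')[1])` tries to parse the Basic credential as a JWT and throws; a substring test also matches any other path that merely contains that text. `context.Request.Path.StartsWithSegments("/DataInbox/Add")` compares whole segments case-insensitively and would suit both exclusions in this condition. The middleware lambda continues beyond the hunk.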
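--- a/PATH-NOT-ON-PAGE(json-settings-file)
+++ b/PATH-NOT-ON-PAGE(json-settings-file)
@@ -15,6 +15,8 @@
 "apiKey": "10763478CB738D4ecb2h76g803478CB738D4e",
 "powerBI-user": "powerbi",
 "powerBI-pass": "0F9C7E2D19FSLOCgKexz2h76g802tj6a",
+"morska-user": "morska",
+"morska-pass": "0F9C7E8CB738gK2h76g803478CB",
 "exportDirectory": "1eTyCUzYbzVQB8f8sbNmvnebFXyW2-axt",
 "appLogsFile": "13PuDvS3_HAYoSLOCgKexzlzIDLUilkApUF8QiJMTae0",
 "apiLocalUrl": "localhost:5400",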
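Review bot: The new `"morska-user"` / `"morska-pass"` entries put a plaintext credential into a committed settings file, next to the existing `powerBI-pass` and `apiKey` values, and the value is now part of repository history. Keep the keys so `_configuration["morska-pass"]` still resolves, but supply the values through user secrets, environment variables or a secrets store, and treat the committed value as needing rotation. Plain JSON cannot carry a comment, so the README or deployment notes should state where these values are expected to come from.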