C
C#•3mo ago
Strax

Identity framework yay or nay?

I am building a local password manger (for a local server). It's meant to be used by 1 user so one account. It should only have a master password. Does it make sense to use identity framework for that?
22 Replies
Pobiega
Pobiega•3mo ago
No Identity would be a pretty big overkill if you explicitly just want a single user, and no roles, claims etc
Strax
StraxOP•3mo ago
I don't mind going overkill if its overkill in terms of security but if it doesn't provide more security then it is pointless :franksinatra: speaking of security where do I keep my master password?
The Fog from Human Resources
The Fog from Human Resources•3mo ago
you dont :thinker:
Strax
StraxOP•3mo ago
:catthinking: like it will be hashed and salted and stuff
Jimmacle
Jimmacle•3mo ago
it would be overkill in terms of features and complexity i mean, you can use it but you'd only be using a tiny piece of it
Strax
StraxOP•3mo ago
:misty: Just a master password is easier
Jimmacle
Jimmacle•3mo ago
probably you can implement the exact same amount of security that identity does (PBKDF2-HMAC-SHA256 iirc) separately i actually already extracted the password hashing/verification, lemme find it
Strax
StraxOP•3mo ago
:peepoNoted: Sounds interesting I hope it's not too complicated to implement
Jimmacle
Jimmacle•3mo ago
    private const int SaltSize = 128 / 8;
    private const int HashSize = 256 / 8;
    private const KeyDerivationPrf Prf = KeyDerivationPrf.HMACSHA512;
    private const int Iterations = 100000;

    private static byte[] HashToken(string token)
    {
        var salt = RandomNumberGenerator.GetBytes(SaltSize);
        var subkey = KeyDerivation.Pbkdf2(token, salt, Prf, Iterations, HashSize);
        byte[] outputBytes = [..salt, ..subkey];
        return outputBytes;
    }

    private static bool VerifyToken(string token, byte[] tokenHash)
    {
        var salt = tokenHash[..SaltSize];
        var subkey = tokenHash[SaltSize..];
        var testSubkey = KeyDerivation.Pbkdf2(token, salt, Prf, Iterations, HashSize);
        return CryptographicOperations.FixedTimeEquals(subkey, testSubkey);
    }
    private const int SaltSize = 128 / 8;
    private const int HashSize = 256 / 8;
    private const KeyDerivationPrf Prf = KeyDerivationPrf.HMACSHA512;
    private const int Iterations = 100000;

    private static byte[] HashToken(string token)
    {
        var salt = RandomNumberGenerator.GetBytes(SaltSize);
        var subkey = KeyDerivation.Pbkdf2(token, salt, Prf, Iterations, HashSize);
        byte[] outputBytes = [..salt, ..subkey];
        return outputBytes;
    }

    private static bool VerifyToken(string token, byte[] tokenHash)
    {
        var salt = tokenHash[..SaltSize];
        var subkey = tokenHash[SaltSize..];
        var testSubkey = KeyDerivation.Pbkdf2(token, salt, Prf, Iterations, HashSize);
        return CryptographicOperations.FixedTimeEquals(subkey, testSubkey);
    }
Strax
StraxOP•3mo ago
Damn one class
Jimmacle
Jimmacle•3mo ago
that's the bare minimum to hash and verify passwords the same way identity does
Strax
StraxOP•3mo ago
Cool
Jimmacle
Jimmacle•3mo ago
it might depend on some asp.net core library
Strax
StraxOP•3mo ago
Random and stuff yep Well thank you I'll work on it tomorrow Ill also need to use it as like authentication To block the access to the api if you're not logged in :misty:
Pobiega
Pobiega•3mo ago
You can very easily apply a middleware or your own actionfilter much like [Authorize] that handles it
Strax
StraxOP•3mo ago
Authorise is library? Or A tag for the end point
Pobiega
Pobiega•3mo ago
its an attribute you can stick on endpoints or controllers
Strax
StraxOP•3mo ago
Like [required] And how do I configure what authorize checks for?
Pobiega
Pobiega•3mo ago
It uses the built in authorization system that identity also uses. You could make your own authenticationschema that would work with it, but it might be simpler to just make up your own thing This is kinda what I meant with that identity is overkill here, you are trying to force a much more complicated system to do what is actually very simple
Strax
StraxOP•3mo ago
Well if I didn't use the identity How do I lock my endpoints behind a master password? 🤔I'll figure it out
Pobiega
Pobiega•3mo ago
create a login endpoint if the user gives the correct password, set a cookie look for that cookie in protected endpoints you can extract that behaviour to a middleware or actionfilter and it would behave much like [Authorize]
Strax
StraxOP•3mo ago
Cool :blobthumbsup: thanks for the help
Want results from more Discord servers?
Add your server