# Security

## Administrator
In the BlazorBoilerplate.Constants project, change the Administrator user name to something less obvious than "admin".

```csharp
namespace BlazorBoilerplate.Constants
{
    public static class DefaultUserNames
    {
        public const string Administrator = "iamtheboss";
        public const string User = "user";
    }
}
```
In the same project, strengthen the password policy.

```csharp
namespace BlazorBoilerplate.Constants
{
    public static class PasswordPolicy
    {
        public const bool RequireDigit = true;
        public const int RequiredLength = 8;
        public const bool RequireNonAlphanumeric = true;
        public const bool RequireUppercase = true;
        public const bool RequireLowercase = true;
    }
}
```
In DatabaseInitializer in the BlazorBoilerplate.Storage project, change the Administrator password "admin123" to one that satisfies the new policy.

```csharp
public async Task EnsureAdminIdentitiesAsync()
{
    await EnsureRoleAsync(DefaultRoleNames.Administrator, _entityPermissions.GetAllPermissionValues());
    await CreateUserAsync(DefaultUserNames.Administrator, "X!PvG5+@", "Admin", "Blazor", "admin@blazorboilerplate.com", "+1 (123) 456-7890", new string[] { DefaultRoleNames.Administrator });
    // ...
}
```
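The constants above only matter if they are actually fed into ASP.NET Core Identity, and the seeded password is only safe if it really satisfies them. The following is an added example, not BlazorBoilerplate's own code: `PasswordPolicySetup.Apply` copies the `PasswordPolicy` constants into `IdentityOptions.Password` (the real Identity option names; how the project itself wires them in Startup is an assumption), and `Violations` is a small offline approximation of Identity's default password validator, driven by the same constants, so you can check that the old seed password "admin123" is rejected while the new one passes. Keep in mind that the seed password lives in source control: treat it as a bootstrap value to be changed at first login, or load it from configuration instead.

```csharp
// Added example (not BlazorBoilerplate's own code). Requires the
// Microsoft.AspNetCore.Identity package for IdentityOptions.
using System;
using System.Collections.Generic;
using System.Linq;
using Microsoft.AspNetCore.Identity;
using BlazorBoilerplate.Constants;

public static class PasswordPolicySetup
{
    // Call this from the AddIdentity/AddDefaultIdentity options callback in Startup
    // (assumption: the project exposes the constants to Identity this way).
    public static void Apply(IdentityOptions options)
    {
        options.Password.RequireDigit = PasswordPolicy.RequireDigit;
        options.Password.RequiredLength = PasswordPolicy.RequiredLength;
        options.Password.RequireNonAlphanumeric = PasswordPolicy.RequireNonAlphanumeric;
        options.Password.RequireUppercase = PasswordPolicy.RequireUppercase;
        options.Password.RequireLowercase = PasswordPolicy.RequireLowercase;
    }

    // Offline approximation of Identity's PasswordValidator rules, driven by the
    // same constants. Returns the names of the rules the password fails.
    public static string[] Violations(string password)
    {
        var failures = new List<string>();
        if (password.Length < PasswordPolicy.RequiredLength)
            failures.Add("RequiredLength");
        if (PasswordPolicy.RequireDigit && !password.Any(char.IsDigit))
            failures.Add("RequireDigit");
        if (PasswordPolicy.RequireUppercase && !password.Any(char.IsUpper))
            failures.Add("RequireUppercase");
        if (PasswordPolicy.RequireLowercase && !password.Any(char.IsLower))
            failures.Add("RequireLowercase");
        if (PasswordPolicy.RequireNonAlphanumeric && password.All(char.IsLetterOrDigit))
            failures.Add("RequireNonAlphanumeric");
        return failures.ToArray();
    }
}

public static class PasswordPolicyDemo
{
    public static void Main()
    {
        // The old seed password: 8 characters and one digit, but no uppercase
        // letter and no symbol, so two rules of the new policy fail.
        Console.WriteLine("admin123: " + string.Join(", ", PasswordPolicySetup.Violations("admin123")));

        // The new seed password from DatabaseInitializer has uppercase, lowercase,
        // a digit and symbols, so the violation list is empty.
        Console.WriteLine("X!PvG5+@ ok: " + (PasswordPolicySetup.Violations("X!PvG5+@").Length == 0));
    }
}
```

`Violations` is deliberately a mirror of the constants rather than a call into `UserManager`, so it can run without a database; the authoritative check is still Identity's own validator, which is why `Apply` must be called for the policy to have any effect on registration and password changes.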
## API endpoints
Imagine a malicious user writing or using a tool that calls your API endpoints directly, bypassing your UI: are your API endpoints protected by the right policy?

```csharp
[HttpGet]
[Authorize(Policies.IsAdmin)]
public IQueryable<ApplicationUser> Users()
{
    return persistenceManager.GetEntities<ApplicationUser>().AsNoTracking().Include(i => i.UserRoles).ThenInclude(i => i.Role).OrderBy(i => i.UserName);
}
```
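An attribute like `[Authorize(Policies.IsAdmin)]` is only as good as the policy registered under that name, and it does nothing for an action you forgot to decorate. The following added example (not BlazorBoilerplate's own Startup code) registers the `IsAdmin` policy so that it requires the `DefaultRoleNames.Administrator` role, and adds a fallback policy so that every endpoint with no explicit `[Authorize]` or `[AllowAnonymous]` attribute requires an authenticated user by default. `Policies.IsAdmin` and `DefaultRoleNames.Administrator` are names from this page; how the project actually builds the policy is an assumption.

```csharp
// Added example, not BlazorBoilerplate's own code. Requires ASP.NET Core 3.0+
// (endpoint routing) and app.UseAuthorization() in the request pipeline.
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;
using BlazorBoilerplate.Constants;

public static class AuthorizationSetup
{
    public static IServiceCollection AddBoilerplateAuthorization(this IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            // The policy referenced by [Authorize(Policies.IsAdmin)]: the caller must be
            // authenticated and hold the Administrator role.
            options.AddPolicy(Policies.IsAdmin, policy =>
                policy.RequireAuthenticatedUser()
                      .RequireRole(DefaultRoleNames.Administrator));

            // Safety net: any endpoint without an explicit authorization attribute
            // requires an authenticated user. An action you forgot to decorate is then
            // closed by default instead of open; opt out deliberately with [AllowAnonymous].
            options.FallbackPolicy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .Build();
        });

        return services;
    }
}
```

With the fallback policy in place, a direct request to an undecorated controller action returns 401 for an unauthenticated caller, which makes the "did I forget an attribute?" mistake visible in testing rather than exploitable in production.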
What about the Breeze SaveChanges endpoint?

```csharp
[AllowAnonymous]
[HttpPost]
public SaveResult SaveChanges([FromBody] JObject saveBundle)
...
```
First of all, remove the [AllowAnonymous] attribute. Even then, an authenticated malicious user could post a well-formed JSON save bundle that updates EF entities. To prevent this, decorate your EF entities with the appropriate Permissions attribute, e.g.:

```csharp
namespace BlazorBoilerplate.Infrastructure.Storage.DataModels
{
    [Permissions(Actions.Delete)]
    public partial class Todo : IAuditable, ISoftDelete
    ...
}
```
Add the entity permissions to a role and put a user in this role.
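The `[Permissions]` attribute only helps if something checks it before each entity in the save bundle is persisted. The following added example (not BlazorBoilerplate's or Breeze's own code) shows that check in isolation: map the save operation to the action it needs, read the entity type's attribute, and verify that the caller holds a matching permission claim. Everything project-specific here is an assumption: the `PermissionsAttribute` and `Actions` definitions are hypothetical stand-ins for the project's, `SaveOperation` stands in for Breeze's per-entity save state, the claim type `"permission"` and the `"Entity.Action"` value format are assumed, and the rule that only actions listed in the attribute require a claim mirrors the page's text rather than the project's actual implementation.

```csharp
// Added example, not BlazorBoilerplate's or Breeze's own code. All names below
// except the .NET framework types are hypothetical stand-ins (see lead-in).
using System;
using System.Reflection;
using System.Security.Claims;

[Flags]
public enum Actions { Create = 1, Read = 2, Update = 4, Delete = 8 }

[AttributeUsage(AttributeTargets.Class)]
public sealed class PermissionsAttribute : Attribute
{
    public Actions Actions { get; }
    public PermissionsAttribute(Actions actions) => Actions = actions;
}

// Stand-in for the per-entity state a SaveChanges bundle carries.
public enum SaveOperation { Added, Modified, Deleted }

// Same decoration as on the page: deleting a Todo requires a permission.
[Permissions(Actions.Delete)]
public partial class Todo
{
    public int Id { get; set; }
    public string Title { get; set; }
}

public static class SavePermissionCheck
{
    private static Actions Required(SaveOperation op) => op switch
    {
        SaveOperation.Added => Actions.Create,
        SaveOperation.Modified => Actions.Update,
        SaveOperation.Deleted => Actions.Delete,
        _ => throw new ArgumentOutOfRangeException(nameof(op))
    };

    // Returns true when the entity type declares no permission for this operation,
    // or when the caller carries the "<EntityName>.<Action>" permission claim.
    // Call this for every entity in the bundle before saving; reject the whole
    // bundle if any entity fails.
    public static bool IsAllowed(ClaimsPrincipal user, Type entityType, SaveOperation op)
    {
        var attr = entityType.GetCustomAttribute<PermissionsAttribute>();
        var action = Required(op);
        if (attr == null || !attr.Actions.HasFlag(action))
            return true; // assumption: unlisted actions are unrestricted

        var needed = $"{entityType.Name}.{action}";
        return user.HasClaim("permission", needed);
    }
}

public static class SavePermissionDemo
{
    public static void Main()
    {
        // Constructed principals: one with the Todo.Delete permission claim
        // (as granted through a role), one authenticated user with no permissions.
        var withPermission = new ClaimsPrincipal(
            new ClaimsIdentity(new[] { new Claim("permission", "Todo.Delete") }, "demo"));
        var withoutPermission = new ClaimsPrincipal(new ClaimsIdentity(Array.Empty<Claim>(), "demo"));

        // Delete is declared on Todo, so only the claim holder may delete.
        Console.WriteLine("delete with claim:    " + SavePermissionCheck.IsAllowed(withPermission, typeof(Todo), SaveOperation.Deleted));
        Console.WriteLine("delete without claim: " + SavePermissionCheck.IsAllowed(withoutPermission, typeof(Todo), SaveOperation.Deleted));

        // Update is not declared on Todo, so under this example's rule it is not restricted.
        Console.WriteLine("update without claim: " + SavePermissionCheck.IsAllowed(withoutPermission, typeof(Todo), SaveOperation.Modified));
    }
}
```

The last call is the point to think about when choosing which actions to list in the attribute: anything you leave out is, under this rule, open to every authenticated user who can post a save bundle, so list every action that should be restricted rather than only the most obviously dangerous one.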