Skip to content

Improve security of remote app connections #169

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 8 commits into from
Aug 30, 2022
Merged

Improve security of remote app connections #169

merged 8 commits into from
Aug 30, 2022

Conversation

@mjrousos
Copy link
Member

@mjrousos mjrousos commented Aug 24, 2022

This helps to ensure users are choosing strong API keys by requiring them to be parsable as GUIDs. Also updates docs to explain the API key requirements and recommend HTTPS for the ASP.NET app to ensure the ASP.NET Core app can request data from it in production scenarios securely.

Fixes #144

twsouthwick
twsouthwick approved these changes Aug 24, 2022
View reviewed changes
@twsouthwick twsouthwick mentioned this pull request Aug 24, 2022
Merged
@mjrousos mjrousos requested a review from twsouthwick August 24, 2022 20:30
adityamandaleeka
adityamandaleeka reviewed Aug 24, 2022
View reviewed changes
@mjrousos
Pull samples' API keys out into configuration
9999978 
This demonstrates better practice and makes it less likely users will copy the keys directly
twsouthwick
twsouthwick approved these changes Aug 29, 2022
View reviewed changes
@khellang
Copy link
Member

khellang commented Aug 29, 2022

Why force hexadecimal GUIDs? You could shave a lot of extra bytes on the wire by choosing more compact representations using higher-base encodings, while keeping the same amount of entropy.

If the goal is to enforce 128 bits of entropy, could you have a low-level ReadOnlyMemory<byte> (or just byte[]?) property with some convenience methods/propeties to set it using a hexadecimal GUID? Then validate the bytes instead?

@mjrousos
Copy link
Member Author

mjrousos commented Aug 30, 2022

@khellang yea, there are a lot of options here. I prefer a string over a byte[] since that makes it easier to read from some config sources.

And we could just say "string with minimum 12 characters" or something like that, but forcing the characters to be hex digits makes it less likely users will choose a "bad" password.

I'll re-work this given @twsouthwick's recent changes so that it just validates with a regex data annotation looking for 32 hex characters (with or without dashes or parentheses).

@mjrousos
Merge remote-tracking branch 'origin/main' into mjrousos/144
dc9af70 
# Conflicts:
#	samples/MvcApp/Web.config
#	src/Microsoft.AspNetCore.SystemWebAdapters.CoreServices/RemoteAppClientExtensions.cs
#	src/Microsoft.AspNetCore.SystemWebAdapters.CoreServices/RemoteAppClientOptions.cs
#	src/Microsoft.AspNetCore.SystemWebAdapters.FrameworkServices/RemoteAppServerExtensions.cs
@mjrousos
Implement API key validation via regex
e4a4199
@mjrousos mjrousos requested a review from twsouthwick August 30, 2022 18:56
twsouthwick
twsouthwick requested changes Aug 30, 2022
View reviewed changes
@mjrousos mjrousos requested a review from twsouthwick August 30, 2022 19:36
@mjrousos mjrousos merged commit f136fe4 into main Aug 30, 2022
@mjrousos mjrousos deleted the mjrousos/144 branch August 30, 2022 20:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@adityamandaleeka adityamandaleeka adityamandaleeka left review comments

@twsouthwick twsouthwick twsouthwick approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Feedback from review of remote app authentication design

5 participants

@mjrousos @khellang @adityamandaleeka @twsouthwick