Security Hotfix (#1415)

* Updated ngx-extended-pdf-viewer to 14.5.2 + misc security vuln * Hooked up remove from want to read AND fixed a bug in the logic that was removing everything BUT what was passed. Allow for bookmarks to have date info for better ordering. * Implemented a quick way to set darkneses level on manga reader for when nightlight just isn't dark enough * Added Japanese Series name support in the Parser * Updated our security file with our Huntr. * Fixed a security vulnerability where through the API, an unauthorized user could delete/modify reading lists that did not belong to them. Fixed a bug where when creating a reading list with the name of another users, the API would throw an exception (but reading list would still get created) * Ensure all reading list apis are authorized * Ensured all APIs require authentication, except those that explicitly don't. All APIs are default requiring Authentication. Fixed a security vulnerability which would allow a user to take over an admin account. * Fixed a bug where cover-upload would accept filenames that were not expected. * Explicitly check that a user has access to the pdf file before we serve it back. * Enabled lock out when invalid user auth occurs. After 5 invalid auths, the user account will be locked out for 10 mins.
2022-08-08 15:47:37 -05:00 · 2022-08-08 15:47:37 -05:00 · 88b5ebeb69
commit 88b5ebeb69
parent 331e0d0ca9
35 changed files with 1988 additions and 358 deletions
--- a/API/Controllers/AccountController.cs
+++ b/API/Controllers/AccountController.cs
@ -70,13 +70,21 @@ namespace API.Controllers
        /// </summary>
        /// <param name="resetPasswordDto"></param>
        /// <returns></returns>
+        [AllowAnonymous]
        [HttpPost("reset-password")]
        public async Task<ActionResult> UpdatePassword(ResetPasswordDto resetPasswordDto)
        {
+            // TODO: Log this request to Audit Table
            _logger.LogInformation("{UserName} is changing {ResetUser}'s password", User.GetUsername(), resetPasswordDto.UserName);
-            var user = await _userManager.Users.SingleAsync(x => x.UserName == resetPasswordDto.UserName);

-            if (resetPasswordDto.UserName != User.GetUsername() && !(User.IsInRole(PolicyConstants.AdminRole) || User.IsInRole(PolicyConstants.ChangePasswordRole)))
+            var user = await _userManager.Users.SingleOrDefaultAsync(x => x.UserName == resetPasswordDto.UserName);
+            if (user == null) return Ok(); // Don't report BadRequest as that would allow brute forcing to find accounts on system
+
+
+            if (resetPasswordDto.UserName == User.GetUsername() && !(User.IsInRole(PolicyConstants.ChangePasswordRole) || User.IsInRole(PolicyConstants.AdminRole)))
+                return Unauthorized("You are not permitted to this operation.");
+
+            if (resetPasswordDto.UserName != User.GetUsername() && !User.IsInRole(PolicyConstants.AdminRole))
                return Unauthorized("You are not permitted to this operation.");

            var errors = await _accountService.ChangeUserPassword(user, resetPasswordDto.Password);
@ -94,6 +102,7 @@ namespace API.Controllers
        /// </summary>
        /// <param name="registerDto"></param>
        /// <returns></returns>
+        [AllowAnonymous]
        [HttpPost("register")]
        public async Task<ActionResult<UserDto>> RegisterFirstUser(RegisterDto registerDto)
        {
@ -158,6 +167,7 @@ namespace API.Controllers
        /// </summary>
        /// <param name="loginDto"></param>
        /// <returns></returns>
+        [AllowAnonymous]
        [HttpPost("login")]
        public async Task<ActionResult<UserDto>> Login(LoginDto loginDto)
        {
@ -176,13 +186,13 @@ namespace API.Controllers
                    "You are missing an email on your account. Please wait while we migrate your account.");
            }

-            if (!validPassword)
-            {
-                return Unauthorized("Your credentials are not correct");
-            }
-
            var result = await _signInManager
-                .CheckPasswordSignInAsync(user, loginDto.Password, false);
+                .CheckPasswordSignInAsync(user, loginDto.Password, true);
+
+            if (result.IsLockedOut)
+            {
+                return Unauthorized("You've been locked out from too many authorization attempts. Please wait 10 minutes.");
+            }

            if (!result.Succeeded)
            {
@ -215,6 +225,7 @@ namespace API.Controllers
        /// </summary>
        /// <param name="tokenRequestDto"></param>
        /// <returns></returns>
+        [AllowAnonymous]
        [HttpPost("refresh-token")]
        public async Task<ActionResult<TokenRequestDto>> RefreshToken([FromBody] TokenRequestDto tokenRequestDto)
        {
@ -486,6 +497,7 @@ namespace API.Controllers
            return BadRequest("There was an error setting up your account. Please check the logs");
        }

+        [AllowAnonymous]
        [HttpPost("confirm-email")]
        public async Task<ActionResult<UserDto>> ConfirmEmail(ConfirmEmailDto dto)
        {