Security Event Logging & Bugfixes (#1882)

* Fixed bookmarking failing to convert to webp * Brought the ag-swipe/ng-swipe code into Kavita due to being abandoned by developer and angular requirements. * Fixed average reading time per week finally * Cleaned up some extra decimals on time duration pipe * Don't try to update index.html for base url on local. Fixed ag-swipe on prod mode. * Updated a link on theme manager to point to the new github * Range knobs should be primary color on firefox too * Implemented the ability to get thumbnails of pages inside an archive or pdf. * Updated packages and fixed opds-ps 1.2 issue * Fixed lock file * Allow Kavita's Swagger to hit instances with CORS * Added IP/Request logging for Security Audits * Linked up Summary tag from CBL into Kavita. * Redid the migration so SecurityEvent now has UTC date as well. * Split security logging to a separate file * Update to new versions of checkout and setup * Added a PR check on PR body to ensure that it doesn't contain any characters that break our discord hook. * Updating action * optimize regex in action * Fixed an issue where fit to width would cause the actual height of the image to be shown for pagination bars, instead of rendered. * Added some new code in GetPageFromFiles to ensure pages that exceed array map down to last file. * Added comment about robots * Fixed up unit tests for new ReaderService signature * Kavita now cleans up empty reading lists at night * Don't allow nightly cleanup to run if we are running media conversion tasks * Fixed some bugs in typeahead, it should behave much more reliably. * Fix an issue where emulate comic book wasn't extending to the bottom properly * Added support for Series Chapter 001 Volume 001 * Refactor XFrameOptions="SameOrigins" out to allow users to override in appsettings.json. * Added a rate limiter for some endpoints, but it doesn't seem to be triggering --------- Co-authored-by: Robbie Davis <robbie@therobbiedavis.com>
2023-03-16 15:57:34 -05:00 · 2023-03-16 15:57:34 -05:00 · c10acb1279
commit c10acb1279
parent 21203414f0
60 changed files with 2890 additions and 302 deletions
--- a/API/Startup.cs
+++ b/API/Startup.cs
@ -6,6 +6,7 @@ using System.Linq;
 using System.Net;
 using System.Net.Sockets;
 using System.Reflection;
+using System.Threading.RateLimiting;
 using System.Threading.Tasks;
 using API.Constants;
 using API.Data;
@ -14,6 +15,7 @@ using API.Entities.Enums;
 using API.Extensions;
 using API.Logging;
 using API.Middleware;
+using API.Middleware.RateLimit;
 using API.Services;
 using API.Services.HostedServices;
 using API.Services.Tasks;
@ -179,6 +181,19 @@ public class Startup

        services.AddResponseCaching();

+        services.AddRateLimiter(options =>
+        {
+            options.AddPolicy("Authentication", httpContext =>
+                new AuthenticationRateLimiterPolicy().GetPartition(httpContext));
+            // RateLimitPartition.GetFixedWindowLimiter(httpContext.Connection.RemoteIpAddress?.ToString(),
+            //     partition => new FixedWindowRateLimiterOptions
+            //     {
+            //         AutoReplenishment = true,
+            //         PermitLimit = 1,
+            //         Window = TimeSpan.FromMinutes(1),
+            //     }));
+        });
+
        services.AddHangfire(configuration => configuration
            .UseSimpleAssemblyNameTypeSerializer()
            .UseRecommendedSerializerSettings()
@ -259,6 +274,7 @@ public class Startup


        app.UseMiddleware<ExceptionMiddleware>();
+        app.UseMiddleware<SecurityEventMiddleware>();

        if (env.IsDevelopment())
        {
@ -278,10 +294,16 @@ public class Startup

        app.UseForwardedHeaders();

-        var basePath = Configuration.BaseUrl;
+        app.UseRateLimiter();

+        var basePath = Configuration.BaseUrl;
        app.UsePathBase(basePath);
-        UpdateBaseUrlInIndex(basePath);
+        if (!env.IsDevelopment())
+        {
+            // We don't update the index.html in local as we don't serve from there
+            UpdateBaseUrlInIndex(basePath);
+        }
+

        app.UseRouting();

@ -292,7 +314,17 @@ public class Startup
                .AllowAnyHeader()
                .AllowAnyMethod()
                .AllowCredentials() // For SignalR token query param
-                .WithOrigins("http://localhost:4200", $"http://{GetLocalIpAddress()}:4200", $"http://{GetLocalIpAddress()}:5000")
+                .WithOrigins("http://localhost:4200", $"http://{GetLocalIpAddress()}:4200", $"http://{GetLocalIpAddress()}:5000", "https://kavita.majora2007.duckdns.org")
+                .WithExposedHeaders("Content-Disposition", "Pagination"));
+        }
+        else
+        {
+            // Allow CORS for Kavita's url
+            app.UseCors(policy => policy
+                .AllowAnyHeader()
+                .AllowAnyMethod()
+                .AllowCredentials() // For SignalR token query param
+                .WithOrigins("https://kavita.majora2007.duckdns.org")
                .WithExposedHeaders("Content-Disposition", "Pagination"));
        }

@ -311,6 +343,7 @@ public class Startup
            OnPrepareResponse = ctx =>
            {
                ctx.Context.Response.Headers[HeaderNames.CacheControl] = "public,max-age=" + TimeSpan.FromHours(24);
+                ctx.Context.Response.Headers["X-Robots-Tag"] = "noindex,nofollow";
            }
        });

@ -326,7 +359,7 @@ public class Startup
                new[] { "Accept-Encoding" };

            // Don't let the site be iframed outside the same origin (clickjacking)
-            context.Response.Headers.XFrameOptions = "SAMEORIGIN";
+            context.Response.Headers.XFrameOptions = Configuration.XFrameOptions;

            // Setup CSP to ensure we load assets only from these origins
            context.Response.Headers.Add("Content-Security-Policy", "frame-ancestors 'none';");
@ -359,19 +392,26 @@ public class Startup
        });

        var _logger = serviceProvider.GetRequiredService<ILogger<Startup>>();
-        _logger.LogInformation("Starting with base url as {baseUrl}", basePath);
+        _logger.LogInformation("Starting with base url as {BaseUrl}", basePath);
    }

    private static void UpdateBaseUrlInIndex(string baseUrl)
    {
-        if (new OsInfo(Array.Empty<IOsVersionAdapter>()).IsDocker) return;
-        var htmlDoc = new HtmlDocument();
-        var indexHtmlPath = Path.Combine(Directory.GetCurrentDirectory(), "wwwroot", "index.html");
-        htmlDoc.Load(indexHtmlPath);
+        try
+        {
+            if (new OsInfo(Array.Empty<IOsVersionAdapter>()).IsDocker) return;
+            var htmlDoc = new HtmlDocument();
+            var indexHtmlPath = Path.Combine(Directory.GetCurrentDirectory(), "wwwroot", "index.html");
+            htmlDoc.Load(indexHtmlPath);

-        var baseNode = htmlDoc.DocumentNode.SelectSingleNode("/html/head/base");
-        baseNode.SetAttributeValue("href", baseUrl);
-        htmlDoc.Save(indexHtmlPath);
+            var baseNode = htmlDoc.DocumentNode.SelectSingleNode("/html/head/base");
+            baseNode.SetAttributeValue("href", baseUrl);
+            htmlDoc.Save(indexHtmlPath);
+        }
+        catch (Exception ex)
+        {
+            Log.Error(ex, "There was an error setting base url");
+        }
    }

    private static void OnShutdown()