https://blog.dfaiv.devGatsbyJSSun, 10 Jan 2021 17:47:46 GMThttps://blog.dfaiv.devfoo/barhttps://blog.dfaiv.devfoo/barMon, 07 Dec 2020 00:00:00 GMT<p>I wanted to add authorization to a SPA web api backend (using asp.net core). The build in solutions seem to either be <strong><a href="https://docs.microsoft.com/en-us/aspnet/core/security/authentication/identity-api-authorization?view=aspnetcore-5.0" target="_blank" rel="nofollow noopener noreferrer">IdentityServer4</a></strong> <del>(which <a href="https://identityserver4.readthedocs.io/en/latest/" target="_blank" rel="nofollow noopener noreferrer">will only be supported unitl Nov 2022?</a>)</del> (wait, <a href="https://blog.duendesoftware.com/posts/20201210_community_edition/" target="_blank" rel="nofollow noopener noreferrer">maybe they’ll have a Community Edition</a> for companies with less that $1M revenue?) or <strong><a href="https://docs.microsoft.com/en-us/aspnet/core/security/authentication/identity?view=aspnetcore-5.0&#x26;tabs=visual-studio" target="_blank" rel="nofollow noopener noreferrer">Microsoft.AspNetCore.Identity</a></strong> which seems to want to work more with MVC/Razor and SPAs (though I’m sure it could be hacked?).</p> <p>Seems like it shouldn’t be the end of the world to create a user table and store passwords with some sort of best practice. The first part of that would be how to hash the password. Unsurprisingly there seem to be a few opinions around the inter-webs. This is what I ended up with.</p> <div class="gatsby-highlight" data-language="csharp"><pre class="language-csharp"><code class="language-csharp"><span class="token keyword">public</span> <span class="token keyword">static</span> <span class="token keyword">class</span> <span class="token class-name">Pbkdf2PasswordHasher</span> <span class="token punctuation">{</span> <span class="token keyword">const</span> <span class="token class-name"><span class="token keyword">int</span></span> PasswordHashSize <span class="token operator">=</span> <span class="token number">512</span> <span class="token operator">/</span> <span class="token number">8</span><span class="token punctuation">;</span> <span class="token keyword">const</span> <span class="token class-name"><span class="token keyword">int</span></span> SaltSize <span class="token operator">=</span> <span class="token number">256</span> <span class="token operator">/</span> <span class="token number">8</span><span class="token punctuation">;</span> <span class="token keyword">static</span> <span class="token keyword">readonly</span> <span class="token class-name">HashAlgorithmName</span> HashAlgorithm <span class="token operator">=</span> HashAlgorithmName<span class="token punctuation">.</span>SHA512<span class="token punctuation">;</span> <span class="token keyword">public</span> <span class="token keyword">static</span> <span class="token return-type class-name"><span class="token keyword">string</span></span> <span class="token function">Generate</span><span class="token punctuation">(</span> <span class="token class-name"><span class="token keyword">string</span></span> password<span class="token punctuation">,</span> <span class="token class-name"><span class="token keyword">int</span></span> iterations <span class="token operator">=</span> <span class="token number">175_000</span><span class="token punctuation">)</span> <span class="token punctuation">{</span> <span class="token comment">//generate a random salt for hashing</span> <span class="token class-name"><span class="token keyword">var</span></span> salt <span class="token operator">=</span> <span class="token keyword">new</span> <span class="token constructor-invocation class-name"><span class="token keyword">byte</span></span><span class="token punctuation">[</span>SaltSize<span class="token punctuation">]</span><span class="token punctuation">;</span> <span class="token keyword">new</span> <span class="token constructor-invocation class-name">RNGCryptoServiceProvider</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">.</span><span class="token function">GetBytes</span><span class="token punctuation">(</span>salt<span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token comment">//hash password given salt and iterations</span> <span class="token comment">//iterations provide difficulty when cracking</span> <span class="token class-name"><span class="token keyword">var</span></span> pbkdf2 <span class="token operator">=</span> <span class="token keyword">new</span> <span class="token constructor-invocation class-name">Rfc2898DeriveBytes</span><span class="token punctuation">(</span> password<span class="token punctuation">,</span> salt<span class="token punctuation">,</span> iterations<span class="token punctuation">,</span> HashAlgorithm<span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token class-name"><span class="token keyword">var</span></span> hash <span class="token operator">=</span> pbkdf2<span class="token punctuation">.</span><span class="token function">GetBytes</span><span class="token punctuation">(</span>PasswordHashSize<span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token comment">//return delimited string with salt | #iterations | hash</span> <span class="token keyword">return</span> Convert<span class="token punctuation">.</span><span class="token function">ToBase64String</span><span class="token punctuation">(</span>salt<span class="token punctuation">)</span> <span class="token operator">+</span> <span class="token string">"|"</span> <span class="token operator">+</span> iterations <span class="token operator">+</span> <span class="token string">"|"</span> <span class="token operator">+</span> Convert<span class="token punctuation">.</span><span class="token function">ToBase64String</span><span class="token punctuation">(</span>hash<span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token punctuation">}</span> <span class="token keyword">public</span> <span class="token keyword">static</span> <span class="token return-type class-name"><span class="token keyword">bool</span></span> <span class="token function">IsValid</span><span class="token punctuation">(</span><span class="token class-name"><span class="token keyword">string</span></span> password<span class="token punctuation">,</span> <span class="token class-name"><span class="token keyword">string</span></span> encodedHash<span class="token punctuation">)</span> <span class="token punctuation">{</span> <span class="token comment">//extract original values from delimited hash text</span> <span class="token class-name"><span class="token keyword">var</span></span> parts <span class="token operator">=</span> encodedHash<span class="token punctuation">.</span><span class="token function">Split</span><span class="token punctuation">(</span><span class="token string character">'|'</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token class-name"><span class="token keyword">var</span></span> salt <span class="token operator">=</span> Convert<span class="token punctuation">.</span><span class="token function">FromBase64String</span><span class="token punctuation">(</span>parts<span class="token punctuation">[</span><span class="token number">0</span><span class="token punctuation">]</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token class-name"><span class="token keyword">var</span></span> iterations <span class="token operator">=</span> <span class="token keyword">int</span><span class="token punctuation">.</span><span class="token function">Parse</span><span class="token punctuation">(</span>parts<span class="token punctuation">[</span><span class="token number">1</span><span class="token punctuation">]</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token class-name"><span class="token keyword">var</span></span> hash <span class="token operator">=</span> parts<span class="token punctuation">[</span><span class="token number">2</span><span class="token punctuation">]</span><span class="token punctuation">;</span> <span class="token comment">//generate hash from test password </span> <span class="token comment">// and original salt and iterations</span> <span class="token class-name"><span class="token keyword">var</span></span> pbkdf2 <span class="token operator">=</span> <span class="token keyword">new</span> <span class="token constructor-invocation class-name">Rfc2898DeriveBytes</span><span class="token punctuation">(</span> password<span class="token punctuation">,</span> salt<span class="token punctuation">,</span> iterations<span class="token punctuation">,</span> HashAlgorithm<span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token class-name"><span class="token keyword">var</span></span> testHash <span class="token operator">=</span> pbkdf2<span class="token punctuation">.</span><span class="token function">GetBytes</span><span class="token punctuation">(</span>PasswordHashSize<span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token comment">//if hash values match then return success</span> <span class="token keyword">if</span> <span class="token punctuation">(</span>Convert<span class="token punctuation">.</span><span class="token function">ToBase64String</span><span class="token punctuation">(</span>testHash<span class="token punctuation">)</span> <span class="token operator">==</span> hash<span class="token punctuation">)</span> <span class="token keyword">return</span> <span class="token boolean">true</span><span class="token punctuation">;</span> <span class="token comment">//no match return false</span> <span class="token keyword">return</span> <span class="token boolean">false</span><span class="token punctuation">;</span> <span class="token punctuation">}</span> <span class="token punctuation">}</span></code></pre></div> <h3>Notes</h3> <ul> <li> <p><code class="language-text">interationCount</code> was used by running a perf test on my local machine to find hashing that took ~100ms</p> <div class="gatsby-highlight" data-language="cs"><pre class="language-cs"><code class="language-cs"><span class="token punctuation">[</span><span class="token attribute"><span class="token class-name">Fact</span><span class="token attribute-arguments"><span class="token punctuation">(</span>Skip <span class="token operator">=</span> <span class="token string">"not really a unit test, should probably move to some other mechanism."</span><span class="token punctuation">)</span></span></span><span class="token punctuation">]</span> <span class="token keyword">public</span> <span class="token return-type class-name"><span class="token keyword">void</span></span> <span class="token function">Perf</span><span class="token punctuation">(</span><span class="token punctuation">)</span> <span class="token punctuation">{</span> <span class="token keyword">const</span> <span class="token class-name"><span class="token keyword">int</span></span> maxRuntimeMs <span class="token operator">=</span> <span class="token number">200</span><span class="token punctuation">;</span> <span class="token class-name"><span class="token keyword">var</span></span> iterations <span class="token operator">=</span> <span class="token number">10_000</span><span class="token punctuation">;</span> <span class="token class-name"><span class="token keyword">var</span></span> lastRuntime <span class="token operator">=</span> <span class="token number">0L</span><span class="token punctuation">;</span> <span class="token keyword">while</span> <span class="token punctuation">(</span>lastRuntime <span class="token operator">&lt;</span> maxRuntimeMs<span class="token punctuation">)</span> <span class="token punctuation">{</span> <span class="token class-name"><span class="token keyword">var</span></span> timer <span class="token operator">=</span> Stopwatch<span class="token punctuation">.</span><span class="token function">StartNew</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token class-name"><span class="token keyword">var</span></span> hashResult <span class="token operator">=</span> Pbkdf2PasswordHasher<span class="token punctuation">.</span><span class="token function">Generate</span><span class="token punctuation">(</span> PasswordPlainTextDefault<span class="token punctuation">,</span> iterations<span class="token punctuation">)</span><span class="token punctuation">;</span> timer<span class="token punctuation">.</span><span class="token function">Stop</span><span class="token punctuation">(</span><span class="token punctuation">)</span><span class="token punctuation">;</span> <span class="token class-name"><span class="token keyword">var</span></span> runTime <span class="token operator">=</span> timer<span class="token punctuation">.</span>ElapsedMilliseconds<span class="token punctuation">;</span> _testOutputHelper<span class="token punctuation">.</span><span class="token function">WriteLine</span><span class="token punctuation">(</span><span class="token interpolation-string"><span class="token string">$"hash with iterations: </span><span class="token interpolation"><span class="token punctuation">{</span><span class="token expression language-csharp">iterations</span><span class="token punctuation">}</span></span><span class="token string">, ms: </span><span class="token interpolation"><span class="token punctuation">{</span><span class="token expression language-csharp">runTime</span><span class="token punctuation">}</span></span><span class="token string">, result: </span><span class="token interpolation"><span class="token punctuation">{</span><span class="token expression language-csharp">hashResult</span><span class="token punctuation">}</span></span><span class="token string">"</span></span><span class="token punctuation">)</span><span class="token punctuation">;</span> lastRuntime <span class="token operator">=</span> runTime<span class="token punctuation">;</span> iterations <span class="token operator">+=</span> <span class="token number">5000</span><span class="token punctuation">;</span> <span class="token punctuation">}</span> <span class="token punctuation">}</span></code></pre></div> </li> <li>I used <code class="language-text">HashAlgorithmName.SHA512</code> instead of <code class="language-text">SHA256</code> because larger is better?</li> </ul> <h3>bcrypt</h3> <p>There is a <code class="language-text">dotnet</code> <code class="language-text">bcrypt</code> implementation which seems to more widely respected on the internet (as it is slower to calculate, and slower is better?). But <code class="language-text">PBKDF2</code> still seems to be “officially” recommended, and it’s built into <code class="language-text">dotnet</code> which seemed a little safer than OSS.</p> <h3>Resources:</h3> <ul> <li><a href="https://www.cidean.com/blog/2019/password-hashing-using-rfc2898derivebytes/" target="_blank" rel="nofollow noopener noreferrer">C# pdfh source</a></li> <li><a href="https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2" target="_blank" rel="nofollow noopener noreferrer">PBKDF2 Recommendation by NIST</a></li> <li><a href="https://security.stackexchange.com/questions/3959/recommended-of-iterations-when-using-pkbdf2-sha256" target="_blank" rel="nofollow noopener noreferrer">PBKDF2 Iterations Recommendation</a></li> <li><a href="https://github.com/aspnet/Identity/blob/master/src/Core/PasswordHasher.cs" target="_blank" rel="nofollow noopener noreferrer">Microsoft.AspNetCore.Identity.PasswordHasher</a></li> </ul>https://blog.dfaiv.devfoo/barhttps://blog.dfaiv.devfoo/barFri, 20 Nov 2020 00:00:00 GMT<p>When I Googled for this, I got a bunch of results that just explain the <code class="language-text">async</code> pipe; but I wanted to know if I could use an async variable into the pipe:</p> <div class="gatsby-highlight" data-language="html"><pre class="language-html"><code class="language-html"><span class="token tag"><span class="token tag"><span class="token punctuation">&lt;</span>div</span><span class="token punctuation">></span></span>Currency {{ 100 | currency:(currencySymbol$ | async)}}<span class="token tag"><span class="token tag"><span class="token punctuation">&lt;/</span>div</span><span class="token punctuation">></span></span></code></pre></div> <p>Looks like you can. See this <a href="https://stackblitz.com/edit/pipe-variable-async?file=src/app/app.component.html" target="_blank" rel="nofollow noopener noreferrer">Stack Blitz</a></p>https://blog.dfaiv.devfoo/barhttps://blog.dfaiv.devfoo/barMon, 23 Jul 2018 00:00:00 GMT<p>I have a Powershell deploy script that runs multiple background tasks in parallel using a <a href="https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_script_blocks?view=powershell-7.1" target="_blank" rel="nofollow noopener noreferrer">script block</a>. The block was using <code class="language-text">Write-Host</code> but I wasn’t getting any output. Turns out I needed to use <code class="language-text">Receive-Job</code> to capture any output.</p> <div class="gatsby-highlight" data-language="powershell"><pre class="language-powershell"><code class="language-powershell"><span class="token comment"># helper to log results</span> <span class="token keyword">function</span> _handleJobResults <span class="token punctuation">{</span> <span class="token function">Write-Host</span> <span class="token string">"listing all jobs"</span> <span class="token function">Get-Job</span> <span class="token function">Write-Host</span> <span class="token string">"resetting jobs"</span> <span class="token function">Get-Job</span> <span class="token punctuation">|</span> <span class="token function">Remove-Job</span> <span class="token punctuation">}</span> <span class="token keyword">function</span> _waitForJobs <span class="token punctuation">{</span> <span class="token comment"># should really check that jobs have finished, maybe in another post.</span> <span class="token function">Write-Host</span> <span class="token string">"waiting for jobs to finish"</span> <span class="token function">Start-Sleep</span> <span class="token operator">-</span>Seconds 2 <span class="token punctuation">}</span> <span class="token variable">$jobCount</span> = 3 <span class="token comment"># function block to be invoked in background job.</span> <span class="token variable">$_deployBlock01</span> = <span class="token punctuation">{</span> <span class="token keyword">param</span><span class="token punctuation">(</span><span class="token variable">$_i</span><span class="token punctuation">)</span> <span class="token function">Write-Host</span> <span class="token string">"script block output: <span class="token variable">$_i</span>"</span> <span class="token punctuation">}</span> <span class="token comment"># invoke background jobs</span> <span class="token comment"># no Write-Host output from $_deployBlock01</span> <span class="token keyword">foreach</span> <span class="token punctuation">(</span><span class="token variable">$i</span> in 1<span class="token punctuation">.</span><span class="token punctuation">.</span><span class="token variable">$jobCount</span><span class="token punctuation">)</span> <span class="token punctuation">{</span> <span class="token function">Start-Job</span> <span class="token operator">-</span>ScriptBlock <span class="token variable">$_deployBlock01</span> <span class="token operator">-</span>Name <span class="token string">"test-job-<span class="token variable">$i</span>"</span> <span class="token operator">-</span>ArgumentList <span class="token variable">$i</span> <span class="token punctuation">}</span> _waitForJobs _handleJobResults <span class="token function">Write-Host</span> <span class="token string">"no output from script block should have been logged."</span> <span class="token function">Write-Host</span> <span class="token string">"re-run jobs, capture output"</span> <span class="token comment"># invoke background jobs, capture outputs</span> <span class="token keyword">foreach</span> <span class="token punctuation">(</span><span class="token variable">$i</span> in 1<span class="token punctuation">.</span><span class="token punctuation">.</span><span class="token variable">$jobCount</span><span class="token punctuation">)</span> <span class="token punctuation">{</span> <span class="token function">Start-Job</span> <span class="token operator">-</span>ScriptBlock <span class="token variable">$_deployBlock01</span> <span class="token operator">-</span>Name <span class="token string">"test-job-<span class="token variable">$i</span>"</span> <span class="token operator">-</span>ArgumentList <span class="token variable">$i</span> <span class="token punctuation">}</span> _waitForJobs <span class="token function">Write-Host</span> <span class="token string">"Get Job output"</span> <span class="token comment">#Recieve-Job will get the Write-Host output.</span> <span class="token function">Get-Job</span> <span class="token punctuation">|</span> <span class="token function">Receive-Job</span> _handleJobResults</code></pre></div>https://blog.dfaiv.devfoo/barhttps://blog.dfaiv.devfoo/barSat, 17 Mar 2018 00:00:00 GMT<p>On my computer, my default git user is for my work account. I was working on a personal project, pushed it to GitHub, and didn’t realize until after that I had been commiting with my work username/email. Some Googling <a href="https://stackoverflow.com/questions/750172/how-to-change-the-author-and-committer-name-and-e-mail-of-multiple-commits-in-gi" target="_blank" rel="nofollow noopener noreferrer">turned up</a> that you can rewrite history from one email/username to another:</p> <div class="gatsby-highlight" data-language="bash"><pre class="language-bash"><code class="language-bash"><span class="token function">git</span> filter-branch --env-filter <span class="token string">' OLD_EMAIL="your-old-email@example.com" CORRECT_NAME="Your Correct Name" CORRECT_EMAIL="your-correct-email@example.com" if [ "<span class="token variable">$GIT_COMMITTER_EMAIL</span>" = "<span class="token variable">$OLD_EMAIL</span>" ] then export GIT_COMMITTER_NAME="<span class="token variable">$CORRECT_NAME</span>" export GIT_COMMITTER_EMAIL="<span class="token variable">$CORRECT_EMAIL</span>" fi if [ "<span class="token variable">$GIT_AUTHOR_EMAIL</span>" = "<span class="token variable">$OLD_EMAIL</span>" ] then export GIT_AUTHOR_NAME="<span class="token variable">$CORRECT_NAME</span>" export GIT_AUTHOR_EMAIL="<span class="token variable">$CORRECT_EMAIL</span>" fi '</span> --tag-name-filter <span class="token function">cat</span> -- --branches --tags</code></pre></div> <p>I got a nasty warning, but after a few seconds it proceeded with the rewrite and the world didn’t seem to end. I guess I could have tried the <a href="https://github.com/newren/git-filter-repo/" target="_blank" rel="nofollow noopener noreferrer">suggested alternative</a>, but I only had a few commits and the rewrite seemed mostly innocuous.</p> <div class="gatsby-highlight" data-language="text"><pre class="language-text"><code class="language-text">WARNING: git-filter-branch has a glut of gotchas generating mangled history rewrites. Hit Ctrl-C before proceeding to abort, then use an alternative filtering tool such as &#39;git filter-repo&#39; (https://github.com/newren/git-filter-repo/) instead. See the filter-branch manual page for more details; to squelch this warning, set FILTER_BRANCH_SQUELCH_WARNING=1.</code></pre></div> <p>A <code class="language-text">git push --force</code> and my repo commits were updated with my personal email.</p>https://blog.dfaiv.devfoo/barhttps://blog.dfaiv.devfoo/barTue, 02 Jan 2018 00:00:00 GMT<p>I wanted to use <code class="language-text">tmux</code> and still be able to highlight text with my mouse and have it copied to the system clipboard. <code class="language-text">tmux</code> captures mouse commands though, so the copy/paste wasn’t making it out.</p> <p>Turns out, using the default <code class="language-text">WSL Bash on Windows</code> shell, you just hold the <code class="language-text">shift key</code> along with your mouse actions.</p> <p>There are some more complex options out there, but this was all I needed.</p> <p>Details: <a href="https://github.com/Microsoft/WSL/issues/1586#issuecomment-272235493" target="_blank" rel="nofollow noopener noreferrer">https://github.com/Microsoft/WSL/issues/1586#issuecomment-272235493</a></p>