From ccf2104d6ba5003a60b81b5eec92ca7219b2a5d7 Mon Sep 17 00:00:00 2001 From: Swapnamol Abraham Date: Fri, 28 Feb 2025 11:21:01 +0000 Subject: [PATCH 1/4] TD-3732: Missing Security Headers --- Auth/LearningHub.Nhs.Auth/Program.cs | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/Auth/LearningHub.Nhs.Auth/Program.cs b/Auth/LearningHub.Nhs.Auth/Program.cs index 04759f5..910cb0b 100644 --- a/Auth/LearningHub.Nhs.Auth/Program.cs +++ b/Auth/LearningHub.Nhs.Auth/Program.cs @@ -56,6 +56,20 @@ await next(); }); +app.Use(async (context, next) => +{ + // Add security headers + context.Response.Headers.Add("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"); + context.Response.Headers.Add("X-Content-Type-Options", "nosniff"); + context.Response.Headers.Add("X-XSS-Protection", "1; mode=block"); + context.Response.Headers.Add("X-Frame-Options", "DENY"); + context.Response.Headers.Add("Content-Security-Policy", "default-src 'self'; script-src 'self'; object-src 'none';"); + context.Response.Headers.Add("Referrer-Policy", "no-referrer-when-downgrade"); + context.Response.Headers.Add("Feature-Policy", "geolocation 'self'; microphone 'none'; camera 'none'"); + + await next(); +}); + if (app.Environment.IsDevelopment()) { app.UseDeveloperExceptionPage(); From 11526c1a09db81675acf8f0cceab1c3ed38c0235 Mon Sep 17 00:00:00 2001 From: Swapnamol Abraham Date: Wed, 5 Mar 2025 11:30:45 +0000 Subject: [PATCH 2/4] TD-3731: Password Change Does Not Invalidate Current Session --- .../Configuration/WebSettings.cs | 5 ++++ .../Controllers/AccountController.cs | 23 ++++++++++++------- .../Controllers/HomeController.cs | 21 +++++++++++++++++ Auth/LearningHub.Nhs.Auth/appsettings.json | 5 ++-- 4 files changed, 43 insertions(+), 11 deletions(-) diff --git a/Auth/LearningHub.Nhs.Auth/Configuration/WebSettings.cs b/Auth/LearningHub.Nhs.Auth/Configuration/WebSettings.cs index 54dab61..4b4113d 100644 --- a/Auth/LearningHub.Nhs.Auth/Configuration/WebSettings.cs +++ b/Auth/LearningHub.Nhs.Auth/Configuration/WebSettings.cs @@ -56,5 +56,10 @@ public class WebSettings /// Gets or sets the SupportFeedbackForm. /// public string SupportFeedbackForm { get; set; } + + /// + /// Gets or sets a value indicating whether IsPasswordUpdate. + /// + public bool IsPasswordUpdate { get; set; } } } diff --git a/Auth/LearningHub.Nhs.Auth/Controllers/AccountController.cs b/Auth/LearningHub.Nhs.Auth/Controllers/AccountController.cs index ff7b352..123fe1a 100644 --- a/Auth/LearningHub.Nhs.Auth/Controllers/AccountController.cs +++ b/Auth/LearningHub.Nhs.Auth/Controllers/AccountController.cs @@ -20,15 +20,11 @@ using LearningHub.Nhs.Auth.Models.Account; using LearningHub.Nhs.Caching; using LearningHub.Nhs.Models.Common; - using LearningHub.Nhs.Models.Entities.Reporting; using Microsoft.AspNetCore.Authentication; using Microsoft.AspNetCore.Authorization; - using Microsoft.AspNetCore.Http; using Microsoft.AspNetCore.Mvc; - using Microsoft.Extensions.Configuration; using Microsoft.Extensions.Logging; using Microsoft.Extensions.Options; - using NHSUKViewComponents.Web.ViewModels; /// /// Account Controller operations. @@ -72,7 +68,7 @@ public AccountController( this.authConfig = authConfig?.Value; this.webSettings = webSettings; this.logger = logger; - } + } /// /// Shows the Login page. @@ -214,9 +210,9 @@ await this.UserService.AddLogonToUserHistory( this.ModelState.AddModelError(string.Empty, loginResult.ErrorMessage); } - showFormWithError: +showFormWithError: - // something went wrong, show form with error +// something went wrong, show form with error var vm = await this.BuildLoginViewModelAsync(model); if ((vm.ClientId == "learninghubwebclient") || (vm.ClientId == "learninghubadmin")) { @@ -268,6 +264,9 @@ public async Task Logout(LogoutInputModel model) // delete local authentication cookie await this.HttpContext.SignOutAsync(); + // Delete the authentication cookie to ensure it is invalidated + this.HttpContext.Response.Cookies.Delete(".AspNetCore.Identity.Application"); + // raise the logout event await this.Events.RaiseAsync(new UserLogoutSuccessEvent(this.User.GetSubjectId(), this.User.GetDisplayName())); @@ -296,7 +295,15 @@ public async Task Logout(LogoutInputModel model) return this.SignOut(new AuthenticationProperties { RedirectUri = url }, vm.ExternalAuthenticationScheme); } - return this.View("LoggedOut", vm); + if (this.webSettings.IsPasswordUpdate) + { + var redirectUri = $"{this.webSettings.LearningHubWebClient}Home/ChangePasswordAcknowledgement"; + return this.Redirect(redirectUri); + } + else + { + return this.View("LoggedOut", vm); + } } /// diff --git a/Auth/LearningHub.Nhs.Auth/Controllers/HomeController.cs b/Auth/LearningHub.Nhs.Auth/Controllers/HomeController.cs index 7855fea..aa0937f 100644 --- a/Auth/LearningHub.Nhs.Auth/Controllers/HomeController.cs +++ b/Auth/LearningHub.Nhs.Auth/Controllers/HomeController.cs @@ -80,6 +80,27 @@ public async Task Error() return this.View("Error"); } + /// + /// IsPasswordUpdateMethod. + /// + /// The Logout. + /// The . + [HttpGet] + public IActionResult SetIsPasswordUpdate(bool isLogout) + { + if (isLogout) + { + this.webSettings.IsPasswordUpdate = false; + } + else + { + this.webSettings.IsPasswordUpdate = true; + } + + var redirectUri = $"{this.webSettings.LearningHubWebClient}Home/UserLogout"; + return this.Redirect(redirectUri); + } + /// /// Shows the HealthCheck response. /// diff --git a/Auth/LearningHub.Nhs.Auth/appsettings.json b/Auth/LearningHub.Nhs.Auth/appsettings.json index f746802..c54a92d 100644 --- a/Auth/LearningHub.Nhs.Auth/appsettings.json +++ b/Auth/LearningHub.Nhs.Auth/appsettings.json @@ -39,9 +39,8 @@ "ElfhHub": "", "Rcr": "", "SupportForm": "https://support.learninghub.nhs.uk/support/tickets/new", - "SupportFeedbackForm": "https://forms.office.com/e/C8tteweEhG" - - + "SupportFeedbackForm": "https://forms.office.com/e/C8tteweEhG", + "IsPasswordUpdate": "false" }, "AllowOpenAthensDebug": false, "OaLhClients": { From f898a6f05f4088fae75b607427f46127361ac8aa Mon Sep 17 00:00:00 2001 From: Swapnamol Abraham Date: Wed, 5 Mar 2025 14:36:28 +0000 Subject: [PATCH 3/4] TD-3733:Information Disclosures --- Auth/LearningHub.Nhs.Auth/Program.cs | 14 -------------- LearningHub.Nhs.UserApi/Program.cs | 12 ++++++++++++ 2 files changed, 12 insertions(+), 14 deletions(-) diff --git a/Auth/LearningHub.Nhs.Auth/Program.cs b/Auth/LearningHub.Nhs.Auth/Program.cs index 910cb0b..04759f5 100644 --- a/Auth/LearningHub.Nhs.Auth/Program.cs +++ b/Auth/LearningHub.Nhs.Auth/Program.cs @@ -56,20 +56,6 @@ await next(); }); -app.Use(async (context, next) => -{ - // Add security headers - context.Response.Headers.Add("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"); - context.Response.Headers.Add("X-Content-Type-Options", "nosniff"); - context.Response.Headers.Add("X-XSS-Protection", "1; mode=block"); - context.Response.Headers.Add("X-Frame-Options", "DENY"); - context.Response.Headers.Add("Content-Security-Policy", "default-src 'self'; script-src 'self'; object-src 'none';"); - context.Response.Headers.Add("Referrer-Policy", "no-referrer-when-downgrade"); - context.Response.Headers.Add("Feature-Policy", "geolocation 'self'; microphone 'none'; camera 'none'"); - - await next(); -}); - if (app.Environment.IsDevelopment()) { app.UseDeveloperExceptionPage(); diff --git a/LearningHub.Nhs.UserApi/Program.cs b/LearningHub.Nhs.UserApi/Program.cs index e89e70b..8a6e0aa 100644 --- a/LearningHub.Nhs.UserApi/Program.cs +++ b/LearningHub.Nhs.UserApi/Program.cs @@ -10,6 +10,7 @@ var logger = NLogBuilder.ConfigureNLog("nlog.config").GetCurrentClassLogger(); +var csp = "object-src 'none'; frame-ancestors 'none'; sandbox allow-forms allow-same-origin allow-scripts allow-popups; base-uri 'self';"; try { logger.Debug("Log Started"); @@ -36,6 +37,17 @@ c.SwaggerEndpoint($"/swagger/{app.Configuration["Swagger:Title"]}/swagger.json", app.Configuration["Swagger:Version"]); }); + app.Use(async (context, next) => + { + context.Response.Headers.Add("content-security-policy", csp); + context.Response.Headers.Add("Referrer-Policy", "no-referrer"); + context.Response.Headers.Add("Strict-Transport-Security", "max-age=31536000; includeSubDomains"); + context.Response.Headers.Add("X-Content-Type-Options", "nosniff"); + context.Response.Headers.Add("X-Frame-Options", "SAMEORIGIN"); + context.Response.Headers.Add("X-XSS-protection", "0"); + await next(); + }); + app.UseMiddleware(); app.UseEndpoints(endpoints => endpoints.MapControllerRoute("default", "{controller=Home}/{action=Index}/{id?}")); From 0474fd75d21879446f2db0347c94a8f3b01baeae Mon Sep 17 00:00:00 2001 From: Swapnamol Abraham Date: Thu, 13 Mar 2025 14:26:09 +0000 Subject: [PATCH 4/4] TD-3743: Concurrent Sessions Allowed --- .../Helpers/InMemoryTicketStore.cs | 104 ++++++++++++++++++ .../ServiceCollectionExtension.cs | 10 +- 2 files changed, 113 insertions(+), 1 deletion(-) create mode 100644 Auth/LearningHub.Nhs.Auth/Helpers/InMemoryTicketStore.cs diff --git a/Auth/LearningHub.Nhs.Auth/Helpers/InMemoryTicketStore.cs b/Auth/LearningHub.Nhs.Auth/Helpers/InMemoryTicketStore.cs new file mode 100644 index 0000000..1bfa669 --- /dev/null +++ b/Auth/LearningHub.Nhs.Auth/Helpers/InMemoryTicketStore.cs @@ -0,0 +1,104 @@ +namespace LearningHub.Nhs.Auth.Helpers +{ + using System; + using System.Collections.Concurrent; + using System.Linq; + using System.Threading.Tasks; + using Microsoft.AspNetCore.Authentication; + using Microsoft.AspNetCore.Authentication.Cookies; + + /// + /// Defines the . + /// + public class InMemoryTicketStore : ITicketStore + { + private readonly ConcurrentDictionary cache; + + /// + /// Initializes a new instance of the class. + /// The InMemoryTicketStore. + /// + /// the cache. + public InMemoryTicketStore(ConcurrentDictionary cache) + { + this.cache = cache; + } + + /// + /// The StoreAsync. + /// + /// The ticket. + /// The key. + public async Task StoreAsync(AuthenticationTicket ticket) + { + var ticketUserId = ticket.Principal.Claims.Where(c => c.Type == "sub") + .FirstOrDefault() + .Value; + var matchingAuthTicket = this.cache.Values.FirstOrDefault( + t => t.Principal.Claims.FirstOrDefault( + c => c.Type == "sub" + && c.Value == ticketUserId) != null); + if (matchingAuthTicket != null) + { + var cacheKey = this.cache.Where( + entry => entry.Value == matchingAuthTicket) + .Select(entry => entry.Key) + .FirstOrDefault(); + this.cache.TryRemove( + cacheKey, + out _); + } + + var key = Guid + .NewGuid() + .ToString(); + await this.RenewAsync( + key, + ticket); + return key; + } + + /// + /// The RenewAsync. + /// + /// The key. + /// The ticket. + /// The Task. + public Task RenewAsync( + string key, + AuthenticationTicket ticket) + { + this.cache.AddOrUpdate( + key, + ticket, + (_, _) => ticket); + return Task.CompletedTask; + } + + /// + /// The RetrieveAsync. + /// + /// The Key. + /// The Task. + public Task RetrieveAsync(string key) + { + this.cache.TryGetValue( + key, + out var ticket); + return Task.FromResult(ticket); + } + + /// + /// The RemoveAsync. + /// + /// The key. + /// The Task. + public Task RemoveAsync(string key) + { + this.cache.TryRemove( + key, + out _); + return Task.CompletedTask; + } + } + } diff --git a/Auth/LearningHub.Nhs.Auth/ServiceCollectionExtension.cs b/Auth/LearningHub.Nhs.Auth/ServiceCollectionExtension.cs index 6aaf2f5..0a08288 100644 --- a/Auth/LearningHub.Nhs.Auth/ServiceCollectionExtension.cs +++ b/Auth/LearningHub.Nhs.Auth/ServiceCollectionExtension.cs @@ -1,10 +1,12 @@ namespace LearningHub.Nhs.Auth { using System; + using System.Collections.Concurrent; using System.Security.Cryptography.X509Certificates; using Azure.Identity; using IdentityServer4; using LearningHub.Nhs.Auth.Configuration; + using LearningHub.Nhs.Auth.Helpers; using LearningHub.Nhs.Auth.Middleware; using LearningHub.Nhs.Caching; using LearningHub.Nhs.Models.Enums; @@ -70,7 +72,13 @@ public static void ConfigureServices(this IServiceCollection services, IConfigur { options.DefaultAuthenticateScheme = CookieAuthenticationDefaults.AuthenticationScheme; options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme; - }).AddCookie().AddOpenIdConnect( + }) + .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options => + { + options.AccessDeniedPath = "/Home/AccessDenied"; + options.SessionStore = new InMemoryTicketStore(new ConcurrentDictionary()); + }) + .AddOpenIdConnect( "oidc_oa", options => {