Updated Security

jioo · jioo · commit 8873d5549dc3 · 2018-09-12T13:51:46.000+08:00
-- WEB API -- -Added Csrf validation on unauthorized endpoints -Added XsrfTokenController -- WEB CLIENT -- -Added Xsrf service -Updated all @click with .prevent extension -Updated logout redirect url -Set up xsrf service in api-service
diff --git a/WebApi/Controllers/AccountsController.cs b/WebApi/Controllers/AccountsController.cs
@@ -16,7 +16,7 @@
 namespace WebApi.Controllers
 {
     [Authorize(Roles = "Admin")]
-    [Route("api/[controller]")]
+    [Route("api/[controller]"), ApiController]
     public class AccountsController : ControllerBase
     {
         private readonly UserManager<User> _manager;
@@ -35,7 +35,7 @@ public AccountsController(
 
         // POST: api/accounts/register
         [HttpPost("register")]
-        public async Task<IActionResult> Register([FromBody]RegisterViewModel model)
+        public async Task<IActionResult> Register(RegisterViewModel model)
         {
             var isCardExist = await _service.isCardExist(Guid.Empty, model.CardNo);
             if (isCardExist)
@@ -64,7 +64,8 @@ public async Task<IActionResult> Register([FromBody]RegisterViewModel model)
                 Identity = user,
                 FullName = model.FullName,
                 CardNo = model.CardNo,
-                Position = model.Position
+                Position = model.Position,
+                Status = Status.Active
             });
             return new OkObjectResult(syncResult);
         }
diff --git a/WebApi/Controllers/AuthController.cs b/WebApi/Controllers/AuthController.cs
@@ -12,7 +12,7 @@
 
 namespace WebApi.Controllers
 {
-    [Route("api/[controller]")]
+    [Route("api/[controller]"), ApiController]
     public class AuthController : ControllerBase
     {
         private readonly UserManager<User> _userManager;
@@ -37,7 +37,8 @@ public AuthController(
 
         // POST api/auth/login
         [HttpPost("login")]
-        public async Task<IActionResult> Login([FromBody]LoginViewModel model)
+        [ValidateAntiForgeryToken]
+        public async Task<IActionResult> Login(LoginViewModel model)
         {
             // Check if password is correct
             var user = await _userManager.FindByNameAsync(model.UserName);
@@ -59,24 +60,24 @@ public async Task<IActionResult> Login([FromBody]LoginViewModel model)
         }
 
         // POST api/auth/check
-        [HttpGet("check")]
         [Authorize]
+        [HttpGet("check")]
         public IActionResult Check()
         {
             return Ok();
         }
 
         // POST api/auth/is-admin
-        [HttpGet("is-admin")]
         [Authorize(Roles = "Admin")]
+        [HttpGet("is-admin")]
         public IActionResult IsAdmin()
         {
             return Ok();
         }
 
         // POST api/auth/is-employee
-        [HttpGet("is-employee")]
         [Authorize(Roles = "Employee")]
+        [HttpGet("is-employee")]
         public IActionResult IsEmployee()
         {
             return Ok();
diff --git a/WebApi/Controllers/ConfigController.cs b/WebApi/Controllers/ConfigController.cs
@@ -16,8 +16,7 @@
 namespace WebApi.Controllers
 {
     [Authorize(Roles = "Admin")]
-    [Route("api/[controller]")]
-    [ApiController]
+    [Route("api/[controller]"), ApiController]
     public class ConfigController : ControllerBase
     {
         private readonly IConfigService _service;
diff --git a/WebApi/Controllers/EmployeeController.cs b/WebApi/Controllers/EmployeeController.cs
@@ -16,8 +16,7 @@
 namespace WebApi.Controllers
 {
     [Authorize(Roles = "Admin")]
-    [Route("api/[controller]")]
-    [ApiController]
+    [Route("api/[controller]"), ApiController]
     public class EmployeeController : ControllerBase
     {
         private readonly IEmployeeService _service;
@@ -46,6 +45,7 @@ public async Task<IActionResult> Find(Guid id)
         
         // PUT api/employee
         [HttpPut]
+        [AllowAnonymous]
         public async Task<IActionResult> Update(EmployeeViewModel model)
         {
             // Check if Card No already exist
diff --git a/WebApi/Controllers/LogController.cs b/WebApi/Controllers/LogController.cs
@@ -18,8 +18,7 @@
 namespace WebApi.Controllers
 {
     [Authorize]
-    [Route("api/[controller]")]
-    [ApiController]
+    [Route("api/[controller]"), ApiController]
     public class LogController : ControllerBase
     {
         private JsonSerializerSettings settings = new JsonSerializerSettings { Formatting = Formatting.Indented, ReferenceLoopHandling = ReferenceLoopHandling.Ignore };
@@ -40,9 +39,10 @@ public async Task<IActionResult> Index()
         }
 
         // POST api/log
-        [HttpPost]
         [AllowAnonymous]
-        public async Task<IActionResult> Log([FromBody] LogInOutViewModel model)
+        [ValidateAntiForgeryToken]
+        [HttpPost]
+        public async Task<IActionResult> Log(LogInOutViewModel model)
         {
             // Validate card no. & password
             var user = await _service.ValidateTimeInOutCredentials(model);
@@ -54,9 +54,9 @@ public async Task<IActionResult> Log([FromBody] LogInOutViewModel model)
         }
 
         // PUT api/log
-        [HttpPut]
         [Authorize(Roles = "Admin")]
-        public async Task<IActionResult> Update([FromBody]LogEditViewModel model)
+        [HttpPut]
+        public async Task<IActionResult> Update(LogEditViewModel model)
         {
             return new OkObjectResult(await _service.UpdateAsync(model));
         }
diff --git a/WebApi/Controllers/XsrfTokenController.cs b/WebApi/Controllers/XsrfTokenController.cs
@@ -0,0 +1,27 @@
+using Microsoft.AspNetCore.Antiforgery;
+using Microsoft.AspNetCore.Mvc;
+
+namespace WebApi.Controllers
+{
+    [Route("api/[controller]"), ApiController]
+    public class XsrfTokenController : ControllerBase
+    {
+        private readonly IAntiforgery _antiforgery;
+ 
+        public XsrfTokenController(IAntiforgery antiforgery)
+        {
+            _antiforgery = antiforgery;
+        }
+
+        [HttpGet]
+        public IActionResult Get()
+        {
+            var tokens = _antiforgery.GetAndStoreTokens(HttpContext);
+    
+            return new ObjectResult(new {
+                token = tokens.RequestToken,
+                tokenName = tokens.HeaderName
+            });
+        }
+    }
+}
diff --git a/WebApi/Services/LogService.cs b/WebApi/Services/LogService.cs
@@ -42,7 +42,6 @@ public async Task<IList<LogViewModel>> GetAllAsync()
                 return await _repoLog.Context.Query()
                     .Where(m => m.Deleted == null)
                     .OrderByDescending(m => m.Created)
-                    .Include(m => m.Employee)
                     .Select(m => new LogViewModel
                     {
                         Id = m.Id,
@@ -71,7 +70,6 @@ public async Task<LogViewModel> FindAsync(Guid id)
             {
                 return await _repoLog.Context.Query()
                     .Where(m => m.Id == id)
-                    .Include(m => m.Employee)
                     .Select(m => new LogViewModel
                     {
                         Id = m.Id,
diff --git a/WebApi/Startup.cs b/WebApi/Startup.cs
@@ -29,6 +29,7 @@
 using WebApi.Repositories;
 using WebApi.Helpers;
 using Hubs.BroadcastHub;
+using Microsoft.AspNetCore.Antiforgery;
 
 namespace WebApi
 {
@@ -106,28 +107,29 @@ public void ConfigureServices(IServiceCollection services)
             });
 
             // Add Identity
-            var builder = services.AddIdentityCore<User>(o =>
+            services.AddIdentityCore<User>(o =>
             {
-                // configure identity options
+                // Configure identity options
                 o.Password.RequireDigit = false;
                 o.Password.RequireLowercase = false;
                 o.Password.RequireUppercase = false;
                 o.Password.RequireNonAlphanumeric = false;
                 o.Password.RequiredLength = 6;
-            }).AddRoles<IdentityRole>();
-            builder = new IdentityBuilder(builder.UserType, typeof(IdentityRole), builder.Services);
-            builder.AddEntityFrameworkStores<ApplicationDbContext>().AddDefaultTokenProviders();
+            })
+            .AddRoles<IdentityRole>()
+            .AddEntityFrameworkStores<ApplicationDbContext>()
+            .AddDefaultTokenProviders();
 
             services.AddAutoMapper();
-            services.AddMvc(options => 
-                {
-                    // Add automatic model validation
-                    options.Filters.Add(typeof(ValidateModelStateAttribute));
-                    // options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute());
-                })
-                .SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
+            services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);
             
-            // services.AddAntiforgery(options => options.HeaderName = "X-XSRF-TOKEN");
+            // X-CSRF-Token
+            services.AddAntiforgery(options=> 
+            {
+                options.HeaderName = "X-XSRF-Token";
+                options.SuppressXFrameOptionsHeader = false;
+            });
+
             services.AddCors();
             services.AddSignalR();
 
@@ -192,6 +194,7 @@ public void Configure(IApplicationBuilder app, IHostingEnvironment env, IService
                     });
             });
 
+            // Enable CORS
             app.UseCors(builder =>
                  builder.AllowAnyOrigin()
                         .AllowAnyHeader()
@@ -201,25 +204,32 @@ public void Configure(IApplicationBuilder app, IHostingEnvironment env, IService
             
             app.UseAuthentication();
             app.UseMvc();
+
             app.Use(async (context, next) => 
             { 
-                await next(); 
+                await next();
+
                 if (context.Response.StatusCode == 404 && !Path.HasExtension(context.Request.Path.Value)) 
                 { 
                     context.Request.Path = "/index.html"; 
                     await next(); 
                 } 
             }); 
 
+            // Single Page Application set up
             app.UseDefaultFiles(); 
             app.UseStaticFiles();
 
+            // Set up SignalR Hubs
             app.UseSignalR(routes =>
             {
                 routes.MapHub<BroadcastHub>("/broadcast");
             });
 
+            // Identity user seed
             CreateUsersAndRoles(services).Wait();
+
+            // Default Attendance Configuration
             AttendanceConfiguration(services).Wait();
         }
 
diff --git a/WebClient/index.html b/WebClient/index.html
@@ -3,7 +3,7 @@
   <head>
     <meta charset="utf-8">
     <meta name="viewport" content="width=device-width,initial-scale=1.0">
-    <title>BDF Attendance System</title>
+    <title>Attendance System</title>
   </head>
   <body>
     <div id="app"></div>
diff --git a/WebClient/src/components/change-password.vue b/WebClient/src/components/change-password.vue
@@ -14,7 +14,7 @@
         </v-card-text>
         <v-card-actions>
             <v-spacer></v-spacer>
-            <v-btn color="orange" :loading="isLoading" @click="changePassword" >Update</v-btn>
+            <v-btn color="orange" :loading="isLoading" @click.prevent="changePassword" >Update</v-btn>
         </v-card-actions>
     </v-card>
 </template>
diff --git a/WebClient/src/components/employee-create.vue b/WebClient/src/components/employee-create.vue
@@ -32,7 +32,7 @@
             <v-card-actions>
                 <v-spacer></v-spacer>
                 <v-btn color="error" :loading="isLoading" @click.native="dialog = false">Cancel</v-btn>
-                <v-btn color="success" :loading="isLoading" @click="create">Save</v-btn>
+                <v-btn color="success" :loading="isLoading" @click.prevent="create">Save</v-btn>
             </v-card-actions>
         </v-card>
     </v-dialog>
diff --git a/WebClient/src/components/employee-edit.vue b/WebClient/src/components/employee-edit.vue
@@ -25,7 +25,7 @@
             <v-card-actions>
                 <v-spacer></v-spacer>
                 <v-btn color="error" :loading="isLoading" @click.native="dialog = false">Cancel</v-btn>
-                <v-btn color="success" :loading="isLoading" @click="edit">Update</v-btn>
+                <v-btn color="success" :loading="isLoading" @click.prevent="edit">Update</v-btn>
             </v-card-actions>
         </v-card>
     </v-dialog>
diff --git a/WebClient/src/components/employee-list.vue b/WebClient/src/components/employee-list.vue
@@ -14,7 +14,7 @@
                 <td>{{ props.item.position }}</td>
                 <td>{{ props.item.cardNo }}</td>
                 <td>
-                    <v-btn icon class="mx-0" @click="openDialog(props.item.id)">
+                    <v-btn icon class="mx-0" @click.prevent="openDialog(props.item.id)">
                         <v-icon color="teal">edit</v-icon>
                     </v-btn>
                 </td>
diff --git a/WebClient/src/components/log-edit.vue b/WebClient/src/components/log-edit.vue
@@ -81,7 +81,7 @@
             <v-card-actions>
                 <v-spacer></v-spacer>
                 <v-btn color="error" :loading="isLoading" @click.native="dialog = false">Cancel</v-btn>
-                <v-btn color="success" :loading="isLoading" @click="edit">Update</v-btn>
+                <v-btn color="success" :loading="isLoading" @click.prevent="edit">Update</v-btn>
             </v-card-actions>
         </v-card>
     </v-dialog>
diff --git a/WebClient/src/components/log-employee-form.vue b/WebClient/src/components/log-employee-form.vue
@@ -11,12 +11,12 @@
             v-model="form.cardno" required :rules="[required]" v-on:keyup.enter="$refs.password.focus()"></v-text-field>
             
             <v-text-field prepend-icon="lock" label="Password" type="password" color="orange" ref="password"
-            v-model="form.password" required :rules="[required]" v-on:keyup.enter="logEmp()"></v-text-field>
+            v-model="form.password" required :rules="[required]" v-on:keyup.enter.prevent="logEmp()"></v-text-field>
         </v-form>
         </v-card-text>
         <v-card-actions>    
             <v-spacer></v-spacer>   
-            <v-btn color="orange" :loading="isLoading" @click="logEmp">Login</v-btn>
+            <v-btn color="orange" :loading="isLoading" @click.prevent="logEmp">Login</v-btn>
         </v-card-actions>
     </v-card>
 </template>
@@ -49,11 +49,11 @@ export default {
                 this.$store.dispatch(LOG_EMPLOYEE, JSON.stringify(this.form)).then((res) => {
                     this.resetForm()
                     this.$refs.cardNo.focus()
-                    const notifDuration = 4000
+                    const notifDuration = 8000
                     if (res.timeOut === '' ) {
-                        this.$notify({ type: 'success', text: 'Welcome '+ res.fullName+ '!<br /> Time in: ' + res.timeIn, duration: notifDuration })
+                        this.$notify({ type: 'success', text: `Welcome ${res.fullName}!<br/> Time in: ${res.timeIn}`, duration: notifDuration })
                     } else {
-                        this.$notify({ type: 'success', text: 'Time out: ' + res.timeIn, duration: notifDuration })
+                        this.$notify({ type: 'warning', text: `Goodbye ${res.fullName}!<br/> Time out: ${res.timeIn}`, duration: notifDuration })
                     }
                 })
             }
diff --git a/WebClient/src/components/log-list.vue b/WebClient/src/components/log-list.vue
@@ -81,7 +81,7 @@ export default {
 
             if(this.isRole('Employee')) {
                 const userId = this.currentUser.user.empId
-                this.items = this.logs.filter(m => m.EmployeeId == userId)
+                this.items = this.logs.filter(m => m.employeeId === userId)
                 this.headers = [
                     { text: "Time In", value: "timeIn" },
                     { text: "Time Out", value: "timeOut" }
diff --git a/WebClient/src/components/login-form.vue b/WebClient/src/components/login-form.vue
@@ -10,12 +10,12 @@
             v-model="form.username" required :rules="[required]"></v-text-field>
             
             <v-text-field prepend-icon="lock" label="Password" type="password" color="orange"
-            v-model="form.password" required :rules="[required]"></v-text-field>
+            v-model="form.password" required :rules="[required]" v-on:keyup.enter.prevent="loginUser()"></v-text-field>
         </v-form>
         </v-card-text>
         <v-card-actions>
             <v-spacer></v-spacer>
-            <v-btn color="orange" @click="loginUser">Login</v-btn>
+            <v-btn color="orange" :loading="isLoading" @click.prevent="loginUser">Login</v-btn>
         </v-card-actions>
     </v-card>
 </template>
@@ -37,7 +37,7 @@ export default {
     },
 
     computed: {
-        ...mapGetters(["currentUser"])
+        ...mapGetters(["currentUser", "isLoading"])
     },
 
     methods: {
diff --git a/WebClient/src/components/nav-bar.vue b/WebClient/src/components/nav-bar.vue
diff --git a/WebClient/src/router/index.js b/WebClient/src/router/index.js
diff --git a/WebClient/src/services/api-service.js b/WebClient/src/services/api-service.js
diff --git a/WebClient/src/services/xsrf-service.js b/WebClient/src/services/xsrf-service.js

Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@`
`12`	`12`
`13`	`13`	`namespace WebApi.Controllers`
`14`	`14`	`{`
`15`		`- [Route("api/[controller]")]`
	`15`	`+ [Route("api/[controller]"), ApiController]`
`16`	`16`	`public class AuthController : ControllerBase`
`17`	`17`	`{`
`18`	`18`	`private readonly UserManager<User> _userManager;`
`@@ -37,7 +37,8 @@ public AuthController(`
`37`	`37`
`38`	`38`	`// POST api/auth/login`
`39`	`39`	`[HttpPost("login")]`
`40`		`- public async Task<IActionResult> Login([FromBody]LoginViewModel model)`
	`40`	`+ [ValidateAntiForgeryToken]`
	`41`	`+ public async Task<IActionResult> Login(LoginViewModel model)`
`41`	`42`	`{`
`42`	`43`	`// Check if password is correct`
`43`	`44`	`var user = await _userManager.FindByNameAsync(model.UserName);`
`@@ -59,24 +60,24 @@ public async Task<IActionResult> Login([FromBody]LoginViewModel model)`
`59`	`60`	`}`
`60`	`61`
`61`	`62`	`// POST api/auth/check`
`62`		`- [HttpGet("check")]`
`63`	`63`	`[Authorize]`
	`64`	`+ [HttpGet("check")]`
`64`	`65`	`public IActionResult Check()`
`65`	`66`	`{`
`66`	`67`	`return Ok();`
`67`	`68`	`}`
`68`	`69`
`69`	`70`	`// POST api/auth/is-admin`
`70`		`- [HttpGet("is-admin")]`
`71`	`71`	`[Authorize(Roles = "Admin")]`
	`72`	`+ [HttpGet("is-admin")]`
`72`	`73`	`public IActionResult IsAdmin()`
`73`	`74`	`{`
`74`	`75`	`return Ok();`
`75`	`76`	`}`
`76`	`77`
`77`	`78`	`// POST api/auth/is-employee`
`78`		`- [HttpGet("is-employee")]`
`79`	`79`	`[Authorize(Roles = "Employee")]`
	`80`	`+ [HttpGet("is-employee")]`
`80`	`81`	`public IActionResult IsEmployee()`
`81`	`82`	`{`
`82`	`83`	`return Ok();`
Original file line number	Diff line number	Diff line change
`@@ -16,8 +16,7 @@`
`16`	`16`	`namespace WebApi.Controllers`
`17`	`17`	`{`
`18`	`18`	`[Authorize(Roles = "Admin")]`
`19`		`- [Route("api/[controller]")]`
`20`		`- [ApiController]`
	`19`	`+ [Route("api/[controller]"), ApiController]`
`21`	`20`	`public class ConfigController : ControllerBase`
`22`	`21`	`{`
`23`	`22`	`private readonly IConfigService _service;`
Original file line number	Diff line number	Diff line change
`@@ -18,8 +18,7 @@`
`18`	`18`	`namespace WebApi.Controllers`
`19`	`19`	`{`
`20`	`20`	`[Authorize]`
`21`		`- [Route("api/[controller]")]`
`22`		`- [ApiController]`
	`21`	`+ [Route("api/[controller]"), ApiController]`
`23`	`22`	`public class LogController : ControllerBase`
`24`	`23`	`{`
`25`	`24`	`private JsonSerializerSettings settings = new JsonSerializerSettings { Formatting = Formatting.Indented, ReferenceLoopHandling = ReferenceLoopHandling.Ignore };`
`@@ -40,9 +39,10 @@ public async Task<IActionResult> Index()`
`40`	`39`	`}`
`41`	`40`
`42`	`41`	`// POST api/log`
`43`		`- [HttpPost]`
`44`	`42`	`[AllowAnonymous]`
`45`		`- public async Task<IActionResult> Log([FromBody] LogInOutViewModel model)`
	`43`	`+ [ValidateAntiForgeryToken]`
	`44`	`+ [HttpPost]`
	`45`	`+ public async Task<IActionResult> Log(LogInOutViewModel model)`
`46`	`46`	`{`
`47`	`47`	`// Validate card no. & password`
`48`	`48`	`var user = await _service.ValidateTimeInOutCredentials(model);`
`@@ -54,9 +54,9 @@ public async Task<IActionResult> Log([FromBody] LogInOutViewModel model)`
`54`	`54`	`}`
`55`	`55`
`56`	`56`	`// PUT api/log`
`57`		`- [HttpPut]`
`58`	`57`	`[Authorize(Roles = "Admin")]`
`59`		`- public async Task<IActionResult> Update([FromBody]LogEditViewModel model)`
	`58`	`+ [HttpPut]`
	`59`	`+ public async Task<IActionResult> Update(LogEditViewModel model)`
`60`	`60`	`{`
`61`	`61`	`return new OkObjectResult(await _service.UpdateAsync(model));`
`62`	`62`	`}`
Original file line number	Diff line number	Diff line change
`@@ -42,7 +42,6 @@ public async Task<IList<LogViewModel>> GetAllAsync()`
`42`	`42`	`return await _repoLog.Context.Query()`
`43`	`43`	`.Where(m => m.Deleted == null)`
`44`	`44`	`.OrderByDescending(m => m.Created)`
`45`		`- .Include(m => m.Employee)`
`46`	`45`	`.Select(m => new LogViewModel`
`47`	`46`	`{`
`48`	`47`	`Id = m.Id,`
`@@ -71,7 +70,6 @@ public async Task<LogViewModel> FindAsync(Guid id)`
`71`	`70`	`{`
`72`	`71`	`return await _repoLog.Context.Query()`
`73`	`72`	`.Where(m => m.Id == id)`
`74`		`- .Include(m => m.Employee)`
`75`	`73`	`.Select(m => new LogViewModel`
`76`	`74`	`{`
`77`	`75`	`Id = m.Id,`