Optimize for cases when --use-cookies RClone flag is not used.

nzbdav-dev · nzbdav-dev · commit f24b40fb8e76 · 2025-08-04T03:58:18.000-07:00
diff --git a/backend/Utils/PasswordUtil.cs b/backend/Utils/PasswordUtil.cs
@@ -1,9 +1,11 @@
 ﻿using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.Caching.Memory;
 
 namespace NzbWebDAV.Utils;
 
 public static class PasswordUtil
 {
+    private static readonly MemoryCache Cache = new(new MemoryCacheOptions() { SizeLimit = 5 });
     private static readonly PasswordHasher<object> Hasher = new();
 
     public static string Hash(string password, string salt = "")
@@ -13,6 +15,19 @@ public static string Hash(string password, string salt = "")
 
     public static bool Verify(string hash, string password, string salt = "")
     {
-        return Hasher.VerifyHashedPassword(null!, hash, password + salt) == PasswordVerificationResult.Success;
+        // If users forget to add the "--use-cookies" argument to Rclone, then Rclone will not store
+        // session cookies, which means the Authorization header from HTTP Basic Auth will be sent and
+        // validated on every single request. This means the password from the Authorization header will
+        // get hashed on every single request in order to compare it against the hashed password in the
+        // database. Password hashing is intentionally designed to be super slow in order to slow down brute
+        // force attacks. Several hundred milliseconds would be added to every single webdav request
+        // when the "--use-cookies" Rclone argument is not used, if not for the memory cache added here.
+        return Cache.GetOrCreate(new CacheKey(hash, password, salt), cacheEntry =>
+        {
+            cacheEntry.Size = 1;
+            return Hasher.VerifyHashedPassword(null!, hash, password + salt);
+        }) == PasswordVerificationResult.Success;
     }
+
+    private record CacheKey(string Hash, string Password, string Salt);
 }
