Update dependencies and improve authentication security#198
Merged
Conversation
- Bump NuGet package versions across all projects
- Use constant-time comparison for API key and password checks
- Refactor authentication result handling for clarity
- Change claims parameters to IEnumerable<Claim> for flexibility
- Improve issuer/audience validation logic in JwtBearerService
- Remove explicit culture from Basic auth regex

Closes #196
Pull request overview
This PR updates NuGet dependencies and strengthens authentication flows by improving claim handling (avoiding fixed-size claim collection mutations) and introducing constant-time comparisons for configured API key/basic credentials.
Changes:
- Bumped OpenAPI/Swashbuckle and SimpleAuthenticationTools.Abstractions package versions across library and samples.
- Refactored API Key / Basic auth handlers to use CryptographicOperations.FixedTimeEquals and to accept IEnumerable<Claim> (defensively materializing to a mutable list before updating claims).
- Updated JwtBearerService token creation signature to IEnumerable<Claim> and adjusted issuer/audience validation toggles.
Reviewed changes
Copilot reviewed 14 out of 14 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/SimpleAuthentication/SimpleAuthentication.csproj | Bumps OpenAPI + SimpleAuthenticationTools.Abstractions package versions. |
| src/SimpleAuthentication/JwtBearer/JwtBearerService.cs | Changes claims parameter to IEnumerable<Claim>, materializes claims to list, and tweaks issuer/audience validation flags. |
| src/SimpleAuthentication/BasicAuthentication/BasicAuthenticationHandler.cs | Uses fixed-time comparisons for configured credentials; materializes claims to list before updating; removes regex culture. |
| src/SimpleAuthentication/ApiKey/ApiKeyAuthenticationHandler.cs | Uses fixed-time comparison for configured API keys; materializes claims to list before updating. |
| src/SimpleAuthentication.Swashbuckle/SimpleAuthentication.Swashbuckle.csproj | Bumps SimpleAuthenticationTools.Abstractions and Swashbuckle.SwaggerGen. |
| samples/MinimalApis/Net8JwtBearerSample/Net8JwtBearerSample.csproj | Bumps Swashbuckle.AspNetCore version. |
| samples/MinimalApis/JwtBearerSample/JwtBearerSample.csproj | Bumps OpenAPI + Swashbuckle.SwaggerUI versions. |
| samples/MinimalApis/BasicAuthenticationSample/BasicAuthenticationSample.csproj | Bumps OpenAPI + Swashbuckle.SwaggerUI versions. |
| samples/MinimalApis/ApiKeySample/Program.cs | Updates validator sample to return claims array to validate fixed-size-claims handling. |
| samples/MinimalApis/ApiKeySample/ApiKeySample.csproj | Bumps OpenAPI + Swashbuckle.SwaggerUI versions. |
| samples/Controllers/JwtBearerSample/JwtBearerSample.csproj | Bumps OpenAPI + Swashbuckle.SwaggerUI versions. |
| samples/Controllers/BasicAuthenticationSample/BasicAuthenticationSample.csproj | Bumps OpenAPI + Swashbuckle.SwaggerUI versions. |
| samples/Controllers/ApiKeySample/ApiKeySample.csproj | Bumps OpenAPI + Swashbuckle.SwaggerUI versions. |
| README.md | Normalizes “NuGet” capitalization in badge label. |
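An added example, not code from the SimpleAuthentication project or from this PR, showing the two points the review summary raises: matching a presented API key or Basic credential against configured values in constant time, and copying an IEnumerable<Claim> returned by a validator into a mutable list before adding claims (a validator that returns an array would otherwise fail on Add). The example goes one step beyond the PR: it hashes both sides with SHA-256 before calling FixedTimeEquals, so the compared spans always have the same length, and it combines the user-name and password results with a non-short-circuiting `&`. The ApiKeySetting record, the method names and the sample keys are constructed for illustration and are not the library's types.

```csharp
#nullable enable
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;

// Constructed sample type for this example; not the library's settings class.
public sealed record ApiKeySetting(string Value, string UserName);

public static class ConstantTimeAuth
{
    // Hash both sides so the spans given to FixedTimeEquals are always 32 bytes.
    // FixedTimeEquals returns false immediately on a length mismatch, so comparing
    // raw strings would reveal whether the presented secret has a configured length.
    private static byte[] Digest(string? value) =>
        SHA256.HashData(Encoding.UTF8.GetBytes(value ?? string.Empty));

    public static bool SecretEquals(string? configured, string? presented) =>
        CryptographicOperations.FixedTimeEquals(Digest(configured), Digest(presented));

    // Visit every configured key rather than stopping at the first match, so the
    // time taken does not depend on which entry (if any) matched.
    public static ApiKeySetting? FindApiKey(IEnumerable<ApiKeySetting> apiKeys, string presented)
    {
        ApiKeySetting? match = null;
        foreach (var key in apiKeys)
        {
            bool ok = SecretEquals(key.Value, presented);
            match = ok && match is null ? key : match;
        }
        return match;
    }

    // Both comparisons always run; with '&&' the password check would be skipped
    // for unknown user names and the response time would reveal valid ones.
    public static bool CredentialEquals(string configuredUser, string configuredPassword, string user, string password)
    {
        bool userOk = SecretEquals(configuredUser, user);
        bool passOk = SecretEquals(configuredPassword, password);
        return userOk & passOk;
    }

    // A validator may hand back a fixed-size collection such as an array, and
    // ICollection<Claim>.Add on an array throws NotSupportedException. Copy to a
    // List<Claim> first, then add the Name claim only if the validator omitted it.
    public static ClaimsIdentity BuildIdentity(IEnumerable<Claim>? validatorClaims, string userName, string scheme)
    {
        var claims = validatorClaims?.ToList() ?? new List<Claim>();
        if (!claims.Any(c => c.Type == ClaimTypes.Name))
        {
            claims.Add(new Claim(ClaimTypes.Name, userName));
        }
        return new ClaimsIdentity(claims, scheme);
    }

    public static void Main()
    {
        // Constructed sample configuration; keys of different lengths on purpose.
        var keys = new[]
        {
            new ApiKeySetting("9f1c2a7e4b8d", "alice"),
            new ApiKeySetting("0c3e5f7a9b1d2e4f", "bob"),
        };

        Console.WriteLine(FindApiKey(keys, "0c3e5f7a9b1d2e4f")?.UserName ?? "(no match)");
        Console.WriteLine(FindApiKey(keys, "0c3e5f7a9b1d2e4e")?.UserName ?? "(no match)");

        Console.WriteLine(CredentialEquals("admin", "hunter2", "admin", "hunter2"));
        Console.WriteLine(CredentialEquals("admin", "hunter2", "admin", "hunter3"));

        // Array from a validator: fixed size, so it must be copied before Add.
        var fromValidator = new[] { new Claim(ClaimTypes.Role, "Reader") };
        var identity = BuildIdentity(fromValidator, "alice", "ApiKey");
        Console.WriteLine(string.Join(", ",
            identity.Claims.Select(c => $"{c.Type.Split('/').Last()}={c.Value}")));
    }
}
```

Hashing before comparing costs one SHA-256 per configured entry per request, which is negligible for the handful of keys these handlers hold; what it buys is that neither the length of a configured key nor the position of a match is observable through timing.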
Assign value.ToString() to a variable before comparing API keys, improving readability and preventing multiple ToString() calls during fixed-time equality checks.
Comment on lines +60 to +61
| var credential = credentials.FirstOrDefault(c => CryptographicOperations.FixedTimeEquals(MemoryMarshal.AsBytes(c.UserName.AsSpan()), MemoryMarshal.AsBytes(userName.AsSpan())) | ||
| && CryptographicOperations.FixedTimeEquals(MemoryMarshal.AsBytes(c.Password.AsSpan()), MemoryMarshal.AsBytes(password.AsSpan()))); |
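Review bot: the `&&` between the two FixedTimeEquals calls short-circuits, so the password comparison runs only for entries whose user name matched; a caller timing responses can tell valid user names from invalid ones. Evaluate both comparisons into locals and combine with the non-short-circuiting `&`, e.g. `var userOk = CryptographicOperations.FixedTimeEquals(...UserName...); var passOk = CryptographicOperations.FixedTimeEquals(...Password...); return userOk & passOk;`. FirstOrDefault also stops at the first matching entry, which makes the position of the matching user name observable; iterating every entry removes that if it matters for this deployment.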
Comment on lines +46 to +53
| var providedApiKey = value.ToString(); | ||
| var apiKey = apiKeys.FirstOrDefault(a => CryptographicOperations.FixedTimeEquals(MemoryMarshal.AsBytes(a.Value.AsSpan()), MemoryMarshal.AsBytes(providedApiKey.AsSpan()))); | ||
|
|
||
| if (apiKey is null) | ||
| { | ||
|
|
||
| return AuthenticateResult.Fail("Invalid API Key"); | ||
| } |
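Review bot: CryptographicOperations.FixedTimeEquals returns false as soon as the two spans differ in length, so this comparison is constant-time only against configured keys that have the same length as the presented one, and a caller can learn the length of each configured key by timing. If keys are not all generated at one fixed length, hash both sides (for example with SHA256.HashData) before calling FixedTimeEquals so the inputs are always 32 bytes. Hoisting value.ToString() into providedApiKey, as suggested above, also avoids re-materializing the header value on every iteration of the FirstOrDefault predicate.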
Added RegexOptions.CultureInvariant to the [GeneratedRegex] attribute for BasicAuthorizationHeaderRegex. This change ensures consistent parsing of the Basic authentication header regardless of the current culture settings.