
Default Passphrase - Change per Environment #5182

maharatha created

I would like to change the default passphrase per environment. Dev/QA/Stage and Prod. Any ideas?


11 Answer(s)
  • bbakermmc created

    Set a variable in your CI/CD to pass the value into your appsettings and have the hash pull from that value? (I dont remember where the password hash creator lives off the top of my head.) Another option would be to store it as a "Setting" and pull from there.

  • mikatmlvertti created

    @maharatha were you able to make it an environment variable? I was also thinking of this, since I don't want the passphrase to be visible in project files.

    I was wondering where I should overwrite SimpleStringCipher DefaultPassPhrase so the startup value is not being used, and how to handle the Seed HostRoleAndUserCreator where the Host admin user is created and given an encrypted Password?

  • alper created (Support Team)

    • You can store it in the database with encryption. You can also use Settings, as it reads the AbpSettings table.

    • You can also use an environment variable:

    Environment.GetEnvironmentVariable("myPassPhrase")
    

    This is where you should set it:

    SimpleStringCipher.DefaultPassPhrase = "...";
    
  • mikatmlvertti created

    Hi @alper, yes, I am going to use an environment variable, but I need help with these questions:

    1. Where should I insert this code line?
    SimpleStringCipher.DefaultPassPhrase = "...";

    2. How do I provide the default password for the Host admin when the database is created for the first time in the seed method?
  • mikatmlvertti created

    It seems that user passwords are not hashed with SimpleStringCipher, so I can forget that.

    My main concern is for Q1: if I put it in the module's PreInitialize(), is it being used before my change takes effect?

    Q3: Why is there a different DefaultPassPhrase in the template's Application.Shared -> AppConsts class?

  • alper created (Support Team)

    Hi,

    Use AppConsts.DefaultPassPhrase. The other one is in the ABP framework; Zero overrides that.

  • mikatmlvertti created

    @alper

    > The other one is in the ABP framework, Zero overrides that.

    Where and when is it being overridden?

    I changed AppConsts DefaultPassPhrase to a static string and set it in the Application module's PreInitialize method. I also put a breakpoint on the getter so I was able to see if it was being used before it was initialized.

    //public const string DefaultPassPhrase = "old code";
    private static string _defaultPassPhrase;
    public static string DefaultPassPhrase
    {
        get
        {
            if (_defaultPassPhrase == null)
                throw new AbpException("DefaultPassPhrase was not set before getter was being used!");
            return _defaultPassPhrase;
        }
        set
        {
            _defaultPassPhrase = value;
        }
    }
    

    I also set a breakpoint in my TenantCache extension object, where SimpleStringCipher.Instance.Decrypt is being used, and noticed that SimpleStringCipher's DefaultPassPhrase was not changed there. It was still the one you recommend changing??

  • alper created (Support Team)

    See:

    • https://github.com/aspnetzero/aspnet-zero-core/blob/0619e6f8ce314963135a7220fe1d447138361bf3/aspnet-core/src/MyCompanyName.AbpZeroTemplate.Web.Core/Controllers/TokenAuthController.cs#L537
    • https://github.com/aspnetzero/aspnet-zero-core/blob/0619e6f8ce314963135a7220fe1d447138361bf3/aspnet-core/src/MyCompanyName.AbpZeroTemplate.Web.Host/Startup/AuthConfigurer.cs#L83
  • mikatmlvertti created

    Yes, but that does NOT CHANGE SimpleStringCipher.DefaultPassPhrase, which is being used, for example, for tenant-specific db connection string encrypting and decrypting in TenantManager:

    ConnectionString = connectionString.IsNullOrWhiteSpace() ? null : SimpleStringCipher.Instance.Encrypt(connectionString),

    (https://github.com/aspnetboilerplate/aspnetboilerplate/blob/dev/src/Abp/Runtime/Security/SimpleStringCipher_NetStandard.cs#L48) Lines 48, 68 and 109.

    And there at line 26:

    > /// It's recommended to set to another value for security.

    So the question still remains: is there somewhere a line in the Zero module like

    SimpleStringCipher.DefaultPassPhrase = AppConsts.DefaultPassPhrase
    

    or should I add it myself somewhere?

  • alper created (Support Team)

    > or should I add it for my self to somewhere?

    You can set it in your project.

  • mikatmlvertti created

    > you can set it in your project.

    Yes, I can. My only concern is that if it is being used somewhere before my set command takes place, it may cause encrypt/decrypt failures for the "before my set command" encryptions.
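As an added illustration (not code from this thread or from the ASP.NET Zero project), here is one way to set the passphrase from an environment variable in a module's PreInitialize so it is in place before anything calls SimpleStringCipher.Instance, failing fast instead of falling back to the shipped default. The module name, the variable name and the RoundTrips helper are assumptions.

```csharp
using System;
using Abp;
using Abp.Modules;
using Abp.Runtime.Security;

// Hypothetical module; in a real solution this belongs in the lowest-level
// module (the *.Core project) that every other module depends on, so that
// its PreInitialize runs before any module that encrypts or decrypts.
public class MyCoreModule : AbpModule
{
    // Assumed variable name; give it a different value per environment
    // (Dev/QA/Stage/Prod) in the CI/CD or host configuration.
    private const string PassPhraseVariable = "APP_ENCRYPTION_PASSPHRASE";

    public override void PreInitialize()
    {
        var passPhrase = Environment.GetEnvironmentVariable(PassPhraseVariable);
        if (string.IsNullOrWhiteSpace(passPhrase))
        {
            // Refuse to start rather than silently encrypting tenant
            // connection strings with the publicly known default passphrase.
            throw new AbpException($"{PassPhraseVariable} is not set for this environment.");
        }

        // This is the value SimpleStringCipher.Instance.Encrypt/Decrypt use
        // when no passphrase is passed explicitly (e.g. tenant connection
        // strings in TenantManager). AppConsts.DefaultPassPhrase is a
        // separate constant and is not changed by this assignment.
        SimpleStringCipher.DefaultPassPhrase = passPhrase;
    }

    // Sanity check (assumed helper): a value encrypted after the passphrase
    // is set must decrypt with the same instance. Values encrypted under an
    // earlier passphrase will not, which is the ordering concern above.
    public static bool RoundTrips(string plainText)
    {
        var cipherText = SimpleStringCipher.Instance.Encrypt(plainText);
        return SimpleStringCipher.Instance.Decrypt(cipherText) == plainText;
    }
}
```

Any ciphertext already stored in the database (for example a tenant connection string encrypted under the old passphrase) must be re-encrypted once, since SimpleStringCipher.Instance will only decrypt it with the passphrase that produced it.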