I would like to change the default passphrase per environment. Dev/QA/Stage and Prod. Any ideas?
11 Answer(s)
-
0
Set a variable in your CI/CD to pass the value into your appsettings and have the hash pull from that value? (I dont remember where the password hash creator lives off the top of my head.) Another option would be to store it as a "Setting" and pull from there.
-
0
@maharatha were you able to make it enviromental variable? I also was thinking this since I don't wan't passphrase to be visible in project files.
I was wondering where I should overwrite SimpleStringCipher DefaultPassPhrase so the startup value is not being used and how to handle Seed HostRoleAndUserCreator where Host admin user is created and it is given encrypted Password?
-
0
You can store in database with encryption. You can also use Settings as it reads AbpSettings table.
You can also use environment variable.
Environment.GetEnvironmentVariable("myPassPhrase")This is where you should set
SimpleStringCipher.DefaultPassPhrase = "..."; -
0
Hi @alper Yes I am going to use enviromental variable, but I need help with these questions:
- Where should I insert this code line
SimpleStringCipher.DefaultPassPhrase = "...";- How to provide default password for Host admin when database is created for the first time in seed method?
-
0
It seems that user passwords are not hashed with SimpleStringCipher so I can forget that.
Main concern is for the Q1 that if I but it at Modules PreInitialize(), is it being used before my change takes effect?
Q3: Why there is different DefaultPassPhrase at templates Application.Shared -> AppConsts class?
-
0
hi,
Use AppConsts.DefaultPassPhrase . The other one is in the ABP framework, Zero overrides that.
-
0
@alper
The other one is in the ABP framework, Zero overrides that.
Where and when it is being overrided?
I changed AppConst DefaultPassPhrase to static string and set it at Application modules PreInitialize method. I also put breakpoint to getter so I was able to see if it it was being used before it was initialized.
//public const string DefaultPassPhrase = "old code"; private static string _defaultPassPhrase; public static string DefaultPassPhrase { get { if (_defaultPassPhrase == null) throw new AbpException("DefaultPassPhrase was not set before getter was being used!"); return _defaultPassPhrase; } set { _defaultPassPhrase = value; } }I also set breakpoint to my TenantCache extension object, where SimpleStringCipher.Instance.Decrypt is being used and noticed that there SimpleStringCipher's DefaultPassPhrase was not changed. It still was the one, you recommend to change??
-
0
see
- <a class="postlink" href="https://github.com/aspnetzero/aspnet-zero-core/blob/0619e6f8ce314963135a7220fe1d447138361bf3/aspnet-core/src/MyCompanyName.AbpZeroTemplate.Web.Core/Controllers/TokenAuthController.cs#L537">https://github.com/aspnetzero/aspnet-ze ... er.cs#L537</a>
- <a class="postlink" href="https://github.com/aspnetzero/aspnet-zero-core/blob/0619e6f8ce314963135a7220fe1d447138361bf3/aspnet-core/src/MyCompanyName.AbpZeroTemplate.Web.Host/Startup/AuthConfigurer.cs#L83">https://github.com/aspnetzero/aspnet-ze ... rer.cs#L83</a>
-
0
Yes, but that does NOT <ins>CHANGE</ins>SimpleStringCipher.DefaultPassPhrase, which is being used for example for Tenant specific dbconnection string encrypting and decrypting TenantManager: ConnectionString = connectionString.IsNullOrWhiteSpace() ? null : SimpleStringCipher.Instance.Encrypt(connectionString),
[https://github.com/aspnetboilerplate/aspnetboilerplate/blob/dev/src/Abp/Runtime/Security/SimpleStringCipher_NetStandard.cs#L48]) Lines 48, 68 and 109.
And there at line 26: > /// It's recommented to set to another value for security.
So the question still remains: is there somewhere line in Zero module:
SimpleStringCipher.DefaultPassPhrase = AppConsts.DefaultPassPhraseor should I add it for my self to somewhere?
-
0
or should I add it for my self to somewhere?
you can set it in your project.
-
0
you can set it in your project.
yes I can. My only consern is that if it is being used somewhere before my set command takes plase, it may cause encrypt/decrupt failures for the "before my set commad" encryptions.
