feat(templates): improve boilerplate security with dotnet dev-certs a…

…nd dotnet user-secrets commands #6688 (#6689)
bitfoundation · Jan 23, 2024 · a921316 · a921316
1 parent 1f2c068
commit a921316
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 14 deletions.
diff --git a/...erplate/Bit.Boilerplate/src/Boilerplate.Server/Extensions/IServiceCollectionExtensions.cs b/...erplate/Bit.Boilerplate/src/Boilerplate.Server/Extensions/IServiceCollectionExtensions.cs
@@ -39,14 +39,20 @@ public static void AddBlazor(this IServiceCollection services, IConfiguration co
         services.AddClientWebServices();
     }
 
-    public static void AddIdentity(this IServiceCollection services, IConfiguration configuration)
+    public static void AddIdentity(this IServiceCollection services, IConfiguration configuration, IWebHostEnvironment hostEnv)
     {
         var appSettings = configuration.GetSection(nameof(AppSettings)).Get<AppSettings>()!;
         var settings = appSettings.IdentitySettings;
 
         var certificatePath = Path.Combine(Directory.GetCurrentDirectory(), "IdentityCertificate.pfx");
         var certificate = new X509Certificate2(certificatePath, appSettings.IdentitySettings.IdentityCertificatePassword, OperatingSystem.IsWindows() ? X509KeyStorageFlags.EphemeralKeySet : X509KeyStorageFlags.DefaultKeySet);
 
+        bool isBoilerplateTestCertificate = certificate.Thumbprint is "55140A8C935AB5202949071E5781E6946CD60606"; // The default test certificate is still in use
+        if (hostEnv.IsDevelopment() is false)
+        {
+            throw new InvalidOperationException(@"The default test certificate is still in use. Please replace it with a new one by running the 'dotnet dev-certs https --export-path IdentityCertificate.pfx --password P@ssw0rdP@ssw0rd' command in the server project's folder.");
+        }
+
         services.AddDataProtection()
             .PersistKeysToDbContext<AppDbContext>()
             .ProtectKeysWithCertificate(certificate);

diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Boilerplate.Server/IdentityCertificate.pfx b/src/Templates/Boilerplate/Bit.Boilerplate/src/Boilerplate.Server/IdentityCertificate.pfx
diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Boilerplate.Server/Startup/Services.cs b/src/Templates/Boilerplate/Bit.Boilerplate/src/Boilerplate.Server/Startup/Services.cs
@@ -85,7 +85,7 @@ public static void Add(IServiceCollection services, IWebHostEnvironment env, ICo
 
         services.AddSwaggerGen();
 
-        services.AddIdentity(configuration);
+        services.AddIdentity(configuration, env);
 
         services.AddHealthChecks(env, configuration);
 

diff --git a/src/Templates/Boilerplate/Bit.Boilerplate/src/Boilerplate.Server/appsettings.json b/src/Templates/Boilerplate/Bit.Boilerplate/src/Boilerplate.Server/appsettings.json
@@ -10,17 +10,17 @@
         "IdentitySettings": {
             "Issuer": "Boilerplate",
             "Audience": "Boilerplate",
-            "IdentityCertificatePassword": "P@ssw0rdP@ssw0rd",
-            "BearerTokenExpiration": "0.01:00:00", //Format: D.HH:mm:ss
-            "RefreshTokenExpiration": "14.00:00:00", //Format: D.HH:mm:ss
+            "IdentityCertificatePassword": "P@ssw0rdP@ssw0rd", // It can also be configured using: dotnet user-secrets set "AppSettings:IdentitySettings:IdentityCertificatePassword" "P@ssw0rdP@ssw0rd"
+            "BearerTokenExpiration": "0.01:00:00", // Format: D.HH:mm:ss
+            "RefreshTokenExpiration": "14.00:00:00", // Format: D.HH:mm:ss
             "PasswordRequireDigit": "false",
             "PasswordRequiredLength": "6",
             "PasswordRequireNonAlphanumeric": "false",
             "PasswordRequireUppercase": "false",
             "PasswordRequireLowercase": "false",
             "RequireUniqueEmail": "true",
-            "ConfirmationEmailResendDelay": "0.00:02:00", //Format: D.HH:mm:ss
-            "ResetPasswordEmailResendDelay": "0.00:02:00" //Format: D.HH:mm:ss
+            "ConfirmationEmailResendDelay": "0.00:02:00", // Format: D.HH:mm:ss
+            "ResetPasswordEmailResendDelay": "0.00:02:00" // Format: D.HH:mm:ss
         },
         "EmailSettings": {
             "Host": "LocalFolder", // Local folder means storing emails as .eml file in bin/Debug/net8.0/sent-emails folder (Recommended for testing purposes only) instead of sending them using smtp server.

diff --git a/...s/Platform/src/Bit.Websites.Platform.Client/Pages/Templates/Templates13SettingsPage.razor b/...s/Platform/src/Bit.Websites.Platform.Client/Pages/Templates/Templates13SettingsPage.razor
@@ -24,26 +24,25 @@
         <pre class="code-box">"IdentitySettings": {
     "Issuer": "Boilerplate",
     "Audience": "Boilerplate",
-    "IdentityCertificatePassword": "P@ssw0rdP@ssw0rd",
-    "BearerTokenExpiration": "0.01:00:00", //Format: D.HH:mm:ss
-    "RefreshTokenExpiration": "14.00:00:00", //Format: D.HH:mm:ss
+    "IdentityCertificatePassword": "P@ssw0rdP@ssw0rd", // It can also be configured using: dotnet user-secrets set "AppSettings:IdentitySettings:IdentityCertificatePassword" "P@ssw0rdP@ssw0rd"
+    "BearerTokenExpiration": "0.01:00:00", // Format: D.HH:mm:ss
+    "RefreshTokenExpiration": "14.00:00:00", // Format: D.HH:mm:ss
     "PasswordRequireDigit": "false",
     "PasswordRequiredLength": "6",
     "PasswordRequireNonAlphanumeric": "false",
     "PasswordRequireUppercase": "false",
     "PasswordRequireLowercase": "false",
     "RequireUniqueEmail": "true",
-    "ConfirmationEmailResendDelay": "0.00:02:00", //Format: D.HH:mm:ss
-    "ResetPasswordEmailResendDelay": "0.00:02:00" //Format: D.HH:mm:ss
+    "ConfirmationEmailResendDelay": "0.00:02:00", // Format: D.HH:mm:ss
+    "ResetPasswordEmailResendDelay": "0.00:02:00" // Format: D.HH:mm:ss
 }</pre>
         <div class="section-card-txt">
             <b>Note</b>: IdentityCertificatePassword referring to the password of the
             <b>IdentityCertificate.pfx</b> file in the Server project that used as certificate file
             for store the public key and etc for validating incoming JWT tokens.
             To create PFX file run the following commands in PowerShell with the desired password and file path for your pfx file.
         </div>
-        <pre class="code-box">$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -Subject "IdentityServerCN" -Provider "Microsoft Strong Cryptographic Provider" -HashAlgorithm "SHA512" -NotAfter (Get-Date).AddYears(5)
-Export-PfxCertificate -cert ('Cert:\LocalMachine\My\' + $cert.thumbprint) -FilePath IdentityCertificate.pfx -Password (ConvertTo-SecureString -String "P@ssw0rdP@ssw0rd" -Force -AsPlainText)</pre>
+        <pre class="code-box">dotnet dev-certs https --export-path IdentityCertificate.pfx --password P@ssw0rdP@ssw0rd</pre>
         <b>Note</b>: Replace P@ssw0rdP@ssw0rd with strong password and use that as IdentityCertificatePassword's value in appsettings.json
     </section>