security: harden config, argon2 defaults, and non-blocking incident logging

Author: modestustr

SecurityHelperLibrary.Sample/Program.cs

@@ -42,13 +42,36 @@
 
 string jwtIssuer = builder.Configuration["SecurityAudit:Jwt:Issuer"] ?? "SecurityHelperLibrary.Sample";
 string jwtAudience = builder.Configuration["SecurityAudit:Jwt:Audience"] ?? "SecurityHelperLibrary.Sample.Admin";
-string jwtSigningKey = builder.Configuration["SecurityAudit:Jwt:SigningKey"] ?? "change-this-signing-key-at-least-32-characters";
-byte[] jwtSigningKeyBytes = Encoding.UTF8.GetBytes(jwtSigningKey);
+string jwtSigningKeyBase64 = builder.Configuration["SecurityAudit:Jwt:SigningKeyBase64"];
+if (string.IsNullOrWhiteSpace(jwtSigningKeyBase64) || jwtSigningKeyBase64.StartsWith("__SET_VIA_ENV", StringComparison.Ordinal))
+{
+    throw new InvalidOperationException("SecurityAudit:Jwt:SigningKeyBase64 must be provided via environment/secret store.");
+}
+
+byte[] jwtSigningKeyBytes;
+try
+{
+    jwtSigningKeyBytes = Convert.FromBase64String(jwtSigningKeyBase64);
+}
+catch (FormatException)
+{
+    throw new InvalidOperationException("SecurityAudit:Jwt:SigningKeyBase64 must be valid Base64.");
+}
+
 if (jwtSigningKeyBytes.Length < 32)
 {
-    throw new InvalidOperationException("SecurityAudit:Jwt:SigningKey must be at least 32 characters.");
+    throw new InvalidOperationException("SecurityAudit:Jwt:SigningKeyBase64 must decode to at least 32 bytes.");
 }
 
+string connectionString = builder.Configuration.GetConnectionString("DefaultConnection");
+if (string.IsNullOrWhiteSpace(connectionString) || connectionString.StartsWith("__SET_VIA_ENV", StringComparison.Ordinal))
+{
+    throw new InvalidOperationException("ConnectionStrings:DefaultConnection must be provided via environment/secret store.");
+}
+
+byte[] validationSigningKey = (byte[])jwtSigningKeyBytes.Clone();
+Array.Clear(jwtSigningKeyBytes, 0, jwtSigningKeyBytes.Length);
+
 builder.Services
     .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
     .AddJwtBearer(options =>
@@ -61,7 +84,7 @@
             ValidateLifetime = true,
             ValidIssuer = jwtIssuer,
             ValidAudience = jwtAudience,
-            IssuerSigningKey = new SymmetricSecurityKey(jwtSigningKeyBytes),
+            IssuerSigningKey = new SymmetricSecurityKey(validationSigningKey),
             ClockSkew = TimeSpan.Zero
         };
     });
@@ -72,9 +95,6 @@
 // SQLite connection string points to "app.db" in the application directory
 // This makes it easy to develop locally without setting up a database server
 // In production, switch to SQL Server, PostgreSQL, Azure SQL, etc.
-string connectionString = builder.Configuration.GetConnectionString("DefaultConnection")
-    ?? "Data Source=app.db"; // Fallback to local SQLite if not configured
-
 builder.Services.AddDbContext<ApplicationDbContext>(options =>
 {
     // Use SQLite provider
@@ -100,15 +120,24 @@
 builder.Services.AddSingleton<ISecurityIncidentStore, InMemorySecurityIncidentStore>();
 builder.Services.AddScoped<ISecurityHelper>(serviceProvider =>
 {
+    var configuration = serviceProvider.GetRequiredService<IConfiguration>();
     var incidentStore = serviceProvider.GetRequiredService<ISecurityIncidentStore>();
     var loggerFactory = serviceProvider.GetRequiredService<ILoggerFactory>();
     var incidentLogger = loggerFactory.CreateLogger("SecurityIncidents");
+    var argon2Options = new SecurityHelperOptions
+    {
+        Argon2DefaultIterations = configuration.GetValue<int?>("SecurityHelper:Argon2Defaults:Iterations") ?? 4,
+        Argon2DefaultMemoryKb = configuration.GetValue<int?>("SecurityHelper:Argon2Defaults:MemoryKb") ?? 131072,
+        Argon2DefaultDegreeOfParallelism = configuration.GetValue<int?>("SecurityHelper:Argon2Defaults:DegreeOfParallelism") ?? 4,
+        Argon2DefaultHashLength = configuration.GetValue<int?>("SecurityHelper:Argon2Defaults:HashLength") ?? 32
+    };
 
     return new SecurityHelper(incidentCode =>
     {
+        string structuredIncident = $"SEC_EVT|source=SecurityHelper|code={incidentCode}|ts={DateTimeOffset.UtcNow:O}";
         incidentStore.Add(incidentCode);
-        incidentLogger.LogWarning("Security incident detected: {IncidentCode}", incidentCode);
-    });
+        incidentLogger.LogWarning("Security incident detected: {Incident}", structuredIncident);
+    }, argon2Options);
 });
 
 // Add CORS (Cross-Origin Resource Sharing) for frontend access

SecurityHelperLibrary.Sample/Services/JwtTokenService.cs

@@ -64,13 +64,24 @@ public JwtTokenResult CreateToken(User user)
             claims.Add(new Claim(JwtRegisteredClaimNames.Email, user.Email));
         }
 
-        string signingKey = _configuration["SecurityAudit:Jwt:SigningKey"] ?? "change-this-signing-key-at-least-32-characters";
-        byte[] keyBytes = Encoding.UTF8.GetBytes(signingKey);
+        string signingKeyBase64 = _configuration["SecurityAudit:Jwt:SigningKeyBase64"];
+        if (string.IsNullOrWhiteSpace(signingKeyBase64) || signingKeyBase64.StartsWith("__SET_VIA_ENV", StringComparison.Ordinal))
+            throw new InvalidOperationException("SecurityAudit:Jwt:SigningKeyBase64 must be provided via environment/secret store.");
+
+        byte[] keyBytes;
+        try
+        {
+            keyBytes = Convert.FromBase64String(signingKeyBase64);
+        }
+        catch (FormatException)
+        {
+            throw new InvalidOperationException("SecurityAudit:Jwt:SigningKeyBase64 must be valid Base64.");
+        }
 
         if (keyBytes.Length < 32)
         {
             SecureZero(keyBytes);
-            throw new InvalidOperationException("SecurityAudit:Jwt:SigningKey must be at least 32 characters.");
+            throw new InvalidOperationException("SecurityAudit:Jwt:SigningKeyBase64 must decode to at least 32 bytes.");
         }
 
         try

SecurityHelperLibrary.Sample/appsettings.json

@@ -7,18 +7,26 @@
   },
   "AllowedHosts": "*",
   "ConnectionStrings": {
-    "DefaultConnection": "Data Source=app.db"
+    "DefaultConnection": "__SET_VIA_ENV__"
   },
   "SecurityAudit": {
     "Jwt": {
       "Issuer": "SecurityHelperLibrary.Sample",
       "Audience": "SecurityHelperLibrary.Sample.Admin",
-      "SigningKey": "change-this-signing-key-at-least-32-characters",
+      "SigningKeyBase64": "__SET_VIA_ENV_BASE64__",
       "AccessTokenMinutes": 60
     },
     "AdminUsers": [
       "admin",
       "admin@example.com"
     ]
+  },
+  "SecurityHelper": {
+    "Argon2Defaults": {
+      "Iterations": 4,
+      "MemoryKb": 131072,
+      "DegreeOfParallelism": 4,
+      "HashLength": 32
+    }
   }
 }

SecurityHelperLibrary.Tests/SecurityHelperLibraryPentestTests.cs

@@ -4,6 +4,7 @@
 using System.Linq;
 using System.Reflection;
 using System.Security.Cryptography;
+using System.Threading;
 using SecurityHelperLibrary;
 using Xunit;
 
@@ -46,8 +47,9 @@ public void SecurityIncident_LogsInternalReasonCode_WithoutLeakingToCaller()
                 helperWithLogger.VerifyPasswordWithPBKDF2("wrong", "invalid_format"));
 
             Assert.Equal(GenericError, ex.Message);
+            SpinWait.SpinUntil(() => incidents.Count > 0, 250);
             Assert.NotEmpty(incidents);
-            Assert.Contains(incidents, code => code.StartsWith("PBKDF2_", StringComparison.Ordinal));
+            Assert.Contains(incidents, code => code.IndexOf("code=PBKDF2_", StringComparison.Ordinal) >= 0);
             Assert.DoesNotContain("invalid_format", string.Join(";", incidents));
         }
 

SecurityHelperLibrary/SecurityHelperLibrary.cs

@@ -2,6 +2,7 @@
 using System.Security.Cryptography;
 using System.Text;
 using System.ComponentModel;
+using System.Threading;
 using Isopoh.Cryptography.Argon2;
 
 namespace SecurityHelperLibrary
@@ -16,17 +17,62 @@ public class SecurityHelper : ISecurityHelper
         private const int MinHashLengthBytes = 16;
         private const int MinArgon2Iterations = 3;
         private const int MinArgon2MemoryKb = 65536;
+        private const int BaselineArgon2Iterations = 4;
+        private const int BaselineArgon2MemoryKb = 131072;
+        private const int BaselineArgon2DegreeOfParallelism = 4;
+        private const int BaselineArgon2HashLength = 32;
         private const int MaxArgon2DegreeOfParallelism = 64;
         private readonly Action<string> _securityIncidentLogger;
+        private readonly int _defaultArgon2Iterations;
+        private readonly int _defaultArgon2MemoryKb;
+        private readonly int _defaultArgon2DegreeOfParallelism;
+        private readonly int _defaultArgon2HashLength;
 
         public SecurityHelper()
-            : this(null)
+            : this((Action<string>)null)
         {
         }
 
         public SecurityHelper(Action<string> securityIncidentLogger)
+            : this(securityIncidentLogger, null)
+        {
+        }
+
+        public SecurityHelper(SecurityHelperOptions options)
+            : this(null, options)
+        {
+        }
+
+        public SecurityHelper(Action<string> securityIncidentLogger, SecurityHelperOptions options)
         {
             _securityIncidentLogger = securityIncidentLogger;
+            if (options == null)
+            {
+                _defaultArgon2Iterations = BaselineArgon2Iterations;
+                _defaultArgon2MemoryKb = BaselineArgon2MemoryKb;
+                _defaultArgon2DegreeOfParallelism = BaselineArgon2DegreeOfParallelism;
+                _defaultArgon2HashLength = BaselineArgon2HashLength;
+                return;
+            }
+
+            _defaultArgon2Iterations = options.Argon2DefaultIterations >= MinArgon2Iterations
+                ? options.Argon2DefaultIterations
+                : MinArgon2Iterations;
+
+            _defaultArgon2MemoryKb = options.Argon2DefaultMemoryKb >= MinArgon2MemoryKb
+                ? options.Argon2DefaultMemoryKb
+                : MinArgon2MemoryKb;
+
+            _defaultArgon2DegreeOfParallelism = options.Argon2DefaultDegreeOfParallelism >= 1
+                ? options.Argon2DefaultDegreeOfParallelism
+                : 1;
+
+            if (_defaultArgon2DegreeOfParallelism > MaxArgon2DegreeOfParallelism)
+                _defaultArgon2DegreeOfParallelism = MaxArgon2DegreeOfParallelism;
+
+            _defaultArgon2HashLength = options.Argon2DefaultHashLength >= MinHashLengthBytes
+                ? options.Argon2DefaultHashLength
+                : BaselineArgon2HashLength;
         }
 
         // --- IMMUTABLE WORKING METHODS ---
@@ -234,6 +280,7 @@ private static HashAlgorithm GetHashAlgorithm(HashAlgorithmName hashAlgorithm)
 #endif
         public string HashPasswordWithArgon2(string password, string salt, int iterations = 4, int memoryKb = 131072, int degreeOfParallelism = 4, int hashLength = 32)
         {
+            ApplyArgon2Defaults(ref iterations, ref memoryKb, ref degreeOfParallelism, ref hashLength);
 #if NET6_0_OR_GREATER
             if (string.IsNullOrEmpty(password))
                 throw new ArgumentException("Password cannot be null or empty.", nameof(password));
@@ -290,6 +337,7 @@ public string HashPasswordWithArgon2(string password, string salt, int iteration
         /// </summary>
         public string HashPasswordWithArgon2(ReadOnlySpan<char> password, string salt, int iterations = 4, int memoryKb = 131072, int degreeOfParallelism = 4, int hashLength = 32)
         {
+            ApplyArgon2Defaults(ref iterations, ref memoryKb, ref degreeOfParallelism, ref hashLength);
             if (password.Length == 0)
                 throw new ArgumentException("Password cannot be empty.", nameof(password));
             if (string.IsNullOrWhiteSpace(salt))
@@ -689,17 +737,42 @@ private CryptographicException CreateInvalidSecurityParametersException(string i
             return new CryptographicException(GenericSecurityErrorMessage);
         }
 
+        private void ApplyArgon2Defaults(ref int iterations, ref int memoryKb, ref int degreeOfParallelism, ref int hashLength)
+        {
+            if (iterations == BaselineArgon2Iterations)
+                iterations = _defaultArgon2Iterations;
+
+            if (memoryKb == BaselineArgon2MemoryKb)
+                memoryKb = _defaultArgon2MemoryKb;
+
+            if (degreeOfParallelism == BaselineArgon2DegreeOfParallelism)
+                degreeOfParallelism = _defaultArgon2DegreeOfParallelism;
+
+            if (hashLength == BaselineArgon2HashLength)
+                hashLength = _defaultArgon2HashLength;
+        }
+
         private void LogSecurityIncident(string incidentCode, Exception exception)
         {
             if (_securityIncidentLogger == null)
                 return;
 
+            string payload = exception == null
+                ? $"SEC_EVT|code={incidentCode}|exception=None"
+                : $"SEC_EVT|code={incidentCode}|exception={exception.GetType().Name}";
+
             try
             {
-                if (exception == null)
-                    _securityIncidentLogger.Invoke(incidentCode);
-                else
-                    _securityIncidentLogger.Invoke($"{incidentCode}|{exception.GetType().Name}");
+                ThreadPool.QueueUserWorkItem(_ =>
+                {
+                    try
+                    {
+                        _securityIncidentLogger.Invoke(payload);
+                    }
+                    catch
+                    {
+                    }
+                });
             }
             catch
             {

SecurityHelperLibrary/SecurityHelperOptions.cs

@@ -0,0 +1,10 @@
+namespace SecurityHelperLibrary
+{
+    public sealed class SecurityHelperOptions
+    {
+        public int Argon2DefaultIterations { get; set; } = 4;
+        public int Argon2DefaultMemoryKb { get; set; } = 131072;
+        public int Argon2DefaultDegreeOfParallelism { get; set; } = 4;
+        public int Argon2DefaultHashLength { get; set; } = 32;
+    }
+}