ISecuritySettings

Namespace: ASPSecurityKit
Assembly: ASPSecurityKit.dll

Summary

Defines configuration settings for security pipeline.

Properties

LetSuspendedAuthenticate

Summary

Gets or sets a value indicating whether suspended users should be allowed to successfully authenticate. The default is false.

Value

true if suspended users should be allowed to successfully authenticate; otherwise, false.

MustHaveBeenVerified

Summary

Gets or sets a value indicating whether user must have been verified to execute requests. The default is true.

Value

true if user must have been verified; otherwise, false.

Remarks

If MustHaveBeenVerified is true and if current user is not verified, operation execution is halted and an unauthorized response is returned. You can explicitly opt out operations from verification by using VerificationNotRequired. See your platform specific ASK library docs to learn how operations can be marked with request features.

HmacMaxAgeInSeconds

Summary

Gets or sets the HMAC maximum age in seconds. Set it as low as possible to prevent replay attacks. Default is 300 (5 minutes).

Value

The HMAC maximum age in seconds. Set it as low as possible to prevent replay attacks.

Exceptions
Type Description
System.ArgumentException When value is not a positive integer (>= 1).
Remarks

The default value is 300 (5 minutes). If there’s no value provided or the value provided is less than or equal to 0, the default value will be returned. To configure this setting in configuration file, provide a value for the key by the same name HmacMaxAgeInSeconds in the appSettings section.

IsDevelopmentEnvironment

Summary

Gets or sets a value indicating whether current application execution environment is development. The default is false. Used by such things as WriteToResponse to decide how much error details to emit to response.

Value

true if current application execution environment is development; otherwise, false.

FirewallEnabled

Summary

Gets or sets a value indicating whether IP firewall is enabled. The default is true.

Value

true if IP firewall is enabled; otherwise, false.

IgnoreFirewallWithServiceHMacToken

Summary

Gets or sets a value indicating whether IP firewall check should be ignored when service hmac token is being used. The default is true.

Value

true if IP firewall check should be ignored when service hmac token is being used; otherwise, false.

AllowedVerbsForQSToken

Summary

Gets or sets the verbs (HTTP methods) allowed for embedding HMAC tokens QSHmac in queryString. Default is GET.

Value

The verbs (HTTP methods) allowed for embedding HMAC tokens QSHmac in queryString.

AllowedOperationsForImpersonation

Summary

Gets or sets a list of ImpersonateAllowOperation rules that determines which operations are allowed during impersonation without needing to explicitly indicate the same on the operation. The default is GET (for read-only impersonation).

Value

A list of ImpersonateAllowOperation rules that determines which operations are allowed during impersonation.

MFAAliveForMinutes

Summary

Gets or sets the duration in minutes of inactivity after which MFA is required again. The minimum is 5 and the default is 30.

Exceptions
Type Description
System.ArgumentException When value is less than 5.
Remarks

The default value is 30 minutes. If there’s no value provided or the value provided is less than 5, the default value will be returned. To configure this setting in configuration file, provide a value for the key by the same name MFAAliveForMinutes in the appSettings section.

PasswordResetTokenExpirationInMinutes

Summary

Gets or sets the time interval, in minutes, the password reset token is valid after it is generated.

Value

The time interval, in minutes, the password reset token is valid after it is generated.

Exceptions
Type Description
System.ArgumentException When value is not a positive integer.
Remarks

The default value is 30. If there’s no value provided or the value provided is less than or equal to 0, the default value will be returned. To configure this setting in configuration file, provide a value for the key by the same name PasswordResetTokenExpirationInMinutes in the appSettings section.

RememberMeTimeoutInMinutes

Summary

Gets or sets the timeout period in minutes for persistent authentication cookie (when remember me is true).

Value

The timeout period in minutes for persistent authentication cookie (when remember me is true).

Exceptions
Type Description
System.ArgumentException When value is not a positive integer.
Remarks

The default value is 21600 (15 days). If there’s no value provided or the value provided is less than or equal to 0, the default value will be returned. To configure this setting in configuration file, provide a value for the key by the same name RememberMeTimeoutInMinutes in the appSettings section.

PasswordHashingIterations

Summary

Gets or sets the iteration count to use when computing password hash with PBKDF2. This shouldn’t be lower than 1000 for production environment. Don’t compromise hash strength to speed up execution. For test environments this can be lowered down to minimum expectable value.

Value

The iteration count to use when computing password hash with PBKDF2.

Exceptions
Type Description
System.ArgumentException When value is not a positive integer.
Remarks

The default value is 1000. If there’s no value provided or the value provided is less than or equal to 0, the default value will be returned. This shouldn’t be lower than 1000 for production environment. Don’t compromise hash strength to speed up execution. For test environments this can be lowered down to minimum expectable value. To configure this setting in configuration file, provide a value for the key by the same name PasswordHashingIterations in the appSettings section.

ThrowSecurityFailureAsException

Summary

Gets or sets a value indicating whether security failure should be thrown as AuthFailedException. The default is false.

Value

true if security failure should be thrown as AuthFailedException; otherwise, false.

AuthCookieOptions

Summary

Gets or sets the default options for the Cookie.

Value

The default options for the Cookie.

Exceptions
Type Description
System.ArgumentNullException When value is null.
Remarks

The default is new CookieOptions { HttpOnly = true, SameSite = SameSiteOption.Lax, Path = “/” }. The ExpiresIn isn’t set by default because RememberMeTimeoutInMinutes is already there to define the timeout default for all kinds of login schemes.

UnprotectedRequestPaths

Summary

Gets the request paths (AbsolutePath) to be not protected by ASPSecurityKit’s security pipeline. Match is Case-insensitive. A full match with the incoming request path is required with an item in this collection, to avoid unintended paths be unprotected due to partial match. Use this setting to specify endpoints like those related to API documentation, which never need authentication and access checks. For public operations like SignUp/SignIn, don’t use this setting; use the AllowAnonymousAttribute instead, as in such cases, you would still prefer to validate input for XSS and AuthToken sent in the request.

Value

The request paths to be not protected by ASPSecurityKit’s security pipeline.

Remarks

The default is empty List`1.

ValidateXss

Summary

Gets or sets a value indicating whether cross-site scripting (XSS) validation should be performed on the request input. The default is true for all environment except for frameworks like ASP.NET MVC5, which have their own built-in XSS validation.

Value

A Boolean value indicating whether cross-site scripting (XSS) validation should be performed on the request input.

Methods

IsMFAEnabled()

Summary

Determines whether or not multi-factor authentication is enabled. The default is true.

Returns

true if multi-factor authentication is enabled; otherwise, false.

Parameters

This method has no parameters.

GetMFAWhitelistedIPRanges()

Summary

Gets the IP ranges through which any originating request does not go through MFA at all. The default is null (MFA is not skipped for any traffic).

Returns

The IP ranges through which any originating request does not go through MFA at all.

Parameters

This method has no parameters.

GetPasswordExpirationIntervalInDays(user)

Summary

Gets the number of days after which password will expire for the user. The default is null (no expiration).

Returns

The number of days after which password will expire for the user.

Parameters
Name Type Description
user ASPSecurityKit.IUser Optional; The user instance for which password expiration needs to be updated. Helps in determining the applicable password expiration policy in a multi-tenant environment. null when new user is being created.

IsUnprotected(absoluteUri)

Summary

Gets whether the given URL is part of the UnprotectedRequestPaths collection.

Returns

true if the given URL is part of the UnprotectedRequestPaths collection; otherwise, false.

Parameters
Name Type Description
absoluteUri System.String The requested URL. If it’s null/empty/whitespace, no match shall be attempted.
Remarks

The default implementation uses the logic as described in the UnprotectedRequestPaths but you can extend it to anything you desire.

IsMFAEnabledAsync()

Summary

Determines whether or not multi-factor authentication is enabled. The default is true.

Returns

true if multi-factor authentication is enabled; otherwise, false.

Parameters

This method has no parameters.

IsMFAEnabledAsync(cancellationToken)

Summary

Determines whether or not multi-factor authentication is enabled. The default is true.

Returns

true if multi-factor authentication is enabled; otherwise, false.

Parameters
Name Type Description
cancellationToken System.Threading.CancellationToken The cancellation token.

GetMFAWhitelistedIPRangesAsync()

Summary

Gets the IP ranges through which any originating request does not go through MFA at all. The default is null (MFA is not skipped for any traffic).

Returns

The IP ranges through which any originating request does not go through MFA at all.

Parameters

This method has no parameters.

GetMFAWhitelistedIPRangesAsync(cancellationToken)

Summary

Gets the IP ranges through which any originating request does not go through MFA at all. The default is null (MFA is not skipped for any traffic).

Returns

The IP ranges through which any originating request does not go through MFA at all.

Parameters
Name Type Description
cancellationToken System.Threading.CancellationToken The cancellation token.

GetPasswordExpirationIntervalInDaysAsync(user)

Summary

Gets the number of days after which password will expire for the user. The default is null (no expiration).

Returns

The number of days after which password will expire for the user.

Parameters
Name Type Description
user ASPSecurityKit.IUser Optional; The user instance for which password expiration needs to be updated. Helps in determining the applicable password expiration policy in a multi-tenant environment. null when new user is being created.

GetPasswordExpirationIntervalInDaysAsync(user,cancellationToken)

Summary

Gets the number of days after which password will expire for the user. The default is null (no expiration).

Returns

The number of days after which password will expire for the user.

Parameters
Name Type Description
user System.Threading.CancellationToken Optional; The user instance for which password expiration needs to be updated. Helps in determining the applicable password expiration policy in a multi-tenant environment. null when new user is being created.
cancellationToken ASPSecurityKit.IUser The cancellation token.

IsUnprotectedAsync(absoluteUri)

Summary

Gets whether the given URL is part of the UnprotectedRequestPaths collection.

Returns

true if the given URL is part of the UnprotectedRequestPaths collection; otherwise, false.

Parameters
Name Type Description
absoluteUri System.String The requested URL. If it’s null/empty/whitespace, no match shall be attempted.
Remarks

The default implementation uses the logic as described in the UnprotectedRequestPaths but you can extend it to anything you desire.

IsUnprotectedAsync(absoluteUri,cancellationToken)

Summary

Gets whether the given URL is part of the UnprotectedRequestPaths collection.

Returns

true if the given URL is part of the UnprotectedRequestPaths collection; otherwise, false.

Parameters
Name Type Description
absoluteUri System.String The requested URL. If it’s null/empty/whitespace, no match shall be attempted.
cancellationToken System.Threading.CancellationToken The cancellation token.
Remarks

The default implementation uses the logic as described in the UnprotectedRequestPaths but you can extend it to anything you desire.