Merge pull request 'Hardened certificate loading' (#129 ) from dataprotection into master

Reviewed-on: #129
Hardened certificate loading
2026-06-14 23:34:59 +02:00 · 2026-06-14 23:34:25 +02:00 · 2026-06-14 23:10:42 +02:00 · 2026-06-14 23:10:09 +02:00 · 2026-06-14 22:52:05 +02:00 · 2026-06-14 22:50:31 +02:00
1 changed files with 20 additions and 3 deletions
@@ -54,12 +54,20 @@ public static class Api
    public static IServiceCollection AddLiteCharmsWebSecurity(this IServiceCollection services, IConfiguration configuration)
    {
-        var certificate = X509CertificateLoader.LoadPkcs12(Convert.FromBase64String(configuration["DataProtection:Certificate"]!), configuration["DataProtection:Password"]);
+        var certString = configuration["DataProtection:Certificate"] ?? configuration["DataProtection__Certificate"];
        var certPassword = configuration["DataProtection:Password"] ?? configuration["DataProtection__Password"];
        if (string.IsNullOrEmpty(certString))
            throw new InvalidOperationException("Data Protection Certificate configuration is missing.");
        var certificate = X509CertificateLoader.LoadPkcs12(Convert.FromBase64String(certString), certPassword);
        services.AddDataProtection().PersistKeysToDbContext<DataProtectionDbContext>()
            .ProtectKeysWithCertificate(certificate)
            .SetApplicationName("LiteCharmsApp");
        services.Configure<DataProtectionOptions>(options => options.ApplicationDiscriminator = "LiteCharmsApp");
        services.ConfigureCookieOidcSameSiteSupport();
        var configSection = configuration.GetSection(nameof(LiteCharmsSettings));
@@ -137,8 +145,17 @@ public static class Api
    private static void CheckSameSite(HttpContext httpContext, CookieOptions options)
    {
        if (options.SameSite == SameSiteMode.None)
-            if (!httpContext.Request.IsHttps && httpContext.Request.Headers["X-Forwarded-Proto"] != "https") 
+        {
-                options.SameSite = SameSiteMode.Unspecified;
+            bool isSecure = httpContext.Request.IsHttps;
            if (!isSecure && httpContext.Request.Headers.TryGetValue("X-Forwarded-Proto", out var proto))
                isSecure = string.Equals(proto, "https", StringComparison.OrdinalIgnoreCase);
            if (!isSecure && httpContext.Request.Headers.TryGetValue("Forwarded", out var forwarded))
                isSecure = forwarded.ToString().Contains("proto=https", StringComparison.OrdinalIgnoreCase);
            if (!isSecure) options.SameSite = SameSiteMode.Unspecified;
        }
    }
    public static IServiceCollection AddLiteCharmsApiSecurity(this IServiceCollection services, IConfiguration configuration)
Author	SHA1	Message	Date
khwezi	ad2ea48592	Merge pull request 'Hardened certificate loading' (#129 ) from dataprotection into master Reviewed-on: #129	2026-06-14 23:34:59 +02:00
Khwezi Mngoma	bf36bb6bbc	Hardened certificate loading continuous-integration/drone/pr Build is passing Details	2026-06-14 23:34:25 +02:00
khwezi	0a9a459892	Merge pull request 'Refactored AddLiteCharmsWebSecurity to force a session recycling of keys on other pods' (#128 ) from dataprotection into master Reviewed-on: #128	2026-06-14 23:10:42 +02:00
Khwezi Mngoma	00d43c8f10	Refactored AddLiteCharmsWebSecurity to force a session recycling of keys on other pods continuous-integration/drone/pr Build is passing Details	2026-06-14 23:10:09 +02:00
khwezi	f5a69de0a0	Merge pull request 'Refactored CheckSameSite' (#127 ) from dataprotection into master Reviewed-on: #127	2026-06-14 22:52:05 +02:00
Khwezi Mngoma	40a5f94941	Refactored CheckSameSite continuous-integration/drone/pr Build is passing Details	2026-06-14 22:50:31 +02:00