jans icon indicating copy to clipboard operation
jans copied to clipboard
verified publisher icon JanssenProject

feat (jans-chip): Improve Registration / Login flow

Open NazarYavornytskyy opened this issue 2 years ago • 4 comments

Prepare

Description

Target issue

Implemented iOS demo for jans-chip project. Added Registration/Login and Main screens. Resolve tasks for everything except App Integrity and package checksum. Going to add these later

closes #issue-number-here

Implementation Details

iOS project was made using latest version of SwiftUI and Swift. Used Combine framework as reactive solution.

Test and Document the changes

  • [ ] Static code analysis has been run locally and issues have been fixed
  • [ ] Relevant unit and integration tests have been added/updated
  • [ ] Relevant documentation has been updated if any (i.e. user guides, installation and configuration guides, technical design docs etc)

Closes #6306,

NazarYavornytskyy avatar Oct 16 '23 09:10 NazarYavornytskyy

Error: Hi @NazarYavornytskyy, You did not reference an open issue in your PR. I attempted to create an issue for you.
Please update that issues' title and body and make sure I correctly referenced it in the above PRs body.

mo-auto avatar Oct 16 '23 09:10 mo-auto

Error: Hi @NazarYavornytskyy, You did not reference an open issue in your PR. I attempted to create an issue for you. Please update that issues' title and body and make sure I correctly referenced it in the above PRs body.

So, I added more details with additional information concerning this PR. Can you review and make a decision?

NazarYavornytskyy avatar Nov 21 '23 14:11 NazarYavornytskyy

Hi there :wave:, @dryrunsecurity here, below is a summary of our analysis and findings.

DryRun Security Status Findings
Server-Side Request Forgery Analyzer :white_check_mark: 0 findings
Configured Codepaths Analyzer :white_check_mark: 0 findings
Secrets Analyzer :white_check_mark: 0 findings
Authn/Authz Analyzer :white_check_mark: 0 findings
SQL Injection Analyzer :white_check_mark: 0 findings
Sensitive Files Analyzer :white_check_mark: 0 findings
IDOR Analyzer :white_check_mark: 0 findings

[!Note] :green_circle: Risk threshold not exceeded.

Change Summary (click to expand)

The following is a summary of changes in this pull request made by me, your security buddy :robot:. Note that this summary is auto-generated and not meant to be a definitive list of security issues but rather a helpful summary from a security perspective.

Summary:

The provided code changes cover a wide range of modifications to the "Jans-Chip" iOS application, with a focus on enhancing the application's security and authentication-related functionality. The changes include updates to the Xcode project configuration, integration with the Realm database for storing sensitive data, implementation of OpenID Connect (OIDC) authentication, and various security-related utility functions.

Key security-related changes include:

  1. Secure Logout: The AfterLoginViewInteractor class handles the logout process, ensuring that the user's access and refresh tokens are properly revoked.
  2. Sensitive Data Handling: The application uses the Realm database to store sensitive information, such as OIDC client details and configuration data. Proper security measures should be implemented to protect this data.
  3. Application Integrity Checks: The code includes functionality for verifying the integrity of the application, such as calculating checksums and leveraging the DeviceCheck framework.
  4. DPoP JWT Generation: The DPoPProofFactory class is responsible for generating Demonstration of Proof (DPoP) JSON Web Tokens (JWT), which is a security mechanism used to authenticate and authorize client applications.
  5. Dynamic Client Registration (DCR): The DCRRepository class handles the DCR process, which is used to register the client application with an OIDC provider.

Overall, the code changes demonstrate a focus on improving the security and authentication capabilities of the "Jans-Chip" iOS application. However, it's important to review the entire codebase and ensure that the implementation of these security-related features is robust and follows best practices for secure application development.

Files Changed:

  1. demos/jans-chip/ios/Jans-Chip.xcodeproj/project.xcworkspace/contents.xcworkspacedata: This file is a standard Xcode workspace configuration and does not introduce any security concerns.
  2. demos/jans-chip/ios/Jans-Chip.xcodeproj/project.xcworkspace/xcshareddata/IDEWorkspaceChecks.plist: This file contains a warning flag related to 32-bit compatibility, which is a routine update and does not raise any security concerns.
  3. demos/jans-chip/android/build.gradle.kts: The changes update the Android Gradle plugin version, which should be reviewed to ensure that the new version does not introduce any known security vulnerabilities.
  4. demos/jans-chip/ios/Jans-Chip.xcodeproj/xcuserdata/nyavornytskyi.xcuserdatad/xcdebugger/Breakpoints_v2.xcbkptlist: This is a user-specific Xcode configuration file and does not contain any sensitive information.
  5. demos/jans-chip/ios/Jans-Chip.xcodeproj/project.xcworkspace/xcshareddata/swiftpm/Package.resolved: This file updates the Swift Package Manager dependencies, which should be reviewed to ensure that the included libraries are secure and up-to-date.
  6. demos/jans-chip/ios/Jans-Chip.xcodeproj/xcuserdata/nyavornytskyi.xcuserdatad/xcschemes/xcschememanagement.plist: This is a user-specific Xcode configuration file and does not contain any sensitive information.
  7. demos/jans-chip/ios/Jans-Chip/AfterLoginView/AfterLoginView.swift: This file implements the "After Login" view, which displays the user's information. The security of this functionality should be reviewed, especially regarding the handling of sensitive user data.
  8. demos/jans-chip/ios/Jans-Chip/AfterLoginView/AfterLoginViewAssembler.swift: This file is responsible for assembling the "After Login" view and its dependencies, which is an important part of the application's architecture.
  9. demos/jans-chip/ios/Jans-Chip/AfterLoginView/AfterLoginViewInteractor.swift: This file handles the user's actions after they have logged in, such as logging out. The security of the logout process should be reviewed.
  10. demos/jans-chip/ios/Jans-Chip/AfterLoginView/AfterLoginViewPresenter.swift: This file implements the presenter for the "After

Powered by DryRun Security

dryrunsecurity[bot] avatar Jul 08 '24 07:07 dryrunsecurity[bot]

DryRun Security Summary

The provided text summarizes changes to GitHub Actions workflows for the Janssen Project, highlighting a comprehensive approach to application security through measures like secure token management, dependency management, code linting, and cryptographic signing across various workflow configurations.

Expand for full summary

Summary:

The provided code changes cover a wide range of GitHub Actions workflows and configuration files for the Janssen Project. The changes focus on various aspects of the project, including build and deployment, documentation, code quality, and release management.

From an application security perspective, the changes generally demonstrate a strong commitment to secure development practices. The workflows implement measures such as secure token management, dependency management, code linting, and cryptographic signing of commits. These practices help to maintain the security and integrity of the codebase.

However, some of the changes also highlight areas that require ongoing attention and review. These include ensuring the secure handling of sensitive information (e.g., hardcoded credentials, API keys), maintaining up-to-date dependencies, and thoroughly reviewing the impact of changes on the overall security posture of the application.

Files Changed:

  1. .github/workflows/activate-nightly-build.yml: This workflow is responsible for activating a nightly build of the project. Key security considerations include secure secrets management, dependency management, and the execution environment.

  2. .github/CODEOWNERS: Changes to the CODEOWNERS file impact code ownership and review processes, which are important for maintaining application security.

  3. .github/workflows/backport.yml: This workflow automates the backporting of closed and labeled pull requests. Secure token usage and input validation are important security considerations.

  4. .github/pull_request_template.md: The changes to the pull request template encourage the use of task lists, which can have security implications if not properly managed.

  5. .github/workflows/build-wars.yml: This workflow builds and deploys Java-based projects. Secure credentials, dependency management, and parallel execution are key security aspects.

  6. .github/workflows/central_code_quality_check.yml: This workflow runs Sonar analysis on the codebase, which helps identify potential security vulnerabilities and code quality issues.

  7. .github/workflows/build-docs.yml: The documentation build and deployment workflow ensures the security and integrity of the published documentation.

  8. .github/workflows/build-packages.yml: This workflow builds and publishes various binary and Python packages, with a focus on secure signing and checksums.

  9. .github/workflows/delete_workflow_runs.yml: The workflow for deleting old workflow runs helps maintain the repository's health and security.

  10. .github/workflows/clean_github_cache.yml: This workflow cleans up GitHub Actions caches associated with closed pull requests, which is a security-conscious practice.

  11. .github/workflows/commit-check.yml: The commit message validation workflow helps maintain code quality and consistency, which is an important security practice.

  12. .github/workflows/codeql-analysis.yml: The configuration for the CodeQL analysis workflow demonstrates a commitment to identifying and addressing security vulnerabilities.

  13. .github/workflows/docker_imagescan.yml: This workflow scans Docker images for vulnerabilities, which is a crucial security measure.

  14. .github/workflows/docs.yml: The documentation-focused workflow includes security-conscious measures, such as automatic merging of in-house documentation changes.

  15. .github/workflows/docker_build_image.yml: The Docker image build and deployment workflow incorporates security-focused practices, such as secure image hosting and conditional building.

  16. .github/workflows/flake8-lint.yml: The Python linting workflow helps catch potential security issues early in the development process.

  17. .github/workflows/label_pr_issues.yml: This workflow automates the labeling of pull requests and issues, which can have indirect security implications.

  18. .github/workflows/jans_pycloud_build_package.yml: The workflow for updating the jans-pycloudlib dependency demonstrates security-conscious practices, such as GPG signing.

  19. .github/workflows/pr-ref-issue.yml: This workflow enforces the practice of linking pull requests to open issues, which can improve the traceability and security of the development process.

  20. .github/workflows/python-pytest.yml: The Python unit testing workflow includes considerations around dependency management and sensitive data handling.

  21. .github/workflows/release.yaml: The release management workflow incorporates security-focused practices, such as GPG signing and version control.

  22. .github/workflows/sync.yml: This workflow updates the terraform-provider-jans repository based on changes in a pull request, with a focus on secure Git operations.

  23. .github/workflows/scorecard.yml: The Scorecard supply-chain security analysis workflow demonstrates a commitment to identifying potential security issues

Code Analysis

We ran 9 analyzers against 30 files and 0 analyzers had findings. 9 analyzers had no findings.

View PR in the DryRun Dashboard.

dryrunsecurity[bot] avatar Jul 17 '24 07:07 dryrunsecurity[bot]