添加管理员页面而没有完整的用户管理 [英] Add admin page without full fledged user management

问题描述

我正在使用ASP.NET Core MVC 2.0构建一个相当简单的网站，该网站或多或少是一个图片库，仅对我而言.到目前为止，我还没有使用任何数据库.它只是一个带有元数据和图像文件本身的json文件.

I am building a rather simple site with ASP.NET Core MVC 2.0 that is more or less an image gallery, just for me. I am not using any database so far. It is just a json file with metadata and the image files itself.

现在，该网站应该获得一个隐藏的管理页面，我(只有我)可以在该页面上上传新图片.

Now this site is supposed to get a hidden admin page where I (and only I) can upload new pictures.

什么是添加此管理页面而又无需向网站引入全面的用户管理的简单但仍安全的方法?我想避免向该站点添加数据库和实体框架等-只有一个用户.

What would be a simple but still secure way to add this admin page without having to introduce a full fledged user management to the site? I'd like to avoid to add a database and entity framework etc. to the site - there will only be one user.

换句话说，在只有一个用户(即管理员)的情况下，添加用户管理的安全而简单的方法是什么.

In other words, what is a secure and simple way to add user management where there are is only one user that authenticates: Me, the admin.

推荐答案

将所需用户名/密码的哈希版本存储在appsettings.json中，然后重新哈希通过登录屏幕提供的值并进行比较.

Store a hashed version of your desired username/password in the appsettings.json and then rehash the values provided through the login screen and compare them.

这是一个如何完成登录的示例.这是从Asp.Net Identity中存在的默认哈希值引导出来的，但是您可以使用任何哈希函数.

Here's an example of how logging in could be accomplished. This bootstraps off of the default hasher present in Asp.Net Identity but you could use any hashing function.

如果您想从应用程序中重置哈希密码而不需要进入设置文件，则可能还需要创建其他一些帮助程序.

You might want to create some other helpers too in case you want to reset the hashed password from your application versus having to go into the settings file.

appsettings.json

{
    ...
    "LoginCredentials": {
        "UsernameHash": "AQAAAAEAACcQAAAAENmv+riLvtTIa5wafXxzEX4rMSMXwVzG00q4jZKBI7Lx/oe2PFdqW1r521HBsL567g==",
        "PasswordHash": "AQAAAAEAACcQAAAAEKwwppiixEQM9QO7hOXcoXXgIvHKs9QHRz1k0lAZ3noVwID2lv+I+Dwc9OheqDGFBA=="
    }
}

Startup.cs

 public void ConfigureServices(IServiceCollection services)
 {
    //Assuming services.AddIdentity<...>(...) is not added as a service
    services.Configure<LoginCredentialOptions>(Configuration.GetSection("LoginCredentials"));
    services.AddTransient<IPasswordHasher<User>, PasswordHasher<User>>();
    ...
 }

LoginCredentialOptions.cs

public class LoginCredentialOptions
{
    public string UsernameHash { get; set; }

    public string PasswordHash { get; set; }
}

AccountController.cs

...
public async Task<IActionResult> Login([FromServices] IOptions<LoginCredentialOptions> loginCreds, LoginViewModel model, string returnUrl = null)
{
    if (ModelState.IsValid)
    {
        var passwordResult = passwordHasher.VerifyHashedPassword(null, loginCreds.Value.PasswordHash, model.Password);
        var usernameResult = passwordHasher.VerifyHashedPassword(null, loginCreds.Value.UsernameHash, model.Username);

        if (passwordResult == PasswordVerificationResult.Success &&
            usernameResult == PasswordVerificationResult.Success)
        {
            //Create identity cookie and sign in

            RedirectToAction(nameof(Index), "Home");
        }
    }

    // If we got this far, something failed, redisplay form
    return View(model);
}

这篇关于添加管理员页面而没有完整的用户管理的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！