Encrypting the token cache on disk

jmprieur · jmprieur · commit 39afc3cc4d09 · 2018-04-30T14:12:16.000+02:00
(best practice)
diff --git a/TodoListClient/FileCache.cs b/TodoListClient/FileCache.cs
@@ -25,8 +25,9 @@
 //
 //------------------------------------------------------------------------------
 
-using Microsoft.Identity.Client;
 using System.IO;
+using System.Security.Cryptography;
+using Microsoft.Identity.Client;
 
 namespace TodoListClient
 {
@@ -53,7 +54,7 @@ public static TokenCache GetUserCache()
         /// <summary>
         /// Path to the token cache
         /// </summary>
-        public static string CacheFilePath = System.Reflection.Assembly.GetExecutingAssembly().Location + "msalcache.txt";
+        public static readonly string CacheFilePath = System.Reflection.Assembly.GetExecutingAssembly().Location + ".msalcache.bin";
 
         private static readonly object FileLock = new object();
 
@@ -62,7 +63,9 @@ public static void BeforeAccessNotification(TokenCacheNotificationArgs args)
             lock (FileLock)
             {
                 args.TokenCache.Deserialize(File.Exists(CacheFilePath)
-                    ? File.ReadAllBytes(CacheFilePath)
+                    ? ProtectedData.Unprotect(File.ReadAllBytes(CacheFilePath),
+                                              null,
+                                              DataProtectionScope.CurrentUser)
                     : null);
             }
         }
@@ -75,12 +78,15 @@ public static void AfterAccessNotification(TokenCacheNotificationArgs args)
                 lock (FileLock)
                 {
                     // reflect changesgs in the persistent store
-                    File.WriteAllBytes(CacheFilePath, args.TokenCache.Serialize());
+                    File.WriteAllBytes(CacheFilePath,
+                                       ProtectedData.Protect(args.TokenCache.Serialize(), 
+                                                             null, 
+                                                             DataProtectionScope.CurrentUser)
+                                      );
                     // once the write operationtakes place restore the HasStateChanged bit to filse
                     args.TokenCache.HasStateChanged = false;
                 }
             }
         }
     }
-
 }

Original file line number	Diff line number	Diff line change
`@@ -25,8 +25,9 @@`
`25`	`25`	`//`
`26`	`26`	`//------------------------------------------------------------------------------`
`27`	`27`
`28`		`-using Microsoft.Identity.Client;`
`29`	`28`	`using System.IO;`
	`29`	`+using System.Security.Cryptography;`
	`30`	`+using Microsoft.Identity.Client;`
`30`	`31`
`31`	`32`	`namespace TodoListClient`
`32`	`33`	`{`
`@@ -53,7 +54,7 @@ public static TokenCache GetUserCache()`
`53`	`54`	`/// <summary>`
`54`	`55`	`/// Path to the token cache`
`55`	`56`	`/// </summary>`
`56`		`- public static string CacheFilePath = System.Reflection.Assembly.GetExecutingAssembly().Location + "msalcache.txt";`
	`57`	`+ public static readonly string CacheFilePath = System.Reflection.Assembly.GetExecutingAssembly().Location + ".msalcache.bin";`
`57`	`58`
`58`	`59`	`private static readonly object FileLock = new object();`
`59`	`60`
`@@ -62,7 +63,9 @@ public static void BeforeAccessNotification(TokenCacheNotificationArgs args)`
`62`	`63`	`lock (FileLock)`
`63`	`64`	`{`
`64`	`65`	`args.TokenCache.Deserialize(File.Exists(CacheFilePath)`
`65`		`- ? File.ReadAllBytes(CacheFilePath)`
	`66`	`+ ? ProtectedData.Unprotect(File.ReadAllBytes(CacheFilePath),`
	`67`	`+ null,`
	`68`	`+ DataProtectionScope.CurrentUser)`
`66`	`69`	`: null);`
`67`	`70`	`}`
`68`	`71`	`}`
`@@ -75,12 +78,15 @@ public static void AfterAccessNotification(TokenCacheNotificationArgs args)`
`75`	`78`	`lock (FileLock)`
`76`	`79`	`{`
`77`	`80`	`// reflect changesgs in the persistent store`
`78`		`- File.WriteAllBytes(CacheFilePath, args.TokenCache.Serialize());`
	`81`	`+ File.WriteAllBytes(CacheFilePath,`
	`82`	`+ ProtectedData.Protect(args.TokenCache.Serialize(),`
	`83`	`+ null,`
	`84`	`+ DataProtectionScope.CurrentUser)`
	`85`	`+ );`
`79`	`86`	`// once the write operationtakes place restore the HasStateChanged bit to filse`
`80`	`87`	`args.TokenCache.HasStateChanged = false;`
`81`	`88`	`}`
`82`	`89`	`}`
`83`	`90`	`}`
`84`	`91`	`}`
`85`		`-`
`86`	`92`	`}`