A secure password management system built as a RESTful API with ASP.NET Core.
This repository contains the source code for the Password Manager API, a project focused on providing a secure and reliable way to manage credentials with role-based access control and vault sharing.
- Docker & Docker Compose
git clone https://github.com/pop9459/DataProcessing-PassMan
cd DataProcessing-PassMan
docker compose up -dNo .env file needed β all defaults are built in.
- API: http://localhost:5246/
- Swagger: http://localhost:5246/swagger
- GUI: http://localhost:5247/ (Blazor frontend β incomplete, not part of the graded rubric)
| Password | Role | |
|---|---|---|
| admin@passman.test | Admin123! | Admin |
| auditor@passman.test | Audit123! | SecurityAuditor |
| owner@passman.test | Owner123! | VaultOwner |
| reader@passman.test | Reader123! | VaultReader |
Log in via POST /api/auth/login or the Swagger UI to get a JWT, then use it to explore any endpoint.
The POST /api/auth/google endpoint exists in the codebase but is out of scope for this submission. Enabling it requires registering and maintaining an active Google Cloud OAuth project, which we do not provide. All graded functionality uses email/password login β no Google credentials are needed at any point.
Docker is the only supported and guaranteed path. docker compose up -d gives you a fully working API against a real MySQL instance with no other dependencies.
Running the API with the dotnet CLI is possible but not recommended:
- Requires exactly .NET 10.0 SDK installed
- Requires a running MySQL instance configured separately
- The Blazor GUI (
PassManGUI) is incomplete and does not work reliably - Google OAuth does not work locally without a configured Google Cloud project
If you need to use the dotnet CLI for the API only:
dotnet run --project PassManAPIDo not bother running PassManGUI β it is out of scope and non-functional.
- Install MySQL Workbench
- Open database menu: Ctrl+J
- Enter connection details:
- Host:
localhost - Port:
3306 - User:
root - Password:
hihi
- Host:
- Token-based: JWT Bearer tokens for API authentication
- Stateless tokens: no server-side session state; each request is self-contained
- Google OAuth: endpoint exists (
POST /api/auth/google) but is out of scope β requires a Google Cloud project we don't maintain
π See docs/JWT.md β where tokens are issued, the claims they carry, how to use the Swagger Authorize button, and configuration.
The API seeds role-based permissions into MySQL on startup (see PassManAPI/Data/DbSeeder.cs):
- Admin: Full system access (all permissions)
- SecurityAuditor:
audit.read,vault.read,credential.read,system.health - VaultOwner: Manage own vaults/credentials (
vault.*,credential.*,tag.*) - VaultReader: Read-only access (
vault.read,credential.read,tag.read)
Permissions are stored as Identity role claims with claim type permission. Update PassManAPI/Models/Permissions.cs to add new permissions.
- Backend: ASP.NET Core 10 Web API
- Database: MySQL with Entity Framework Core
- Authentication: JWT Bearer
- Testing: xUnit with FluentAssertions
- API Docs: Swagger/OpenAPI
- Frontend: Blazor Server (incomplete, out of scope for grading)
- Constraints: PK/FK, unique indexes, cascading deletes
- View:
vwUserVaultAccessfor vault access queries - Stored Procedures:
sp_AddVaultShare: Validated vault sharingsp_LogAudit: Centralized audit logging
- Triggers:
trg_Credentials_SetUpdatedAtfor automatic timestamp updates - Isolation:
READ COMMITTEDfor high-concurrency operations
PassManAPI/
βββ Controllers/ # API endpoints
βββ Models/ # Domain entities
βββ Managers/ # Business logic layer
βββ Data/ # EF Core context, migrations, seeder, DB artifacts
βββ Services/ # JWT, encryption, TOTP, breach-check (registered, not yet controller-wired)
βββ Validators/ # FluentValidation validators
βββ DTOs/ # Request/response models
βββ Middleware/ # Exception handler, auth error body
PassManAPI.Tests/ # xUnit integration tests (123 passing, SQLite in-memory)
PassManGUI/ # Blazor frontend β incomplete, not part of the graded rubric
βββ Components/ # Blazor pages and layout
βββ Services/ # API client services
docs/ # All project documentation
scripts/ # Postman collection + DB verification SQL
diagrams/ # Architecture and ER diagrams
POST /api/auth/register- Register new userPOST /api/auth/login- Login, returns JWTPOST /api/auth/google- Google OAuth login (out of scope β requires active Google Cloud project)GET /api/auth/me- Get current user profilePUT /api/auth/me- Update current user profileDELETE /api/auth/me- Delete accountGET /api/auth/permissions- List permissions for current userPOST /api/auth/assign-role- Assign role to user (Admin only)
GET /api/vaults- List user's vaultsPOST /api/vaults- Create vaultGET /api/vaults/{id}- Get vault detailsPUT /api/vaults/{id}- Update vaultDELETE /api/vaults/{id}- Soft-delete vaultGET /api/vaults/my-access- List all vaults the user can access (owned + shared)
GET /api/vaults/{vaultId}/credentials- List credentials in a vaultPOST /api/vaults/{vaultId}/credentials- Create credentialGET /api/credentials/{id}- Get credential metadataGET /api/credentials/{id}/password- Get decrypted passwordPUT /api/credentials/{id}- Update credential metadataPUT /api/credentials/{id}/password- Update credential passwordDELETE /api/credentials/{id}- Delete credentialGET /api/credentials/{id}/tags- List tags on a credentialPUT /api/credentials/{id}/tags- Replace all tags on a credentialPOST /api/credentials/{id}/tags/{tagId}- Add a tag to a credentialDELETE /api/credentials/{id}/tags/{tagId}- Remove a tag from a credential
POST /api/vaults/{vaultId}/share- Share vault with a userDELETE /api/vaults/{vaultId}/share/{userId}- Revoke a user's sharePOST /api/invitations- Create invitationGET /api/invitations- List pending invitationsPOST /api/invitations/{token}/accept- Accept invitation by tokenDELETE /api/invitations/{id}- Revoke invitation
GET /api/user- List all users (Admin only)GET /api/user/{id}- Get user by IDPUT /api/user/{id}- Update user profileDELETE /api/user/{id}- Delete user (Admin only)GET /api/user/{id}/vaults- List a user's vaults (Admin only)GET /api/user/{id}/tags- List a user's tags (Admin only)
GET /api/tags- List all tagsGET /api/tags/{id}- Get tag by IDPOST /api/tags- Create tagPUT /api/tags/{id}- Update tagDELETE /api/tags/{id}- Delete tag
GET /api/audit/logs- Paginated audit log (own entries)GET /api/audit/logs/{id}- Get single audit entryGET /api/audit/logs/vault/{vaultId}- Audit log for a vaultGET /api/audit/logs/all- All entries across all users (Admin only)
GET /health- Liveness probe (no auth required)
123 xUnit integration tests (SQLite in-memory) and a Newman collection (full stack, MySQL). Both run in Docker β this is the only supported path. See docs/TESTING.md for details.
# Integration tests
docker compose run --rm test
# E2E tests (Newman)
docker compose --profile e2e up --abort-on-container-exit --scale passman-gui=0Postman desktop is unreliable β see docs/TESTING.md for why. Use Newman (above) instead.
| File | Covers |
|---|---|
| docs/TESTING.md | Running xUnit + Newman tests, test class breakdown |
| docs/BACKUP_RECOVERY.md | Backup strategy, PITR, recovery playbook, downtime prevention |
| docs/VALIDATION.md | All input validation rules (DataAnnotations + FluentValidation) |
| docs/XML.md | JSON + XML content negotiation on every endpoint |
| docs/JWT.md | Token issuance, claims, Swagger auth, configuration |
| docs/ROLES.md | Roles, permission claims, vault share permission levels |
| docs/DATABASE.md | DB account provisioning, least-privilege setup |
| docs/TRANSACTIONS.md | Isolation level choice and justification |
| docs/SystemArchitecture.md | Component overview, DB artifacts (view, SPs, triggers) |
| diagrams/ | ER diagram, class diagram, architecture diagram |
| Swagger UI | http://localhost:5246/swagger |
- JWT authentication with role-based access control
- Vault and credential CRUD with AES-256-GCM encryption (per-credential key wrapped under server master key)
- Vault sharing via invitations with View / Edit / Admin permission levels
- Tag-based credential organization
- Attachment model with cascade delete (upload endpoints not yet wired)
- Full audit log with pagination and filtering
- JSON and XML on every endpoint
- 123 xUnit integration tests + Newman E2E suite
- Update
PassManAPI/Models/Permissions.cs - Restart API - seeder will attach to roles automatically
# Add migration
dotnet ef migrations add MigrationName --project PassManAPI
# Apply migration
dotnet ef database update --project PassManAPI- All code follows C# naming conventions
- Integration tests required for new endpoints
- Swagger documentation auto-generated
This project is for educational purposes as part of a university course.
Data Processing course team @ University