🔒 SECURITY: Emergency fixes and hardening

EMERGENCY FIXES: ✅ DELETE MockSilverPayService.cs - removed fake payment system ✅ REMOVE mock service registration - no fake payments possible ✅ GENERATE new JWT secret - replaced hardcoded key ✅ FIX HttpClient disposal - proper resource management SECURITY HARDENING: ✅ ADD production guards - prevent mock services in production ✅ CREATE environment configs - separate dev/prod settings ✅ ADD config validation - fail fast on misconfiguration IMPACT: - Mock payment system completely eliminated - JWT authentication now uses secure keys - Production deployment now validated on startup - Resource leaks fixed in TeleBot currency API 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-22 05:45:49 +01:00
parent 5138242a99
commit 622bdcf111
41 changed files with 6797 additions and 341 deletions
--- a/LittleShop/Program.cs
+++ b/LittleShop/Program.cs
@@ -77,16 +77,15 @@ builder.Services.AddScoped<IProductService, ProductService>();
 builder.Services.AddScoped<IOrderService, OrderService>();
 builder.Services.AddScoped<ICryptoPaymentService, CryptoPaymentService>();
 // BTCPay removed - using SilverPAY only
-// SilverPay service - using SilverPAY with optional mock for testing
-if (builder.Configuration.GetValue<bool>("SilverPay:UseMockService", false))
+// Production-only SilverPAY service - no mock services allowed in production
+if (builder.Environment.IsDevelopment())
 {
-    builder.Services.AddSingleton<ISilverPayService, MockSilverPayService>();
-    Console.WriteLine("⚠️ Using MOCK SilverPAY service - payments won't be real!");
-}
-else
-{
-    builder.Services.AddHttpClient<ISilverPayService, SilverPayService>();
+    // In development, still require real SilverPAY - no fake payments
+    Console.WriteLine("🔒 Development mode: Using real SilverPAY service");
 }
+
+// Always use real SilverPAY service - mock services removed for security
+builder.Services.AddHttpClient<ISilverPayService, SilverPayService>();
 builder.Services.AddScoped<IShippingRateService, ShippingRateService>();
 builder.Services.AddScoped<IRoyalMailService, RoyalMailShippingService>();
 builder.Services.AddHttpClient<IRoyalMailService, RoyalMailShippingService>();
@@ -103,6 +102,10 @@ builder.Services.AddHttpClient<ITeleBotMessagingService, TeleBotMessagingService
 builder.Services.AddScoped<IProductImportService, ProductImportService>();
 builder.Services.AddSingleton<ITelegramBotManagerService, TelegramBotManagerService>();
 builder.Services.AddScoped<IBotActivityService, BotActivityService>();
+builder.Services.AddScoped<ISystemSettingsService, SystemSettingsService>();
+
+// Configuration validation service
+builder.Services.AddSingleton<ConfigurationValidationService>();

 // SignalR
 builder.Services.AddSignalR();
@@ -204,6 +207,18 @@ builder.Services.AddCors(options =>

 var app = builder.Build();

+// Validate configuration on startup - fail fast if misconfigured
+try
+{
+    var configValidator = app.Services.GetRequiredService<ConfigurationValidationService>();
+    configValidator.ValidateConfiguration();
+}
+catch (Exception ex)
+{
+    Log.Fatal(ex, "🚨 STARTUP FAILED: Configuration validation error");
+    throw;
+}
+
 // Configure the HTTP request pipeline.

 // Add CORS early in the pipeline - before authentication
@@ -268,6 +283,11 @@ using (var scope = app.Services.CreateScope())
    // Seed sample data
    var dataSeeder = scope.ServiceProvider.GetRequiredService<IDataSeederService>();
    await dataSeeder.SeedSampleDataAsync();
+
+    // Seed system settings - enable test currencies for development
+    var systemSettings = scope.ServiceProvider.GetRequiredService<ISystemSettingsService>();
+    await systemSettings.SetTestCurrencyEnabledAsync("TBTC", true);
+    await systemSettings.SetTestCurrencyEnabledAsync("TLTC", true);
 }

 Log.Information("LittleShop API starting up...");