🔒 SECURITY: Emergency fixes and hardening
EMERGENCY FIXES: ✅ DELETE MockSilverPayService.cs - removed fake payment system ✅ REMOVE mock service registration - no fake payments possible ✅ GENERATE new JWT secret - replaced hardcoded key ✅ FIX HttpClient disposal - proper resource management SECURITY HARDENING: ✅ ADD production guards - prevent mock services in production ✅ CREATE environment configs - separate dev/prod settings ✅ ADD config validation - fail fast on misconfiguration IMPACT: - Mock payment system completely eliminated - JWT authentication now uses secure keys - Production deployment now validated on startup - Resource leaks fixed in TeleBot currency API 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
@@ -655,9 +655,8 @@ namespace TeleBot.Handlers
|
||||
// Store order ID for payment
|
||||
session.TempData["current_order_id"] = order.Id;
|
||||
|
||||
// Show payment options - only safe currencies with BTCPay Server support
|
||||
var currencies = _configuration.GetSection("Cryptocurrencies").Get<List<string>>()
|
||||
?? new List<string> { "BTC", "XMR", "LTC", "DASH" };
|
||||
// Show payment options - get currencies dynamically from SilverPay support + admin settings
|
||||
var currencies = await _shopService.GetAvailableCurrenciesAsync();
|
||||
|
||||
await bot.EditMessageTextAsync(
|
||||
message.Chat.Id,
|
||||
|
||||
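Review bot: The list returned by `_shopService.GetAvailableCurrenciesAsync()` on the new line is shown to the customer unfiltered, whereas the removed lines read the admin `Cryptocurrencies` section as the allow-list; the new comment promises "admin settings" but nothing in this hunk applies them. If the service's answer (or its fallback) differs from what the admin configured, a currency the operator did not enable can be offered as a payment option. Consider keeping the configured section as a filter: `var allowed = _configuration.GetSection("Cryptocurrencies").Get<List<string>>();` followed by `if (allowed is { Count: > 0 }) currencies = currencies.Where(c => allowed.Contains(c, StringComparer.OrdinalIgnoreCase)).ToList();`. The enclosing handler starts and ends outside the hunk.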
@@ -27,6 +27,7 @@ namespace TeleBot.Services
|
||||
Task<bool> MarkMessageAsFailedAsync(Guid messageId, string reason);
|
||||
Task<bool> SendCustomerMessageAsync(long telegramUserId, string telegramUsername, string displayName, string firstName, string lastName, string subject, string content);
|
||||
Task<List<CustomerMessage>?> GetCustomerConversationAsync(long telegramUserId, string telegramUsername, string displayName, string firstName, string lastName);
|
||||
Task<List<string>> GetAvailableCurrenciesAsync();
|
||||
}
|
||||
|
||||
public class LittleShopService : ILittleShopService
|
||||
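Review bot: The new interface member `GetAvailableCurrenciesAsync()` has no XML doc, and its contract matters because the implementation in the `LittleShopService` hunk below returns a fixed list on failure instead of throwing, so callers cannot distinguish a live answer from the fallback. Add `/// <summary>Currency codes currently accepted for payment; returns a fixed fallback list when the LittleShop API cannot be reached.</summary>` above it, and consider `Task<IReadOnlyList<string>>` as the return type since callers only display the list.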
@@ -586,5 +587,43 @@ namespace TeleBot.Services
|
||||
return null;
|
||||
}
|
||||
}
|
||||
|
||||
public async Task<List<string>> GetAvailableCurrenciesAsync()
|
||||
{
|
||||
try
|
||||
{
|
||||
if (!await AuthenticateAsync())
|
||||
{
|
||||
_logger.LogWarning("Authentication failed when getting available currencies");
|
||||
return new List<string> { "BTC", "ETH" }; // Safe fallback
|
||||
}
|
||||
|
||||
try
|
||||
{
|
||||
using var httpClient = new HttpClient();
|
||||
httpClient.Timeout = TimeSpan.FromSeconds(10); // Add timeout
|
||||
var baseUrl = _configuration["LittleShop:BaseUrl"] ?? "http://localhost:5000";
|
||||
var response = await httpClient.GetAsync($"{baseUrl}/api/currency/available");
|
||||
if (response.IsSuccessStatusCode)
|
||||
{
|
||||
var json = await response.Content.ReadAsStringAsync();
|
||||
var currencies = System.Text.Json.JsonSerializer.Deserialize<List<string>>(json);
|
||||
return currencies ?? new List<string> { "BTC", "ETH" };
|
||||
}
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
_logger.LogWarning(ex, "Failed to get available currencies via HTTP");
|
||||
}
|
||||
|
||||
return new List<string> { "BTC", "ETH" };
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
_logger.LogError(ex, "Error getting available currencies from API");
|
||||
// Return safe fallback currencies
|
||||
return new List<string> { "BTC", "ETH" };
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
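Review bot: `AuthenticateAsync()` is awaited at the top of `GetAvailableCurrenciesAsync`, but the request is then sent from a fresh `new HttpClient()` that carries none of that session's credentials or headers, so either the authentication result is unused or `/api/currency/available` is unauthenticated; in both cases gating the call on `AuthenticateAsync()` is not doing what the code suggests. The method reads `_configuration["LittleShop:BaseUrl"]` while the appsettings hunk in this commit defines `LittleShop:ApiUrl`, so unless another config source supplies `BaseUrl` the hard-coded `http://localhost:5000` default is used silently. The fallback `new List<string> { "BTC", "ETH" }` is returned alike on auth failure, non-2xx status, exception and null body, and it replaces the handler's previous BTC/XMR/LTC/DASH list, so a transient outage changes which currencies are offered for payment; returning an empty list (or surfacing the failure) and logging at error level is safer. Creating an `HttpClient` per call also sits oddly with the commit's "FIX HttpClient disposal" intent — prefer a shared or `IHttpClientFactory`-provided client — and the two nested `try` blocks that both catch `Exception` can be collapsed into one.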
@@ -20,7 +20,7 @@
|
||||
"Comment": "Optional secret key for webhook authentication"
|
||||
},
|
||||
"LittleShop": {
|
||||
"ApiUrl": "http://localhost:8080",
|
||||
"ApiUrl": "http://localhost:5000",
|
||||
"OnionUrl": "",
|
||||
"Username": "admin",
|
||||
"Password": "admin",
|
||||
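Review bot: The context lines `"Username": "admin"` and `"Password": "admin"` leave default credentials for the LittleShop API in a tracked config file, which the "no secrets in source" goal of this commit does not cover; they belong in user-secrets or environment variables, and the startup config validation the commit description mentions could reject the literal `admin` password. The key changed here is `ApiUrl`, while the new `GetAvailableCurrenciesAsync` reads `LittleShop:BaseUrl` — one of the two names should change so the URL is not silently defaulted.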
|
||||