96125d6042
Add explicit antiforgery configuration and better error handling for UpdateStatus
2025-09-24 16:49:21 +01:00
622bdcf111
🔒 SECURITY: Emergency fixes and hardening
EMERGENCY FIXES:
✅ DELETE MockSilverPayService.cs - removed fake payment system
✅ REMOVE mock service registration - no fake payments possible
✅ GENERATE new JWT secret - replaced hardcoded key
✅ FIX HttpClient disposal - proper resource management
SECURITY HARDENING:
✅ ADD production guards - prevent mock services in production
✅ CREATE environment configs - separate dev/prod settings
✅ ADD config validation - fail fast on misconfiguration
IMPACT:
- Mock payment system completely eliminated
- JWT authentication now uses secure keys
- Production deployment now validated on startup
- Resource leaks fixed in TeleBot currency API
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-22 05:45:49 +01:00
553088390e
Remove BTCPay completely, integrate SilverPAY only, configure TeleBot with real token
- Removed all BTCPay references from services and configuration
- Implemented SilverPAY as sole payment provider (no fallback)
- Fixed JWT authentication with proper key length (256+ bits)
- Added UsersController with full CRUD operations
- Updated User model with Email and Role properties
- Configured TeleBot with real Telegram bot token
- Fixed launchSettings.json with JWT environment variable
- E2E tests passing for authentication, catalog, orders
- Payment creation pending SilverPAY server fix
🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-20 19:22:29 +01:00
d343037bbd
Security: Fix critical vulnerabilities and implement security hardening
CRITICAL SECURITY FIXES:
- Fixed certificate validation bypass vulnerability in BTCPayServerService
* Removed unsafe ServerCertificateCustomValidationCallback
* Added environment-specific SSL configuration
* Production now enforces proper SSL validation
- Fixed overly permissive CORS policy
* Replaced AllowAnyOrigin() with specific trusted origins
* Created separate CORS policies for Development/Production/API
* Configured from appsettings for environment-specific control
- Implemented CSRF protection across admin panel
* Added [ValidateAntiForgeryToken] to all POST/PUT/DELETE actions
* Protected 10 admin controllers with anti-forgery tokens
* Prevents Cross-Site Request Forgery attacks
CONFIGURATION IMPROVEMENTS:
- Created appsettings.Development.json for dev-specific settings
- Added Security:AllowInsecureSSL flag (Development only)
- Added CORS:AllowedOrigins configuration arrays
- Created comprehensive security roadmap (ROADMAP.md)
ALSO FIXED:
- TeleBot syntax errors (Program.cs, MessageFormatter.cs)
- Added enterprise-full-stack-developer output style
Impact: All Phase 1 critical security vulnerabilities resolved
Status: Ready for security review and deployment preparation
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-19 11:56:12 +01:00