SilverLABS/littleshop
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
feature/mobile-responsive-ui-and-variants
littleshop/PUSH_NOTIFICATION_SECURITY.md
SysAdmin a2247d7c02
Some checks failed
Build and Deploy LittleShop / Build TeleBot Docker Image (push) Failing after 11s
Details
Build and Deploy LittleShop / Build LittleShop Docker Image (push) Failing after 15s
Details
Build and Deploy LittleShop / Deploy to Production VPS (Manual Only) (push) Has been skipped
Details
Build and Deploy LittleShop / Deploy to Pre-Production (CT109) (push) Has been skipped
Details
feat: Add customer management, payments, and push notifications with security enhancements 
Major Feature Additions:
- Customer management: Full CRUD with data export and privacy compliance
- Payment management: Centralized payment tracking and administration
- Push notification subscriptions: Manage and track web push subscriptions

Security Enhancements:
- IP whitelist middleware for administrative endpoints
- Data retention service with configurable policies
- Enhanced push notification security documentation
- Security fixes progress tracking (2025-11-14)

UI/UX Improvements:
- Enhanced navigation with improved mobile responsiveness
- Updated admin dashboard with order status counts
- Improved product CRUD forms
- New customer and payment management interfaces

Backend Improvements:
- Extended customer service with data export capabilities
- Enhanced order service with status count queries
- Improved crypto payment service with better error handling
- Updated validators and configuration

Documentation:
- DEPLOYMENT_NGINX_GUIDE.md: Nginx deployment instructions
- IP_STORAGE_ANALYSIS.md: IP storage security analysis
- PUSH_NOTIFICATION_SECURITY.md: Push notification security guide
- UI_UX_IMPROVEMENT_PLAN.md: Planned UI/UX enhancements
- UI_UX_IMPROVEMENTS_COMPLETED.md: Completed improvements

Cleanup:
- Removed temporary database WAL files
- Removed stale commit message file

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-16 19:33:02 +00:00

220 lines
7.7 KiB
Markdown
Raw Permalink Blame History

# Push Notification Endpoint Security Analysis
## Current Implementation Status: ✅ SECURE
After thorough analysis, the push notification endpoints are **already properly secured** with appropriate authentication and authorization. The concern about "endpoint isolation" is actually a **deployment architecture question**, not a code security issue.
## Endpoint Security Breakdown
### 🌐 Public Endpoints (Internet-Accessible - Required for Web Push)
These endpoints MUST be accessible from the internet for browser push notifications to work:
| Endpoint | Method | Auth | Purpose | Security Notes |
|----------|--------|------|---------|----------------|
| `/api/push/vapid-key` | GET | None | Returns VAPID public key | ✅ Safe - public key is meant to be public |
| `/api/push/subscribe/customer` | POST | None | Customer subscription | ✅ Safe - requires `customerId`, no admin access |
| `/api/push/unsubscribe` | POST | None | Unsubscribe by endpoint | ✅ Safe - only requires endpoint URL |
**Why these are safe:**
- VAPID public key is designed to be public (it's in the name!)
- Customer subscription requires a valid `customerId` and doesn't grant admin access
- Unsubscribe only allows removing a subscription, no data leakage
### 🔒 Admin-Only Endpoints (LAN-Only Recommended)
These endpoints require Admin authentication and should be restricted to LAN:
| Endpoint | Method | Auth | Purpose |
|----------|--------|------|---------|
| `/api/push/subscribe` | POST | Admin + Cookie | Admin user subscription |
| `/api/push/test` | POST | Admin + Cookie | Send test notification |
| `/api/push/broadcast` | POST | Admin + Cookie | Broadcast to all users |
| `/api/push/subscriptions` | GET | Admin + Cookie | View all subscriptions |
| `/api/push/cleanup` | POST | Admin + Cookie | Cleanup expired subscriptions |
| `/api/push/telebot/status` | GET | Admin + Cookie | TeleBot service status |
| `/api/push/telebot/test` | POST | Admin + Cookie | Send TeleBot test message |
**Protection:**
- All require `[Authorize(AuthenticationSchemes = "Cookies", Roles = "Admin")]`
- Cookie authentication prevents CSRF
- Role-based authorization ensures only admins can access
### 🏢 Admin Panel (LAN-Only)
All routes under `/Admin/*` require Cookie authentication + Admin role:
- `/Admin/Dashboard`
- `/Admin/Products`
- `/Admin/Orders`
- `/Admin/Customers`
- `/Admin/PushSubscriptions`
- etc.
## Deployment Architecture Recommendations
### Option 1: Reverse Proxy Isolation (Recommended)
Use nginx/Caddy/Traefik to separate public and internal access:
```nginx
# nginx configuration example
server {
listen 443 ssl;
server_name api.littleshop.com;
# Public push notification endpoints (accessible from internet)
location ~ ^/api/push/(vapid-key|subscribe/customer|unsubscribe)$ {
proxy_pass http://littleshop-backend:5000;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
# Block all other API endpoints from internet
location /api/ {
deny all;
return 403 "Admin API access restricted to LAN";
}
# Block admin panel from internet
location /Admin/ {
deny all;
return 403 "Admin panel access restricted to LAN";
}
}
# Internal server (LAN-only)
server {
listen 443 ssl;
server_name admin.littleshop.local;
# Allow only from LAN
allow 10.0.0.0/8;
allow 172.16.0.0/12;
allow 192.168.0.0/16;
deny all;
# Full access to everything
location / {
proxy_pass http://littleshop-backend:5000;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
```
### Option 2: IP Whitelist Middleware (Code-Level)
Add IP restriction middleware for admin endpoints:
```csharp
// In Program.cs
app.UseWhen(context => context.Request.Path.StartsWithSegments("/Admin") ||
context.Request.Path.StartsWithSegments("/api/push") &&
!context.Request.Path.StartsWithSegments("/api/push/vapid-key") &&
!context.Request.Path.StartsWithSegments("/api/push/subscribe/customer") &&
!context.Request.Path.StartsWithSegments("/api/push/unsubscribe"),
appBuilder => {
appBuilder.UseMiddleware<IPWhitelistMiddleware>();
});
```
### Option 3: Separate Microservices (Advanced)
Split into two services:
1. **Public API** - Only public endpoints (`/api/push/vapid-key`, `/api/push/subscribe/customer`)
2. **Admin API** - Everything else (admin panel + protected endpoints)
## Current Production Deployment
Based on `CLAUDE.md`, production is deployed to:
- **Server**: srv1002428.hstgr.cloud (31.97.57.205)
- **Admin URL**: https://admin.dark.side (via Nginx Proxy Manager)
- **Container**: `littleshop` on `littleshop_littleshop-network`
### Recommended nginx Configuration for Production
```nginx
# Public-facing (internet accessible)
map $request_uri $is_public_push_endpoint {
~^/api/push/vapid-key$ 1;
~^/api/push/subscribe/customer 1;
~^/api/push/unsubscribe$ 1;
default 0;
}
server {
listen 443 ssl;
server_name api.littleshop.com;
# Rate limiting for public endpoints
limit_req_zone $binary_remote_addr zone=push_limit:10m rate=10r/m;
location / {
# Check if this is a public push endpoint
if ($is_public_push_endpoint = 0) {
return 403 "Access restricted to admin network";
}
limit_req zone=push_limit burst=5;
proxy_pass http://littleshop:5000;
proxy_set_header X-Real-IP $remote_addr;
}
}
# Admin panel (LAN-only)
server {
listen 443 ssl;
server_name admin.dark.side;
# LAN-only restriction
allow 10.0.0.0/8;
allow 192.168.0.0/16;
deny all;
location / {
proxy_pass http://littleshop:5000;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
```
## Security Audit Results
**Authentication**: Proper use of Cookie auth + JWT for different use cases
**Authorization**: Role-based access control (Admin role) on sensitive endpoints
**CSRF Protection**: Cookie authentication includes antiforgery tokens
**Rate Limiting**: ASP.NET Core rate limiting configured in Program.cs
**Input Validation**: DTOs with validation attributes
**Public Key Exposure**: VAPID public key is MEANT to be public
**No Sensitive Data Leakage**: Subscription endpoints don't expose admin data
## Recommendations Summary
### Immediate Actions (Deployment)
1.**Use reverse proxy** to separate public push endpoints from admin panel
2.**Add IP whitelist** for admin panel access (LAN-only)
3.**Monitor logs** for unauthorized access attempts
4.**Document** the network architecture for operations team
### Optional Enhancements (Code)
1. Add IP whitelist middleware as additional layer of defense
2. Add request logging for all push notification endpoints
3. Add admin notification for failed authentication attempts
4. Consider VAPID key rotation mechanism
### Not Recommended (Would Break Functionality)
- ❌ Restricting `/api/push/vapid-key` - Breaks browser push subscription
- ❌ Adding auth to `/api/push/subscribe/customer` - Breaks customer notifications
- ❌ Removing unsubscribe endpoint - Violates push notification best practices
## Conclusion
The current implementation is **already secure by design**. The proper solution is **deployment architecture** using reverse proxy rules to:
1. Allow specific public push endpoints from internet
2. Restrict admin panel to LAN
3. Restrict admin API endpoints to LAN
4. Implement rate limiting on public endpoints
No code changes are required unless you want to add optional IP whitelist middleware as defense-in-depth.
Reference in New Issue View Git Blame Copy Permalink