SilverLABS/littleshop
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
13aa20ffa4
littleshop/LittleShop/Services/BTCPayServerService.cs
SysAdmin d343037bbd Security: Fix critical vulnerabilities and implement security hardening 
CRITICAL SECURITY FIXES:
- Fixed certificate validation bypass vulnerability in BTCPayServerService
  * Removed unsafe ServerCertificateCustomValidationCallback
  * Added environment-specific SSL configuration
  * Production now enforces proper SSL validation

- Fixed overly permissive CORS policy
  * Replaced AllowAnyOrigin() with specific trusted origins
  * Created separate CORS policies for Development/Production/API
  * Configured from appsettings for environment-specific control

- Implemented CSRF protection across admin panel
  * Added [ValidateAntiForgeryToken] to all POST/PUT/DELETE actions
  * Protected 10 admin controllers with anti-forgery tokens
  * Prevents Cross-Site Request Forgery attacks

CONFIGURATION IMPROVEMENTS:
- Created appsettings.Development.json for dev-specific settings
- Added Security:AllowInsecureSSL flag (Development only)
- Added CORS:AllowedOrigins configuration arrays
- Created comprehensive security roadmap (ROADMAP.md)

ALSO FIXED:
- TeleBot syntax errors (Program.cs, MessageFormatter.cs)
- Added enterprise-full-stack-developer output style

Impact: All Phase 1 critical security vulnerabilities resolved
Status: Ready for security review and deployment preparation

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-19 11:56:12 +01:00

181 lines
7.0 KiB
C#
Raw Blame History

using BTCPayServer.Client;
using BTCPayServer.Client.Models;
using LittleShop.Enums;
using Newtonsoft.Json.Linq;
namespace LittleShop.Services;
public interface IBTCPayServerService
{
Task<string> CreateInvoiceAsync(decimal amount, CryptoCurrency currency, string orderId, string? description = null);
Task<InvoiceData?> GetInvoiceAsync(string invoiceId);
Task<bool> ValidateWebhookAsync(string payload, string signature);
}
public class BTCPayServerService : IBTCPayServerService
{
private readonly BTCPayServerClient _client;
private readonly IConfiguration _configuration;
private readonly ILogger<BTCPayServerService> _logger;
private readonly string _storeId;
private readonly string _webhookSecret;
private readonly string _baseUrl;
public BTCPayServerService(IConfiguration configuration, ILogger<BTCPayServerService> logger)
{
_configuration = configuration;
_logger = logger;
_baseUrl = _configuration["BTCPayServer:BaseUrl"] ?? throw new ArgumentException("BTCPayServer:BaseUrl not configured");
var apiKey = _configuration["BTCPayServer:ApiKey"] ?? throw new ArgumentException("BTCPayServer:ApiKey not configured");
_storeId = _configuration["BTCPayServer:StoreId"] ?? throw new ArgumentException("BTCPayServer:StoreId not configured");
_webhookSecret = _configuration["BTCPayServer:WebhookSecret"] ?? "";
_logger.LogInformation("Initializing BTCPay Server connection to {BaseUrl} with Store ID: {StoreId}", _baseUrl, _storeId);
// Create HttpClient with proper SSL validation
var httpClientHandler = new HttpClientHandler();
// Only allow insecure SSL in development mode with explicit configuration
var allowInsecureSSL = _configuration.GetValue<bool>("Security:AllowInsecureSSL", false);
if (allowInsecureSSL)
{
var environment = Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT");
if (environment == "Development")
{
_logger.LogWarning("SECURITY WARNING: SSL certificate validation is disabled for development. This should NEVER be used in production!");
httpClientHandler.ServerCertificateCustomValidationCallback = (message, cert, chain, errors) => true;
}
else
{
_logger.LogError("Attempted to disable SSL certificate validation in non-development environment. This is not allowed.");
throw new InvalidOperationException("SSL certificate validation cannot be disabled in production environments");
}
}
var httpClient = new HttpClient(httpClientHandler);
_client = new BTCPayServerClient(new Uri(_baseUrl), apiKey, httpClient);
}
public async Task<string> CreateInvoiceAsync(decimal amount, CryptoCurrency currency, string orderId, string? description = null)
{
var paymentMethod = GetPaymentMethod(currency);
var metadata = new JObject
{
["orderId"] = orderId,
["requestedCurrency"] = currency.ToString(),
["paymentMethod"] = paymentMethod
};
if (!string.IsNullOrEmpty(description))
{
metadata["itemDesc"] = description;
}
// Create invoice in GBP (fiat) - BTCPay will handle crypto conversion
var request = new CreateInvoiceRequest
{
Amount = amount,
Currency = "GBP", // Always use fiat currency for the amount
Metadata = metadata,
Checkout = new CreateInvoiceRequest.CheckoutOptions
{
Expiration = TimeSpan.FromHours(24),
PaymentMethods = new[] { paymentMethod }, // Specify which crypto to accept
DefaultPaymentMethod = paymentMethod
}
};
try
{
_logger.LogDebug("Creating BTCPay invoice - Amount: {Amount} GBP, Payment Method: {PaymentMethod}, Order: {OrderId}",
amount, paymentMethod, orderId);
var invoice = await _client.CreateInvoice(_storeId, request);
_logger.LogInformation("✅ Created BTCPay invoice {InvoiceId} for Order {OrderId} - Amount: {Amount} GBP, Method: {PaymentMethod}, Checkout: {CheckoutLink}",
invoice.Id, orderId, amount, paymentMethod, invoice.CheckoutLink);
return invoice.Id;
}
catch (Exception ex)
{
_logger.LogError(ex, "❌ Failed to create BTCPay invoice - Amount: {Amount} GBP, Method: {PaymentMethod}, Store: {StoreId}, BaseUrl: {BaseUrl}",
amount, paymentMethod, _storeId, _baseUrl);
// Always throw - never generate fake invoices
throw;
}
}
public async Task<InvoiceData?> GetInvoiceAsync(string invoiceId)
{
try
{
return await _client.GetInvoice(_storeId, invoiceId);
}
catch
{
return null;
}
}
public Task<bool> ValidateWebhookAsync(string payload, string signature)
{
try
{
// BTCPay Server uses HMAC-SHA256 with format "sha256=<hex>"
if (!signature.StartsWith("sha256="))
{
return Task.FromResult(false);
}
var expectedHash = signature.Substring(7); // Remove "sha256=" prefix
var secretBytes = System.Text.Encoding.UTF8.GetBytes(_webhookSecret);
var payloadBytes = System.Text.Encoding.UTF8.GetBytes(payload);
using var hmac = new System.Security.Cryptography.HMACSHA256(secretBytes);
var computedHash = hmac.ComputeHash(payloadBytes);
var computedHashHex = Convert.ToHexString(computedHash).ToLowerInvariant();
return Task.FromResult(expectedHash.Equals(computedHashHex, StringComparison.OrdinalIgnoreCase));
}
catch
{
return Task.FromResult(false);
}
}
private static string GetCurrencyCode(CryptoCurrency currency)
{
return currency switch
{
CryptoCurrency.BTC => "BTC",
CryptoCurrency.XMR => "XMR",
CryptoCurrency.USDT => "USDT",
CryptoCurrency.LTC => "LTC",
CryptoCurrency.ETH => "ETH",
CryptoCurrency.ZEC => "ZEC",
CryptoCurrency.DASH => "DASH",
CryptoCurrency.DOGE => "DOGE",
_ => "BTC"
};
}
private static string GetPaymentMethod(CryptoCurrency currency)
{
return currency switch
{
CryptoCurrency.BTC => "BTC",
CryptoCurrency.XMR => "XMR",
CryptoCurrency.USDT => "USDT_ETH", // USDT on Ethereum
CryptoCurrency.LTC => "LTC",
CryptoCurrency.ETH => "ETH",
CryptoCurrency.ZEC => "ZEC",
CryptoCurrency.DASH => "DASH",
CryptoCurrency.DOGE => "DOGE",
_ => "BTC"
};
}
}
Reference in New Issue View Git Blame Copy Permalink