SilverLABS/littleshop
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2a9039bd7a
littleshop/LittleShop/Program.cs
SysAdmin 2a9039bd7a Fix HTTP 500 on login: Add ForwardedHeaders middleware for proxy support 
- Added UseForwardedHeaders to properly handle X-Forwarded-For and X-Forwarded-Proto
- Fixes anti-forgery token validation when behind nginx proxy
- Resolves HTTP 500 errors on POST requests to login endpoint
2025-09-24 21:53:27 +01:00

316 lines
12 KiB
C#
Raw Blame History

using Microsoft.EntityFrameworkCore;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;
using System.Text;
using LittleShop.Data;
using LittleShop.Services;
using FluentValidation;
using Serilog;
var builder = WebApplication.CreateBuilder(args);
// Configure Serilog
Log.Logger = new LoggerConfiguration()
.WriteTo.Console()
.WriteTo.File("logs/littleshop.txt", rollingInterval: RollingInterval.Day)
.CreateLogger();
builder.Host.UseSerilog();
// Add services to the container.
builder.Services.AddControllers();
builder.Services.AddControllersWithViews(); // Add MVC for Admin Panel
// Configure Antiforgery
builder.Services.AddAntiforgery(options =>
{
options.HeaderName = "X-CSRF-TOKEN";
options.FormFieldName = "__RequestVerificationToken";
});
// Database
if (builder.Environment.EnvironmentName == "Testing")
{
builder.Services.AddDbContext<LittleShopContext>(options =>
options.UseInMemoryDatabase("InMemoryDbForTesting"));
}
else
{
builder.Services.AddDbContext<LittleShopContext>(options =>
options.UseSqlite(builder.Configuration.GetConnectionString("DefaultConnection")));
}
// Authentication - Cookie for Admin Panel, JWT for API
var jwtKey = builder.Configuration["Jwt:Key"] ?? "ThisIsASuperSecretKeyForJWTAuthenticationThatIsDefinitelyLongerThan32Characters!";
var jwtIssuer = builder.Configuration["Jwt:Issuer"] ?? "LittleShop";
var jwtAudience = builder.Configuration["Jwt:Audience"] ?? "LittleShop";
builder.Services.AddAuthentication("Cookies")
.AddCookie("Cookies", options =>
{
options.LoginPath = "/Admin/Account/Login";
options.LogoutPath = "/Admin/Account/Logout";
options.AccessDeniedPath = "/Admin/Account/AccessDenied";
})
.AddJwtBearer("Bearer", options =>
{
options.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuer = true,
ValidateAudience = true,
ValidateLifetime = true,
ValidateIssuerSigningKey = true,
ValidIssuer = jwtIssuer,
ValidAudience = jwtAudience,
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwtKey))
};
});
builder.Services.AddAuthorization(options =>
{
options.AddPolicy("AdminOnly", policy =>
policy.RequireAuthenticatedUser()
.RequireRole("Admin")
.AddAuthenticationSchemes("Cookies", "Bearer")); // Support both cookie and JWT
options.AddPolicy("ApiAccess", policy =>
policy.RequireAuthenticatedUser()
.AddAuthenticationSchemes("Bearer")); // JWT only for API access
});
// Services
builder.Services.AddScoped<IAuthService, AuthService>();
builder.Services.AddScoped<ICategoryService, CategoryService>();
builder.Services.AddScoped<IProductService, ProductService>();
builder.Services.AddScoped<IOrderService, OrderService>();
builder.Services.AddScoped<ICryptoPaymentService, CryptoPaymentService>();
// BTCPay removed - using SilverPAY only
// Production-only SilverPAY service - no mock services allowed in production
if (builder.Environment.IsDevelopment())
{
// In development, still require real SilverPAY - no fake payments
Console.WriteLine("🔒 Development mode: Using real SilverPAY service");
}
// Always use real SilverPAY service - mock services removed for security
builder.Services.AddHttpClient<ISilverPayService, SilverPayService>();
builder.Services.AddScoped<IShippingRateService, ShippingRateService>();
builder.Services.AddScoped<IRoyalMailService, RoyalMailShippingService>();
builder.Services.AddHttpClient<IRoyalMailService, RoyalMailShippingService>();
builder.Services.AddScoped<IReviewService, ReviewService>();
builder.Services.AddScoped<IDataSeederService, DataSeederService>();
builder.Services.AddScoped<IBotService, BotService>();
builder.Services.AddScoped<IBotMetricsService, BotMetricsService>();
builder.Services.AddScoped<IBotContactService, BotContactService>();
builder.Services.AddScoped<IMessageDeliveryService, MessageDeliveryService>();
builder.Services.AddScoped<ICustomerService, CustomerService>();
builder.Services.AddScoped<ICustomerMessageService, CustomerMessageService>();
builder.Services.AddScoped<IPushNotificationService, PushNotificationService>();
builder.Services.AddHttpClient<ITeleBotMessagingService, TeleBotMessagingService>();
builder.Services.AddScoped<IProductImportService, ProductImportService>();
builder.Services.AddSingleton<ITelegramBotManagerService, TelegramBotManagerService>();
builder.Services.AddScoped<IBotActivityService, BotActivityService>();
builder.Services.AddScoped<ISystemSettingsService, SystemSettingsService>();
// Configuration validation service
builder.Services.AddSingleton<ConfigurationValidationService>();
// SignalR
builder.Services.AddSignalR();
// Health Checks
builder.Services.AddHealthChecks()
.AddDbContextCheck<LittleShopContext>("database")
.AddCheck("self", () => Microsoft.Extensions.Diagnostics.HealthChecks.HealthCheckResult.Healthy("Application is healthy"));
// Temporarily disabled to use standalone TeleBot with customer orders fix
// builder.Services.AddHostedService<TelegramBotManagerService>();
// AutoMapper
builder.Services.AddAutoMapper(typeof(Program));
// FluentValidation
builder.Services.AddValidatorsFromAssemblyContaining<Program>();
// Learn more about configuring Swagger/OpenAPI at https://aka.ms/aspnetcore/swashbuckle
builder.Services.AddEndpointsApiExplorer();
builder.Services.AddSwaggerGen(c =>
{
c.SwaggerDoc("v1", new Microsoft.OpenApi.Models.OpenApiInfo
{
Title = "LittleShop API",
Version = "v1",
Description = "A basic online sales system backend with multi-cryptocurrency payment support",
Contact = new Microsoft.OpenApi.Models.OpenApiContact
{
Name = "LittleShop Support"
}
});
// Add JWT authentication to Swagger
c.AddSecurityDefinition("Bearer", new Microsoft.OpenApi.Models.OpenApiSecurityScheme
{
Description = "JWT Authorization header using the Bearer scheme. Enter 'Bearer' [space] and then your token in the text input below.",
Name = "Authorization",
In = Microsoft.OpenApi.Models.ParameterLocation.Header,
Type = Microsoft.OpenApi.Models.SecuritySchemeType.ApiKey,
Scheme = "Bearer"
});
c.AddSecurityRequirement(new Microsoft.OpenApi.Models.OpenApiSecurityRequirement
{
{
new Microsoft.OpenApi.Models.OpenApiSecurityScheme
{
Reference = new Microsoft.OpenApi.Models.OpenApiReference
{
Type = Microsoft.OpenApi.Models.ReferenceType.SecurityScheme,
Id = "Bearer"
}
},
Array.Empty<string>()
}
});
});
// CORS - Configure for both development and production
builder.Services.AddCors(options =>
{
// Development CORS policy - configured from appsettings
options.AddPolicy("DevelopmentCors",
corsBuilder =>
{
var allowedOrigins = builder.Configuration.GetSection("CORS:AllowedOrigins").Get<string[]>()
?? new[] { "http://localhost:3000", "http://localhost:5173", "http://localhost:5000" };
corsBuilder.WithOrigins(allowedOrigins)
.AllowAnyMethod()
.AllowAnyHeader()
.AllowCredentials(); // Important for cookie authentication
});
// Production CORS policy - strict security
options.AddPolicy("ProductionCors",
corsBuilder =>
{
var allowedOrigins = builder.Configuration.GetSection("CORS:AllowedOrigins").Get<string[]>()
?? new[] { "https://littleshop.silverlabs.uk" };
corsBuilder.WithOrigins(allowedOrigins)
.AllowAnyMethod()
.AllowAnyHeader()
.AllowCredentials();
});
// API-specific CORS policy (no credentials for public API)
options.AddPolicy("ApiCors",
corsBuilder =>
{
// Public API should have more restricted CORS
corsBuilder.WithOrigins("https://littleshop.silverlabs.uk", "https://pay.silverlabs.uk")
.AllowAnyMethod()
.AllowAnyHeader()
.AllowCredentials();
});
});
var app = builder.Build();
// Validate configuration on startup - fail fast if misconfigured
try
{
var configValidator = app.Services.GetRequiredService<ConfigurationValidationService>();
configValidator.ValidateConfiguration();
}
catch (Exception ex)
{
Log.Fatal(ex, "🚨 STARTUP FAILED: Configuration validation error");
throw;
}
// Configure the HTTP request pipeline.
// Configure forwarded headers for proxy scenarios (nginx, etc)
var forwardedHeadersOptions = new Microsoft.AspNetCore.HttpOverrides.ForwardedHeadersOptions
{
ForwardedHeaders = Microsoft.AspNetCore.HttpOverrides.ForwardedHeaders.XForwardedFor |
Microsoft.AspNetCore.HttpOverrides.ForwardedHeaders.XForwardedProto
};
// Clear the default known networks/proxies to allow any proxy
forwardedHeadersOptions.KnownNetworks.Clear();
forwardedHeadersOptions.KnownProxies.Clear();
app.UseForwardedHeaders(forwardedHeadersOptions);
// Add CORS early in the pipeline - before authentication
if (app.Environment.IsDevelopment())
{
app.UseCors("DevelopmentCors");
app.UseSwagger();
app.UseSwaggerUI();
}
else
{
// Use production CORS policy in production environment
app.UseCors("ProductionCors");
}
// Add error handling middleware for production
if (!app.Environment.IsDevelopment())
{
app.UseExceptionHandler("/Home/Error");
app.UseHsts(); // Use HSTS for production security
}
app.UseStaticFiles(); // Enable serving static files
app.UseAuthentication();
app.UseAuthorization();
// Configure routing
app.MapControllerRoute(
name: "admin",
pattern: "Admin/{controller=Dashboard}/{action=Index}/{id?}",
defaults: new { area = "Admin" }
);
app.MapControllerRoute(
name: "areas",
pattern: "{area:exists}/{controller=Home}/{action=Index}/{id?}");
app.MapControllerRoute(
name: "default",
pattern: "{controller=Home}/{action=Index}/{id?}");
app.MapControllers(); // API routes
// Map SignalR hub
app.MapHub<LittleShop.Hubs.ActivityHub>("/activityHub");
// Health check endpoint
app.MapHealthChecks("/health");
// Apply database migrations and seed data
using (var scope = app.Services.CreateScope())
{
var context = scope.ServiceProvider.GetRequiredService<LittleShopContext>();
// Ensure database is created (temporary while fixing migrations)
context.Database.EnsureCreated();
// Seed default admin user
var authService = scope.ServiceProvider.GetRequiredService<IAuthService>();
await authService.SeedDefaultUserAsync();
// Seed sample data
var dataSeeder = scope.ServiceProvider.GetRequiredService<IDataSeederService>();
await dataSeeder.SeedSampleDataAsync();
// Seed system settings - enable test currencies for development
var systemSettings = scope.ServiceProvider.GetRequiredService<ISystemSettingsService>();
await systemSettings.SetTestCurrencyEnabledAsync("TBTC", true);
await systemSettings.SetTestCurrencyEnabledAsync("TLTC", true);
}
Log.Information("LittleShop API starting up...");
app.Run();
// Make Program accessible to test project
public partial class Program { }
Reference in New Issue View Git Blame Copy Permalink