SilverLABS/littleshop
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
d343037bbd
littleshop/LittleShop/Areas/Admin/Controllers/AccountController.cs
SysAdmin d343037bbd Security: Fix critical vulnerabilities and implement security hardening 
CRITICAL SECURITY FIXES:
- Fixed certificate validation bypass vulnerability in BTCPayServerService
  * Removed unsafe ServerCertificateCustomValidationCallback
  * Added environment-specific SSL configuration
  * Production now enforces proper SSL validation

- Fixed overly permissive CORS policy
  * Replaced AllowAnyOrigin() with specific trusted origins
  * Created separate CORS policies for Development/Production/API
  * Configured from appsettings for environment-specific control

- Implemented CSRF protection across admin panel
  * Added [ValidateAntiForgeryToken] to all POST/PUT/DELETE actions
  * Protected 10 admin controllers with anti-forgery tokens
  * Prevents Cross-Site Request Forgery attacks

CONFIGURATION IMPROVEMENTS:
- Created appsettings.Development.json for dev-specific settings
- Added Security:AllowInsecureSSL flag (Development only)
- Added CORS:AllowedOrigins configuration arrays
- Created comprehensive security roadmap (ROADMAP.md)

ALSO FIXED:
- TeleBot syntax errors (Program.cs, MessageFormatter.cs)
- Added enterprise-full-stack-developer output style

Impact: All Phase 1 critical security vulnerabilities resolved
Status: Ready for security review and deployment preparation

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-19 11:56:12 +01:00

84 lines
2.5 KiB
C#
Raw Blame History

using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using System.Security.Claims;
using LittleShop.Services;
using LittleShop.DTOs;
namespace LittleShop.Areas.Admin.Controllers;
[Area("Admin")]
public class AccountController : Controller
{
private readonly IAuthService _authService;
public AccountController(IAuthService authService)
{
_authService = authService;
}
[HttpGet]
public IActionResult Login()
{
if (User.Identity?.IsAuthenticated == true)
{
return RedirectToAction("Index", "Dashboard");
}
return View();
}
[HttpPost]
[ValidateAntiForgeryToken]
public async Task<IActionResult> Login(string username, string password)
{
Console.WriteLine($"Received Username: '{username}', Password: '{password}'");
if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
{
ModelState.AddModelError("", "Username and password are required");
return View();
}
// Use AuthService to validate against database users
var loginDto = new LoginDto { Username = username, Password = password };
var authResponse = await _authService.LoginAsync(loginDto);
if (authResponse != null)
{
// Get the actual user from database to get correct ID
var user = await _authService.GetUserByUsernameAsync(username);
if (user != null)
{
var claims = new List<Claim>
{
new(ClaimTypes.Name, user.Username),
new(ClaimTypes.NameIdentifier, user.Id.ToString()), // Use real database ID
new(ClaimTypes.Role, "Admin") // All users in admin system are admins
};
var identity = new ClaimsIdentity(claims, "Cookies");
var principal = new ClaimsPrincipal(identity);
await HttpContext.SignInAsync("Cookies", principal);
return RedirectToAction("Index", "Dashboard");
}
}
ModelState.AddModelError("", "Invalid username or password");
return View();
}
[HttpPost]
[ValidateAntiForgeryToken]
[Authorize]
public async Task<IActionResult> Logout()
{
await HttpContext.SignOutAsync("Cookies");
return RedirectToAction("Login");
}
public IActionResult AccessDenied()
{
return View();
}
}
Reference in New Issue View Git Blame Copy Permalink