littleshop/README.md
SysAdmin d343037bbd Security: Fix critical vulnerabilities and implement security hardening
CRITICAL SECURITY FIXES:
- Fixed certificate validation bypass vulnerability in BTCPayServerService
  * Removed unsafe ServerCertificateCustomValidationCallback
  * Added environment-specific SSL configuration
  * Production now enforces proper SSL validation

- Fixed overly permissive CORS policy
  * Replaced AllowAnyOrigin() with specific trusted origins
  * Created separate CORS policies for Development/Production/API
  * Configured from appsettings for environment-specific control

- Implemented CSRF protection across admin panel
  * Added [ValidateAntiForgeryToken] to all POST/PUT/DELETE actions
  * Protected 10 admin controllers with anti-forgery tokens
  * Prevents Cross-Site Request Forgery attacks

CONFIGURATION IMPROVEMENTS:
- Created appsettings.Development.json for dev-specific settings
- Added Security:AllowInsecureSSL flag (Development only)
- Added CORS:AllowedOrigins configuration arrays
- Created comprehensive security roadmap (ROADMAP.md)

ALSO FIXED:
- TeleBot syntax errors (Program.cs, MessageFormatter.cs)
- Added enterprise-full-stack-developer output style

Impact: All Phase 1 critical security vulnerabilities resolved
Status: Ready for security review and deployment preparation

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-19 11:56:12 +01:00
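The two hardening patterns the commit describes (CORS origins bound from CORS:AllowedOrigins instead of AllowAnyOrigin(), and certificate validation relaxed only in Development behind Security:AllowInsecureSSL), shown as an added Program.cs sketch. This is illustration, not the project's own code; the policy name "Trusted" and the named HttpClient "BTCPayServer" are assumptions.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

var builder = WebApplication.CreateBuilder(args);

// Before (what the commit removed): every origin is trusted.
// builder.Services.AddCors(o => o.AddDefaultPolicy(p =>
//     p.AllowAnyOrigin().AllowAnyHeader().AllowAnyMethod()));

// After: origins come from the CORS:AllowedOrigins array in appsettings.
string[] allowedOrigins = builder.Configuration
    .GetSection("CORS:AllowedOrigins").Get<string[]>() ?? Array.Empty<string>();

// Fail closed: a production build with no configured origins is a misconfiguration,
// not an invitation to fall back to AllowAnyOrigin().
if (allowedOrigins.Length == 0 && !builder.Environment.IsDevelopment())
    throw new InvalidOperationException("CORS:AllowedOrigins must be set outside Development");

builder.Services.AddCors(options =>
    options.AddPolicy("Trusted", policy =>          // "Trusted" is an assumed policy name
        policy.WithOrigins(allowedOrigins).AllowAnyHeader().AllowAnyMethod()));

// TLS validation may be relaxed only when BOTH conditions hold: the host environment
// is Development AND the flag is explicitly set. Production cannot opt out.
bool allowInsecureSsl = builder.Environment.IsDevelopment()
    && builder.Configuration.GetValue<bool>("Security:AllowInsecureSSL");

builder.Services.AddHttpClient("BTCPayServer")      // assumed client name
    .ConfigurePrimaryHttpMessageHandler(() =>
    {
        var handler = new HttpClientHandler();
        if (allowInsecureSsl)
        {
            // Development only: accept a self-signed BTCPay Server certificate.
            handler.ServerCertificateCustomValidationCallback =
                HttpClientHandler.DangerousAcceptAnyServerCertificateValidator;
        }
        return handler; // otherwise the default chain validation stays in force
    });

var app = builder.Build();
app.UseCors("Trusted");
app.Run();
```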


LittleShop API

A basic online sales system backend built with ASP.NET Core 9.0, featuring multi-cryptocurrency payment support via BTCPay Server.

Features

Admin Panel

  • Authentication: JWT-based authentication for admin users
  • Categories: Full CRUD operations for product categories
  • Products: Complete product management with image upload support
  • Users: Staff user management (username/password only)
  • Orders: Order management with status tracking
  • Accounting: Dashboard and financial overview

Public API

  • Catalog: Public product and category browsing
  • Orders: Order creation and management by client identity reference
  • Payments: Multi-cryptocurrency payment processing
  • Tracking: Order status and tracking

Cryptocurrency Support

  • BTC (Bitcoin) + Lightning Network
  • XMR (Monero) - Privacy coin
  • USDT (Tether) - Stablecoin
  • LTC (Litecoin)
  • ETH (Ethereum)
  • ZEC (Zcash) - Privacy coin
  • DASH (Dash)
  • DOGE (Dogecoin)

Getting Started

Prerequisites

  • .NET 9.0 SDK
  • SQLite (included)
  • BTCPay Server instance (for production)

Configuration

Update appsettings.json with your settings:

{
  "ConnectionStrings": {
    "DefaultConnection": "Data Source=littleshop.db"
  },
  "Jwt": {
    "Key": "YourSuperSecretKeyThatIsAtLeast32CharactersLong!",
    "Issuer": "LittleShop",
    "Audience": "LittleShop",
    "ExpiryInHours": 24
  },
  "BTCPayServer": {
    "BaseUrl": "https://your-btcpay-server.com",
    "ApiKey": "your-api-key",
    "StoreId": "your-store-id",
    "WebhookSecret": "your-webhook-secret"
  }
}
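The sample Jwt section above ships a placeholder key. An added startup check (not part of the project) that binds the Jwt section, refuses the placeholder, and enforces the 32-byte minimum the placeholder's own text promises, so a copied appsettings.json cannot reach production unchanged. JwtOptions and AddValidatedJwtOptions are names chosen for this example.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Text;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

// Mirrors the "Jwt" section of appsettings.json (example type, not the project's).
public sealed class JwtOptions
{
    [Required] public string Key { get; set; } = "";
    [Required] public string Issuer { get; set; } = "";
    [Required] public string Audience { get; set; } = "";
    [Range(1, 72)] public int ExpiryInHours { get; set; } = 24;
}

public static class JwtOptionsSetup
{
    // The value from the README sample; it must never be used by a running instance.
    private const string Placeholder = "YourSuperSecretKeyThatIsAtLeast32CharactersLong!";

    public static IServiceCollection AddValidatedJwtOptions(this IServiceCollection services)
    {
        services.AddOptions<JwtOptions>()
            .BindConfiguration("Jwt")
            .ValidateDataAnnotations()
            .Validate(o => o.Key != Placeholder,
                      "Jwt:Key is still the sample placeholder from the README")
            // HS256 keys shorter than 32 bytes are rejected by the token handler anyway;
            // checking here turns a runtime login failure into a refusal to start.
            .Validate(o => Encoding.UTF8.GetByteCount(o.Key) >= 32,
                      "Jwt:Key must be at least 32 bytes")
            .ValidateOnStart();   // fail at host start, not on the first login request
        return services;
    }
}
```

Register it with builder.Services.AddValidatedJwtOptions(); the host then throws an OptionsValidationException at startup when the key is missing, too short, or unchanged from the sample.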

Running the Application

  1. Clone and build:

    dotnet restore
    dotnet build
    
  2. Run:

    dotnet run
    
  3. Access:

    • API: https://localhost:5001
    • Swagger UI: https://localhost:5001/swagger

Default Admin User

  • Username: admin
  • Password: admin

API Endpoints

Authentication

  • POST /api/auth/login - Login (get JWT token)
  • GET /api/auth/users - List users (admin)
  • POST /api/auth/users - Create user (admin)

Categories

  • GET /api/categories - List categories
  • POST /api/categories - Create category (admin)
  • PUT /api/categories/{id} - Update category (admin)
  • DELETE /api/categories/{id} - Delete category (admin)

Products

  • GET /api/products - List products
  • GET /api/products?categoryId={id} - Products by category
  • POST /api/products - Create product (admin)
  • POST /api/products/{id}/photos - Upload product photo (admin)

Public Catalog

  • GET /api/catalog/categories - Public category list
  • GET /api/catalog/products - Public product list

Orders

  • POST /api/orders - Create order
  • GET /api/orders/by-identity/{identity} - Get orders by identity
  • POST /api/orders/{id}/payments - Create crypto payment
  • GET /api/orders/{id}/payments - Get order payments
  • POST /api/orders/{id}/cancel - Cancel order

Admin Order Management

  • GET /api/orders - List all orders (admin)
  • PUT /api/orders/{id}/status - Update order status (admin)

Product Weight Units

  • Unit (0) - Generic unit
  • Micrograms (1)
  • Grams (2)
  • Ounces (3)
  • Pounds (4)
  • Millilitres (5)
  • Litres (6)

Order Statuses

  • PendingPayment (0) - Awaiting payment
  • PaymentReceived (1) - Payment confirmed
  • Processing (2) - Being processed
  • PickingAndPacking (3) - Preparing for shipment
  • Shipped (4) - Shipped with tracking
  • Delivered (5) - Delivered
  • Cancelled (6) - Cancelled
  • Refunded (7) - Refunded

Payment Workflow

  1. Customer creates order via API
  2. Order receives unique ID and pending status
  3. Customer requests payment in preferred cryptocurrency
  4. System generates unique wallet address and amount
  5. Customer sends payment to provided address
  6. BTCPay Server detects payment and triggers webhook
  7. Order status updates to PaymentReceived
  8. Admin processes order through picking & packing
  9. Shipping label generated via Royal Mail API
  10. Customer receives tracking information
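Step 6 is the point where an unauthenticated request could flip an order to PaymentReceived, so the webhook receiver must check the HMAC that BTCPay Server sends before trusting the event. Added example (not the project's code): BTCPay signs the raw body with the store's webhook secret and sends it as BTCPay-Sig: sha256=<hex>; the route, the IOrderStore abstraction and the mapping of the InvoiceSettled event to the README's PaymentReceived status are assumptions for this example.

```csharp
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;

public enum OrderStatus { PendingPayment = 0, PaymentReceived = 1 } // subset of the README's list

public interface IOrderStore   // hypothetical persistence abstraction
{
    Task SetStatusByInvoiceAsync(string invoiceId, OrderStatus status);
}

[ApiController]
[Route("api/webhooks/btcpay")]  // assumed route
public class BtcPayWebhookController : ControllerBase
{
    private readonly string _secret;
    private readonly IOrderStore _orders;

    public BtcPayWebhookController(IConfiguration config, IOrderStore orders)
    {
        _secret = config["BTCPayServer:WebhookSecret"]
                  ?? throw new InvalidOperationException("BTCPayServer:WebhookSecret missing");
        _orders = orders;
    }

    [HttpPost]
    public async Task<IActionResult> Receive()
    {
        using var ms = new MemoryStream();
        await Request.Body.CopyToAsync(ms);   // HMAC covers the body exactly as sent
        byte[] body = ms.ToArray();

        if (!Request.Headers.TryGetValue("BTCPay-Sig", out var sig)
            || !SignatureIsValid(body, sig.ToString(), _secret))
            return Unauthorized();            // unsigned or forged delivery: change nothing

        using var doc = JsonDocument.Parse(body);
        string type = doc.RootElement.GetProperty("type").GetString() ?? "";
        string invoiceId = doc.RootElement.GetProperty("invoiceId").GetString() ?? "";

        if (type == "InvoiceSettled")         // assumed mapping to step 7 of the workflow
            await _orders.SetStatusByInvoiceAsync(invoiceId, OrderStatus.PaymentReceived);
        return Ok();                          // acknowledge so BTCPay stops retrying
    }

    public static bool SignatureIsValid(byte[] body, string header, string secret)
    {
        const string prefix = "sha256=";
        if (!header.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)) return false;
        byte[] expected = HMACSHA256.HashData(Encoding.UTF8.GetBytes(secret), body);
        byte[] provided;
        try { provided = Convert.FromHexString(header.Substring(prefix.Length)); }
        catch (FormatException) { return false; }
        return CryptographicOperations.FixedTimeEquals(expected, provided); // constant time
    }
}
```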

Security Features

  • JWT authentication for admin endpoints
  • Password hashing with PBKDF2
  • No customer personal data stored (identity reference only)
  • Self-hosted payment processing (no third-party data sharing)
  • CORS configuration for web clients

Logging

  • Structured logging with Serilog
  • Console and file output
  • Request/response logging
  • Payment processing audit trail

Development

The API is built with:

  • ASP.NET Core 9.0 - Web framework
  • Entity Framework Core - Database ORM
  • SQLite - Database
  • JWT - Authentication
  • AutoMapper - Object mapping
  • FluentValidation - Input validation
  • Serilog - Logging
  • Swagger - API documentation
  • BTCPay Server Client - Crypto payments

Privacy & Compliance

  • No KYC requirements
  • No customer personal data retention
  • Privacy-focused cryptocurrencies supported (XMR, ZEC)
  • Self-hosted payment processing
  • GDPR-friendly design (minimal data collection)

Development Roadmap

See ROADMAP.md for detailed development plans, including:

  • 🚨 Critical security fixes (immediate priority)
  • 📋 Production readiness improvements
  • 🚀 Feature enhancements (shipping, notifications, analytics)
  • 🏗️ Long-term scalability and optimization plans

Recent Updates

  • Security vulnerabilities identified and documented (Sep 19, 2025)
  • BTCPay Server integration fixed with production credentials (Sep 19, 2025)
  • Product variations and mobile workflow implemented (Sep 18, 2025)