feat(infra): Docker-compose configuration and environment-specific security guards for Beta deployment to Test environment (#56)
This pull request introduces the dedicated containerized infrastructure and configuration for deploying NexusReader's beta version in the Test environment.

### Summary of Changes

1. **Docker Infrastructure & Secrets**:
   - **`docker-compose.test.yml`**: Configured dedicated database and auxiliary services (PostgreSQL 17, Qdrant, Neo4j) on isolated, non-standard ports to ensure zero conflict with the existing server configurations.
   - **`.env.test.template`**: Provided an environment variable template showing required setups, including mandatory database passwords, API keys, and custom admin passwords.
   - **`.gitignore`**: Excluded local `.env` files to prevent accidental commits of production or staging secrets.
2. **Database Hardening**:
   - Configured Neo4j with basic authentication (`IDriver` instantiation uses basic auth when credentials are provided in configuration).
   - Configured PostgreSQL to use mandatory authentication.
   - Configured the admin seeder (`DbInitializer.cs`) to dynamically use `NEXUS_ADMIN_PASSWORD` from environment variables, falling back to a default password in local Development only.
3. **Feature-Flagged Restrictions**:
   - **`appsettings.Test.json`**: Implemented `Features:AllowRegistration` and `Features:AllowPasswordReset` flags set to `false`.
   - **Middleware Enforcement (`Program.cs`)**: Intercepts requests to `/identity/register` and `/identity/forgotPassword` (and their MVC/form variations) and rejects them with a `403 Forbidden` response in restricted environments.
   - **OAuth Provisioning Guard (`Program.cs`)**: Blocks new account provisioning via Google OAuth callback by checking the `Features:AllowRegistration` configuration, redirecting users to the login page with a descriptive error.
   - **UI Protection (`Login.razor`, `Register.razor`)**: Conditionally hides registration/password reset links and intercepts manual navigation attempts to `/account/register` by redirecting to login with a warning.
---------

Co-authored-by: Marek Jasiński <jasins.marek@gmail.com>
Reviewed-on: #56
Co-authored-by: Antigravity <antigravity@google.com>
Co-committed-by: Antigravity <antigravity@google.com>
This commit was merged in pull request #56.
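The PR summary above describes two guards in prose: a middleware that returns `403 Forbidden` for registration and password-reset paths when the `Features:*` flags are false, and an admin seeder that only accepts a built-in default password in Development. The following is an added example written for this page, not NexusReader's own `Program.cs` or `DbInitializer.cs`, showing one way to implement both in an ASP.NET Core minimal API app. Assumptions not taken from the PR: the `/account/forgotPassword` path (a hypothetical form variation), the Development-only default `Dev-Only-Password-1!`, and the choice to treat a missing flag as `false` (fail closed), which may differ from the project's own defaults.

```csharp
// Added example, not project code. Guards modelled on the PR summary:
//  - feature-flag middleware: 403 on account-creation/recovery paths when the flag is false
//  - admin seed password: NEXUS_ADMIN_PASSWORD wins, Development-only fallback, otherwise refuse
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Resolve the seed password at startup so a misconfigured Test/Production deployment
// fails immediately instead of seeding a guessable admin account.
var adminPassword = AdminSeed.ResolvePassword(app.Environment, Environment.GetEnvironmentVariable);

app.Use(async (ctx, next) =>
{
    var flag = FeatureGuard.BlockingFlag(ctx.Request.Path, app.Configuration);
    if (flag is not null)
    {
        ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
        await ctx.Response.WriteAsync(
            $"This action is disabled in the {app.Environment.EnvironmentName} environment ({flag} is false).");
        return; // short-circuit: the endpoint below is never reached
    }
    await next(ctx);
});

app.MapGet("/", () => "ok");
app.MapPost("/identity/register", () => Results.Ok("registered"));   // blocked when AllowRegistration=false
app.MapPost("/identity/forgotPassword", () => Results.Ok("sent"));   // blocked when AllowPasswordReset=false
app.Run();

public static class FeatureGuard
{
    // Path prefixes that create or recover accounts, each mapped to the flag that must be true.
    // "/account/forgotPassword" is a hypothetical form variation, not a path named in the PR.
    private static readonly (string Prefix, string Flag)[] GuardedPaths =
    {
        ("/identity/register",       "Features:AllowRegistration"),
        ("/account/register",        "Features:AllowRegistration"),
        ("/identity/forgotPassword", "Features:AllowPasswordReset"),
        ("/account/forgotPassword",  "Features:AllowPasswordReset"),
    };

    // Returns the flag that blocks this request, or null when the request may proceed.
    // Segment matching (not a raw prefix check) so "/identity/registerX" is not caught by accident,
    // and case-insensitive so "/Identity/Register" cannot bypass the guard.
    public static string? BlockingFlag(PathString path, IConfiguration config)
    {
        foreach (var (prefix, flag) in GuardedPaths)
        {
            if (path.StartsWithSegments(prefix, StringComparison.OrdinalIgnoreCase)
                && !config.GetValue<bool>(flag))   // absent key => false => blocked (fail closed; an assumption)
                return flag;
        }
        return null;
    }
}

public static class AdminSeed
{
    private const string Placeholder = "CHANGE_ME";            // prefix used by the .env template
    private const string DevOnlyDefault = "Dev-Only-Password-1!"; // hypothetical local default

    // getEnv is injected so the rule can be unit-tested without touching the real process environment.
    public static string ResolvePassword(IHostEnvironment env, Func<string, string?> getEnv)
    {
        var fromEnv = getEnv("NEXUS_ADMIN_PASSWORD");
        if (!string.IsNullOrWhiteSpace(fromEnv))
        {
            // A template value that was copied but never edited must not become the admin password.
            if (fromEnv.StartsWith(Placeholder, StringComparison.Ordinal))
                throw new InvalidOperationException("NEXUS_ADMIN_PASSWORD still holds the template placeholder.");
            return fromEnv;
        }
        if (env.IsDevelopment())
            return DevOnlyDefault;
        throw new InvalidOperationException("NEXUS_ADMIN_PASSWORD must be set outside the Development environment.");
    }
}
```

Run with `ASPNETCORE_ENVIRONMENT=Test` and `Features__AllowRegistration=false` (the double underscore is ASP.NET Core's environment-variable form of the `:` key separator): a `POST /identity/register` returns 403 while `GET /` still succeeds, and starting without `NEXUS_ADMIN_PASSWORD` throws before the app listens. Keeping the path/flag table and the password rule in small static methods is what makes both checks testable in isolation from Identity and the database.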
@@ -0,0 +1,41 @@
# ===================================================================
# NexusReader — Test Environment Variables
# ===================================================================
# Copy this file to `.env` and fill in the values before deployment:
# cp .env.test.template .env
#
# Then deploy with:
# docker compose -f docker-compose.test.yml up -d --build
# ===================================================================
# === PostgreSQL ===
POSTGRES_USER=nexus_user
POSTGRES_PASSWORD=CHANGE_ME_TO_STRONG_PASSWORD
POSTGRES_DB=nexus_test_db
POSTGRES_PORT=5433
# === Neo4j ===
NEO4J_USERNAME=neo4j
NEO4J_PASSWORD=CHANGE_ME_TO_STRONG_PASSWORD
# === Qdrant (leave empty to disable API key auth) ===
QDRANT_API_KEY=
# === Web App ===
WEB_PORT=5050
# === Google OAuth (placeholder for test) ===
GOOGLE_CLIENT_ID=placeholder
GOOGLE_CLIENT_SECRET=placeholder
# === Gemini AI (placeholder for test) ===
GOOGLE_AI_API_KEY=placeholder
# === Admin Seed Password ===
NEXUS_ADMIN_PASSWORD=CHANGE_ME
# === Non-standard ports for auxiliary services ===
QDRANT_HTTP_PORT=6343
QDRANT_GRPC_PORT=6344
NEO4J_HTTP_PORT=7484
NEO4J_BOLT_PORT=7697
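Review bot: the placeholder secrets in this template (`POSTGRES_PASSWORD=CHANGE_ME_TO_STRONG_PASSWORD`, `NEO4J_PASSWORD=CHANGE_ME_TO_STRONG_PASSWORD`, `NEXUS_ADMIN_PASSWORD=CHANGE_ME`) are syntactically valid values, so a deployment that skips the "fill in the values" step in the header comment comes up with guessable database and admin credentials instead of failing. Consider requiring the variables in the compose file with the `${POSTGRES_PASSWORD:?set in .env}` form so an unset value aborts `docker compose up`, and having the admin seeder refuse any `NEXUS_ADMIN_PASSWORD` that still begins with `CHANGE_ME`. The same applies to `QDRANT_API_KEY=`: the comment says an empty value disables API-key auth, and since `QDRANT_HTTP_PORT=6343` and `QDRANT_GRPC_PORT=6344` are published as host ports, the default as written is an unauthenticated vector store reachable from the host network. A generated value (for example `openssl rand -hex 32`, noted in the comment) is a safer default than empty, or the comment should state explicitly that leaving it blank is only acceptable when the Qdrant ports are not exposed.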