feat(infra): Docker-compose configuration and environment-specific security guards for Beta deployment to Test environment (#56)
This pull request introduces the dedicated containerized infrastructure and configuration for deploying NexusReader's beta version in the Test environment. ### Summary of Changes 1. **Docker Infrastructure & Secrets**: - **`docker-compose.test.yml`**: Configured dedicated database and auxiliary services (PostgreSQL 17, Qdrant, Neo4j) on isolated, non-standard ports to ensure zero conflict with the existing server configurations. - **`.env.test.template`**: Provided an environment variable template showing required setups, including mandatory database passwords, API keys, and admin custom passwords. - **`.gitignore`**: Excluded local `.env` files to prevent accidental commits of production or staging secrets. 2. **Database Hardening**: - Configured Neo4j with basic authentication (`IDriver` instantiation uses basic auth when credentials are provided in configuration). - Configured PostgreSQL to use mandatory authentication. - Configured the admin seeder (`DbInitializer.cs`) to dynamically use `NEXUS_ADMIN_PASSWORD` from environment variables, falling back to a default password in local Development only. 3. **Feature-Flagged Restrictions**: - **`appsettings.Test.json`**: Implemented `Features:AllowRegistration` and `Features:AllowPasswordReset` flags set to `false`. - **Middleware Enforcement (`Program.cs`)**: Intercepts requests to `/identity/register` and `/identity/forgotPassword` (and their MVC/form variations) and rejects them with a `403 Forbidden` response in restricted environments. - **OAuth Provisioning Guard (`Program.cs`)**: Blocks new account provisioning via Google OAuth callback by checking the `Features:AllowRegistration` configuration, redirecting users to the login page with a descriptive error. - **UI Protection (`Login.razor`, `Register.razor`)**: Conditionally hides registration/password reset links and intercepts manual navigation attempts to `/account/register` by redirecting to login with a warning. --------- Co-authored-by: Marek Jasiński <jasins.marek@gmail.com> Reviewed-on: #56 Co-authored-by: Antigravity <antigravity@google.com> Co-committed-by: Antigravity <antigravity@google.com>
This commit was merged in pull request #56.
This commit is contained in:
@@ -56,9 +56,14 @@ public static class DependencyInjection
|
||||
var qdrantUrl = configuration.GetConnectionString("QdrantConnection") ?? "http://localhost:6334";
|
||||
services.AddSingleton<QdrantClient>(sp => new QdrantClient(new Uri(qdrantUrl)));
|
||||
|
||||
// Neo4j Driver registration
|
||||
// Neo4j Driver registration (supports optional authentication)
|
||||
var neo4jUrl = configuration.GetConnectionString("Neo4jConnection") ?? "bolt://localhost:7687";
|
||||
services.AddSingleton<IDriver>(sp => GraphDatabase.Driver(neo4jUrl, AuthTokens.None));
|
||||
var neo4jUser = configuration["Neo4j:Username"];
|
||||
var neo4jPass = configuration["Neo4j:Password"];
|
||||
var neo4jAuth = !string.IsNullOrEmpty(neo4jUser)
|
||||
? AuthTokens.Basic(neo4jUser, neo4jPass ?? string.Empty)
|
||||
: AuthTokens.None;
|
||||
services.AddSingleton<IDriver>(sp => GraphDatabase.Driver(neo4jUrl, neo4jAuth));
|
||||
|
||||
// Hangfire registration
|
||||
if (!string.IsNullOrEmpty(pgConnectionString))
|
||||
|
||||
@@ -18,6 +18,16 @@ public class EpubReaderService : IEpubReader
|
||||
private readonly ILogger<EpubReaderService> _logger;
|
||||
private const int WordThreshold = 1000;
|
||||
|
||||
private static readonly Regex ImageTagRegex = new(@"<img\b(?<before>[^>]*?\bsrc=[""'])(?<src>[^""']*?)(?<after>[""'][^>]*?>)", RegexOptions.IgnoreCase | RegexOptions.Compiled);
|
||||
private static readonly Regex BodyMatchRegex = new(@"<body\b[^>]*>(.*?)</body>", RegexOptions.IgnoreCase | RegexOptions.Singleline | RegexOptions.Compiled);
|
||||
private static readonly Regex ParagraphMatchRegex = new(@"<(p|h[1-6]|ul|ol|blockquote|pre)\b[^>]*>.*?</\1>|<hr\b[^>]*>|<img\b[^>]*>", RegexOptions.IgnoreCase | RegexOptions.Singleline | RegexOptions.Compiled);
|
||||
private static readonly Regex StyleScriptRegex = new(@"<(style|script)\b[^>]*>.*?</\1>", RegexOptions.IgnoreCase | RegexOptions.Singleline | RegexOptions.Compiled);
|
||||
private static readonly Regex WhitelistTagsRegex = new(@"<(?!/?(b|i|strong|em|h[1-6]|p|ul|ol|li|blockquote|pre|code|br|hr|img)\b)[^>]+>", RegexOptions.IgnoreCase | RegexOptions.Compiled);
|
||||
private static readonly Regex StripAttributesRegex = new(@"<(b|i|strong|em|h[1-6]|p|ul|ol|li|blockquote|pre|code|br|hr)\b[^>]*>", RegexOptions.IgnoreCase | RegexOptions.Compiled);
|
||||
private static readonly Regex ImgTagSanitizerRegex = new(@"<img\b[^>]*>", RegexOptions.IgnoreCase | RegexOptions.Compiled);
|
||||
private static readonly Regex SrcAttributeRegex = new(@"\bsrc=[""'](?<src>[^""']*)[""']", RegexOptions.IgnoreCase | RegexOptions.Compiled);
|
||||
private static readonly Regex AltAttributeRegex = new(@"\balt=[""'](?<alt>[^""']*)[""']", RegexOptions.IgnoreCase | RegexOptions.Compiled);
|
||||
|
||||
public EpubReaderService(
|
||||
IDbContextFactory<AppDbContext> dbContextFactory,
|
||||
ILogger<EpubReaderService> logger)
|
||||
@@ -80,6 +90,9 @@ public class EpubReaderService : IEpubReader
|
||||
|
||||
var chapterContent = await chapterRef.ReadContentAsTextAsync();
|
||||
|
||||
// Rewrite relative image src URLs to use the server-side API endpoint
|
||||
chapterContent = RewriteImageUrls(chapterContent, ebookId, chapterRef.FilePath);
|
||||
|
||||
// 3. Build content blocks
|
||||
var blocks = new List<ContentBlock>();
|
||||
int totalWordCount = 0;
|
||||
@@ -142,13 +155,150 @@ public class EpubReaderService : IEpubReader
|
||||
return null;
|
||||
}
|
||||
|
||||
/// <inheritdoc />
|
||||
public async Task<Result<byte[]>> GetEpubResourceAsync(
|
||||
Guid ebookId,
|
||||
string resourcePath,
|
||||
string? userId = null,
|
||||
CancellationToken cancellationToken = default)
|
||||
{
|
||||
try
|
||||
{
|
||||
using var context = await _dbContextFactory.CreateDbContextAsync(cancellationToken);
|
||||
var ebook = await context.Ebooks
|
||||
.AsNoTracking()
|
||||
.FirstOrDefaultAsync(
|
||||
e => e.Id == ebookId && (userId == null || e.UserId == userId),
|
||||
cancellationToken);
|
||||
|
||||
if (ebook == null)
|
||||
{
|
||||
return Result.Fail($"Ebook '{ebookId}' not found.");
|
||||
}
|
||||
|
||||
var fullPath = ResolvePath(ebook.FilePath);
|
||||
if (fullPath == null || !File.Exists(fullPath))
|
||||
{
|
||||
return Result.Fail("EPUB file not found.");
|
||||
}
|
||||
|
||||
using var bookRef = await EpubReader.OpenBookAsync(fullPath);
|
||||
|
||||
var decodedPath = System.Net.WebUtility.UrlDecode(resourcePath);
|
||||
if (decodedPath.Contains("..") || decodedPath.Contains(":") || decodedPath.StartsWith("/") || decodedPath.StartsWith("\\"))
|
||||
{
|
||||
return Result.Fail("Invalid resource path.");
|
||||
}
|
||||
|
||||
decodedPath = decodedPath.Replace('\\', '/').TrimStart('/');
|
||||
|
||||
EpubLocalContentFileRef? targetFile = null;
|
||||
if (bookRef.Content?.AllFiles?.Local != null)
|
||||
{
|
||||
foreach (var file in bookRef.Content.AllFiles.Local)
|
||||
{
|
||||
var filePath = file.FilePath?.Replace('\\', '/').TrimStart('/') ?? "";
|
||||
var fileKey = file.Key?.Replace('\\', '/').TrimStart('/') ?? "";
|
||||
if (filePath.Equals(decodedPath, StringComparison.OrdinalIgnoreCase) ||
|
||||
fileKey.Equals(decodedPath, StringComparison.OrdinalIgnoreCase))
|
||||
{
|
||||
targetFile = file;
|
||||
break;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (targetFile != null)
|
||||
{
|
||||
if (targetFile is EpubLocalByteContentFileRef byteFile)
|
||||
{
|
||||
byte[] bytes = await byteFile.ReadContentAsync();
|
||||
return Result.Ok(bytes);
|
||||
}
|
||||
else if (targetFile is EpubLocalTextContentFileRef textFile)
|
||||
{
|
||||
string text = await textFile.ReadContentAsync();
|
||||
byte[] bytes = System.Text.Encoding.UTF8.GetBytes(text);
|
||||
return Result.Ok(bytes);
|
||||
}
|
||||
}
|
||||
|
||||
return Result.Fail($"Resource '{resourcePath}' not found in EPUB.");
|
||||
}
|
||||
catch (Exception ex)
|
||||
{
|
||||
_logger.LogError(ex, "Failed to retrieve EPUB resource '{ResourcePath}' for ebook {EbookId}.", resourcePath, ebookId);
|
||||
return Result.Fail(new Error($"Failed to retrieve EPUB resource: {ex.Message}").CausedBy(ex));
|
||||
}
|
||||
}
|
||||
|
||||
private static string RewriteImageUrls(string html, Guid ebookId, string chapterPath)
|
||||
{
|
||||
if (string.IsNullOrEmpty(html)) return html;
|
||||
|
||||
return ImageTagRegex.Replace(html, match =>
|
||||
{
|
||||
var rawSrc = match.Groups["src"].Value;
|
||||
|
||||
if (rawSrc.StartsWith("javascript:", StringComparison.OrdinalIgnoreCase))
|
||||
{
|
||||
return ""; // Completely block script execution in image src
|
||||
}
|
||||
|
||||
if (rawSrc.StartsWith("http://", StringComparison.OrdinalIgnoreCase) ||
|
||||
rawSrc.StartsWith("https://", StringComparison.OrdinalIgnoreCase) ||
|
||||
rawSrc.StartsWith("data:", StringComparison.OrdinalIgnoreCase))
|
||||
{
|
||||
return match.Value;
|
||||
}
|
||||
|
||||
var resolvedPath = ResolveRelativePath(chapterPath, rawSrc);
|
||||
var rewrittenSrc = $"/api/epub/{ebookId}/resource?path={System.Net.WebUtility.UrlEncode(resolvedPath)}";
|
||||
return $"{match.Groups["before"].Value}{rewrittenSrc}{match.Groups["after"].Value}";
|
||||
});
|
||||
}
|
||||
|
||||
private static string ResolveRelativePath(string basePath, string relativePath)
|
||||
{
|
||||
if (string.IsNullOrEmpty(relativePath)) return string.Empty;
|
||||
|
||||
var decodedRelative = System.Net.WebUtility.UrlDecode(relativePath);
|
||||
var baseDir = Path.GetDirectoryName(basePath) ?? "";
|
||||
baseDir = baseDir.Replace('\\', '/');
|
||||
|
||||
var combined = Path.Combine(baseDir, decodedRelative).Replace('\\', '/');
|
||||
var segments = combined.Split('/');
|
||||
var stack = new Stack<string>();
|
||||
|
||||
foreach (var segment in segments)
|
||||
{
|
||||
if (segment == "." || string.IsNullOrEmpty(segment))
|
||||
{
|
||||
continue;
|
||||
}
|
||||
if (segment == "..")
|
||||
{
|
||||
if (stack.Count > 0)
|
||||
{
|
||||
stack.Pop();
|
||||
}
|
||||
}
|
||||
else
|
||||
{
|
||||
stack.Push(segment);
|
||||
}
|
||||
}
|
||||
|
||||
return string.Join("/", stack.Reverse());
|
||||
}
|
||||
|
||||
private static List<string> ExtractParagraphs(string html)
|
||||
{
|
||||
var bodyMatch = Regex.Match(html, @"<body\b[^>]*>(.*?)</body>", RegexOptions.IgnoreCase | RegexOptions.Singleline);
|
||||
var bodyMatch = BodyMatchRegex.Match(html);
|
||||
var content = bodyMatch.Success ? bodyMatch.Groups[1].Value : html;
|
||||
|
||||
var paragraphs = new List<string>();
|
||||
var matches = Regex.Matches(content, @"<(p|h[1-6]|ul|ol|blockquote|pre)\b[^>]*>.*?</\1>|<hr\b[^>]*>", RegexOptions.IgnoreCase | RegexOptions.Singleline);
|
||||
var matches = ParagraphMatchRegex.Matches(content);
|
||||
|
||||
foreach (Match match in matches)
|
||||
{
|
||||
@@ -165,9 +315,20 @@ public class EpubReaderService : IEpubReader
|
||||
|
||||
private static string SanitizeParagraph(string html)
|
||||
{
|
||||
var clean = Regex.Replace(html, @"<(style|script)\b[^>]*>.*?</\1>", "", RegexOptions.IgnoreCase | RegexOptions.Singleline);
|
||||
clean = Regex.Replace(clean, @"<(?!/?(b|i|strong|em|h[1-6]|p|ul|ol|li|blockquote|pre|code|br|hr)\b)[^>]+>", "", RegexOptions.IgnoreCase);
|
||||
clean = Regex.Replace(clean, @"<(b|i|strong|em|h[1-6]|p|ul|ol|li|blockquote|pre|code|br|hr)\b[^>]*>", "<$1>", RegexOptions.IgnoreCase);
|
||||
var clean = StyleScriptRegex.Replace(html, "");
|
||||
clean = WhitelistTagsRegex.Replace(clean, "");
|
||||
clean = StripAttributesRegex.Replace(clean, "<$1>");
|
||||
|
||||
// Securely sanitize img tags by keeping ONLY src and alt attributes to prevent XSS (onerror, onload, style, etc.)
|
||||
clean = ImgTagSanitizerRegex.Replace(clean, m =>
|
||||
{
|
||||
var srcMatch = SrcAttributeRegex.Match(m.Value);
|
||||
var altMatch = AltAttributeRegex.Match(m.Value);
|
||||
var srcAttr = srcMatch.Success ? $" src=\"{srcMatch.Groups["src"].Value}\"" : "";
|
||||
var altAttr = altMatch.Success ? $" alt=\"{altMatch.Groups["alt"].Value}\"" : "";
|
||||
return $"<img{srcAttr}{altAttr} />";
|
||||
});
|
||||
|
||||
clean = System.Net.WebUtility.HtmlDecode(clean);
|
||||
return clean.Trim();
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user