feat(infra): Docker-compose configuration and environment-specific security guards for Beta deployment to Test environment (#56)

This pull request introduces the dedicated containerized infrastructure and configuration for deploying NexusReader's beta version in the Test environment.

### Summary of Changes

1. **Docker Infrastructure & Secrets**:
   - **`docker-compose.test.yml`**: Configured dedicated database and auxiliary services (PostgreSQL 17, Qdrant, Neo4j) on isolated, non-standard ports to ensure zero conflict with the existing server configurations.
   - **`.env.test.template`**: Provided an environment variable template showing required setups, including mandatory database passwords, API keys, and admin custom passwords.
   - **`.gitignore`**: Excluded local `.env` files to prevent accidental commits of production or staging secrets.

2. **Database Hardening**:
   - Configured Neo4j with basic authentication (`IDriver` instantiation uses basic auth when credentials are provided in configuration).
   - Configured PostgreSQL to use mandatory authentication.
   - Configured the admin seeder (`DbInitializer.cs`) to dynamically use `NEXUS_ADMIN_PASSWORD` from environment variables, falling back to a default password in local Development only.

3. **Feature-Flagged Restrictions**:
   - **`appsettings.Test.json`**: Implemented `Features:AllowRegistration` and `Features:AllowPasswordReset` flags set to `false`.
   - **Middleware Enforcement (`Program.cs`)**: Intercepts requests to `/identity/register` and `/identity/forgotPassword` (and their MVC/form variations) and rejects them with a `403 Forbidden` response in restricted environments.
   - **OAuth Provisioning Guard (`Program.cs`)**: Blocks new account provisioning via Google OAuth callback by checking the `Features:AllowRegistration` configuration, redirecting users to the login page with a descriptive error.
   - **UI Protection (`Login.razor`, `Register.razor`)**: Conditionally hides registration/password reset links and intercepts manual navigation attempts to `/account/register` by redirecting to login with a warning.

---------

Co-authored-by: Marek Jasiński <jasins.marek@gmail.com>
Reviewed-on: #56
Co-authored-by: Antigravity <antigravity@google.com>
Co-committed-by: Antigravity <antigravity@google.com>
This commit was merged in pull request #56.
This commit is contained in:
2026-06-01 17:17:45 +00:00
committed by Marek Jaisński
parent 72905aa119
commit 711480f8f6
54 changed files with 4181 additions and 282 deletions
@@ -56,9 +56,14 @@ public static class DependencyInjection
var qdrantUrl = configuration.GetConnectionString("QdrantConnection") ?? "http://localhost:6334";
services.AddSingleton<QdrantClient>(sp => new QdrantClient(new Uri(qdrantUrl)));
// Neo4j Driver registration
// Neo4j Driver registration (supports optional authentication)
var neo4jUrl = configuration.GetConnectionString("Neo4jConnection") ?? "bolt://localhost:7687";
services.AddSingleton<IDriver>(sp => GraphDatabase.Driver(neo4jUrl, AuthTokens.None));
var neo4jUser = configuration["Neo4j:Username"];
var neo4jPass = configuration["Neo4j:Password"];
var neo4jAuth = !string.IsNullOrEmpty(neo4jUser)
? AuthTokens.Basic(neo4jUser, neo4jPass ?? string.Empty)
: AuthTokens.None;
services.AddSingleton<IDriver>(sp => GraphDatabase.Driver(neo4jUrl, neo4jAuth));
// Hangfire registration
if (!string.IsNullOrEmpty(pgConnectionString))
@@ -18,6 +18,16 @@ public class EpubReaderService : IEpubReader
private readonly ILogger<EpubReaderService> _logger;
private const int WordThreshold = 1000;
private static readonly Regex ImageTagRegex = new(@"<img\b(?<before>[^>]*?\bsrc=[""'])(?<src>[^""']*?)(?<after>[""'][^>]*?>)", RegexOptions.IgnoreCase | RegexOptions.Compiled);
private static readonly Regex BodyMatchRegex = new(@"<body\b[^>]*>(.*?)</body>", RegexOptions.IgnoreCase | RegexOptions.Singleline | RegexOptions.Compiled);
private static readonly Regex ParagraphMatchRegex = new(@"<(p|h[1-6]|ul|ol|blockquote|pre)\b[^>]*>.*?</\1>|<hr\b[^>]*>|<img\b[^>]*>", RegexOptions.IgnoreCase | RegexOptions.Singleline | RegexOptions.Compiled);
private static readonly Regex StyleScriptRegex = new(@"<(style|script)\b[^>]*>.*?</\1>", RegexOptions.IgnoreCase | RegexOptions.Singleline | RegexOptions.Compiled);
private static readonly Regex WhitelistTagsRegex = new(@"<(?!/?(b|i|strong|em|h[1-6]|p|ul|ol|li|blockquote|pre|code|br|hr|img)\b)[^>]+>", RegexOptions.IgnoreCase | RegexOptions.Compiled);
private static readonly Regex StripAttributesRegex = new(@"<(b|i|strong|em|h[1-6]|p|ul|ol|li|blockquote|pre|code|br|hr)\b[^>]*>", RegexOptions.IgnoreCase | RegexOptions.Compiled);
private static readonly Regex ImgTagSanitizerRegex = new(@"<img\b[^>]*>", RegexOptions.IgnoreCase | RegexOptions.Compiled);
private static readonly Regex SrcAttributeRegex = new(@"\bsrc=[""'](?<src>[^""']*)[""']", RegexOptions.IgnoreCase | RegexOptions.Compiled);
private static readonly Regex AltAttributeRegex = new(@"\balt=[""'](?<alt>[^""']*)[""']", RegexOptions.IgnoreCase | RegexOptions.Compiled);
public EpubReaderService(
IDbContextFactory<AppDbContext> dbContextFactory,
ILogger<EpubReaderService> logger)
@@ -80,6 +90,9 @@ public class EpubReaderService : IEpubReader
var chapterContent = await chapterRef.ReadContentAsTextAsync();
// Rewrite relative image src URLs to use the server-side API endpoint
chapterContent = RewriteImageUrls(chapterContent, ebookId, chapterRef.FilePath);
// 3. Build content blocks
var blocks = new List<ContentBlock>();
int totalWordCount = 0;
@@ -142,13 +155,150 @@ public class EpubReaderService : IEpubReader
return null;
}
/// <inheritdoc />
public async Task<Result<byte[]>> GetEpubResourceAsync(
Guid ebookId,
string resourcePath,
string? userId = null,
CancellationToken cancellationToken = default)
{
try
{
using var context = await _dbContextFactory.CreateDbContextAsync(cancellationToken);
var ebook = await context.Ebooks
.AsNoTracking()
.FirstOrDefaultAsync(
e => e.Id == ebookId && (userId == null || e.UserId == userId),
cancellationToken);
if (ebook == null)
{
return Result.Fail($"Ebook '{ebookId}' not found.");
}
var fullPath = ResolvePath(ebook.FilePath);
if (fullPath == null || !File.Exists(fullPath))
{
return Result.Fail("EPUB file not found.");
}
using var bookRef = await EpubReader.OpenBookAsync(fullPath);
var decodedPath = System.Net.WebUtility.UrlDecode(resourcePath);
if (decodedPath.Contains("..") || decodedPath.Contains(":") || decodedPath.StartsWith("/") || decodedPath.StartsWith("\\"))
{
return Result.Fail("Invalid resource path.");
}
decodedPath = decodedPath.Replace('\\', '/').TrimStart('/');
EpubLocalContentFileRef? targetFile = null;
if (bookRef.Content?.AllFiles?.Local != null)
{
foreach (var file in bookRef.Content.AllFiles.Local)
{
var filePath = file.FilePath?.Replace('\\', '/').TrimStart('/') ?? "";
var fileKey = file.Key?.Replace('\\', '/').TrimStart('/') ?? "";
if (filePath.Equals(decodedPath, StringComparison.OrdinalIgnoreCase) ||
fileKey.Equals(decodedPath, StringComparison.OrdinalIgnoreCase))
{
targetFile = file;
break;
}
}
}
if (targetFile != null)
{
if (targetFile is EpubLocalByteContentFileRef byteFile)
{
byte[] bytes = await byteFile.ReadContentAsync();
return Result.Ok(bytes);
}
else if (targetFile is EpubLocalTextContentFileRef textFile)
{
string text = await textFile.ReadContentAsync();
byte[] bytes = System.Text.Encoding.UTF8.GetBytes(text);
return Result.Ok(bytes);
}
}
return Result.Fail($"Resource '{resourcePath}' not found in EPUB.");
}
catch (Exception ex)
{
_logger.LogError(ex, "Failed to retrieve EPUB resource '{ResourcePath}' for ebook {EbookId}.", resourcePath, ebookId);
return Result.Fail(new Error($"Failed to retrieve EPUB resource: {ex.Message}").CausedBy(ex));
}
}
private static string RewriteImageUrls(string html, Guid ebookId, string chapterPath)
{
if (string.IsNullOrEmpty(html)) return html;
return ImageTagRegex.Replace(html, match =>
{
var rawSrc = match.Groups["src"].Value;
if (rawSrc.StartsWith("javascript:", StringComparison.OrdinalIgnoreCase))
{
return ""; // Completely block script execution in image src
}
if (rawSrc.StartsWith("http://", StringComparison.OrdinalIgnoreCase) ||
rawSrc.StartsWith("https://", StringComparison.OrdinalIgnoreCase) ||
rawSrc.StartsWith("data:", StringComparison.OrdinalIgnoreCase))
{
return match.Value;
}
var resolvedPath = ResolveRelativePath(chapterPath, rawSrc);
var rewrittenSrc = $"/api/epub/{ebookId}/resource?path={System.Net.WebUtility.UrlEncode(resolvedPath)}";
return $"{match.Groups["before"].Value}{rewrittenSrc}{match.Groups["after"].Value}";
});
}
private static string ResolveRelativePath(string basePath, string relativePath)
{
if (string.IsNullOrEmpty(relativePath)) return string.Empty;
var decodedRelative = System.Net.WebUtility.UrlDecode(relativePath);
var baseDir = Path.GetDirectoryName(basePath) ?? "";
baseDir = baseDir.Replace('\\', '/');
var combined = Path.Combine(baseDir, decodedRelative).Replace('\\', '/');
var segments = combined.Split('/');
var stack = new Stack<string>();
foreach (var segment in segments)
{
if (segment == "." || string.IsNullOrEmpty(segment))
{
continue;
}
if (segment == "..")
{
if (stack.Count > 0)
{
stack.Pop();
}
}
else
{
stack.Push(segment);
}
}
return string.Join("/", stack.Reverse());
}
private static List<string> ExtractParagraphs(string html)
{
var bodyMatch = Regex.Match(html, @"<body\b[^>]*>(.*?)</body>", RegexOptions.IgnoreCase | RegexOptions.Singleline);
var bodyMatch = BodyMatchRegex.Match(html);
var content = bodyMatch.Success ? bodyMatch.Groups[1].Value : html;
var paragraphs = new List<string>();
var matches = Regex.Matches(content, @"<(p|h[1-6]|ul|ol|blockquote|pre)\b[^>]*>.*?</\1>|<hr\b[^>]*>", RegexOptions.IgnoreCase | RegexOptions.Singleline);
var matches = ParagraphMatchRegex.Matches(content);
foreach (Match match in matches)
{
@@ -165,9 +315,20 @@ public class EpubReaderService : IEpubReader
private static string SanitizeParagraph(string html)
{
var clean = Regex.Replace(html, @"<(style|script)\b[^>]*>.*?</\1>", "", RegexOptions.IgnoreCase | RegexOptions.Singleline);
clean = Regex.Replace(clean, @"<(?!/?(b|i|strong|em|h[1-6]|p|ul|ol|li|blockquote|pre|code|br|hr)\b)[^>]+>", "", RegexOptions.IgnoreCase);
clean = Regex.Replace(clean, @"<(b|i|strong|em|h[1-6]|p|ul|ol|li|blockquote|pre|code|br|hr)\b[^>]*>", "<$1>", RegexOptions.IgnoreCase);
var clean = StyleScriptRegex.Replace(html, "");
clean = WhitelistTagsRegex.Replace(clean, "");
clean = StripAttributesRegex.Replace(clean, "<$1>");
// Securely sanitize img tags by keeping ONLY src and alt attributes to prevent XSS (onerror, onload, style, etc.)
clean = ImgTagSanitizerRegex.Replace(clean, m =>
{
var srcMatch = SrcAttributeRegex.Match(m.Value);
var altMatch = AltAttributeRegex.Match(m.Value);
var srcAttr = srcMatch.Success ? $" src=\"{srcMatch.Groups["src"].Value}\"" : "";
var altAttr = altMatch.Success ? $" alt=\"{altMatch.Groups["alt"].Value}\"" : "";
return $"<img{srcAttr}{altAttr} />";
});
clean = System.Net.WebUtility.HtmlDecode(clean);
return clean.Trim();
}