feat(infra): Docker-compose configuration and environment-specific security guards for Beta deployment to Test environment (#56)
This pull request introduces the dedicated containerized infrastructure and configuration for deploying NexusReader's beta version in the Test environment. ### Summary of Changes 1. **Docker Infrastructure & Secrets**: - **`docker-compose.test.yml`**: Configured dedicated database and auxiliary services (PostgreSQL 17, Qdrant, Neo4j) on isolated, non-standard ports to ensure zero conflict with the existing server configurations. - **`.env.test.template`**: Provided an environment variable template showing required setups, including mandatory database passwords, API keys, and admin custom passwords. - **`.gitignore`**: Excluded local `.env` files to prevent accidental commits of production or staging secrets. 2. **Database Hardening**: - Configured Neo4j with basic authentication (`IDriver` instantiation uses basic auth when credentials are provided in configuration). - Configured PostgreSQL to use mandatory authentication. - Configured the admin seeder (`DbInitializer.cs`) to dynamically use `NEXUS_ADMIN_PASSWORD` from environment variables, falling back to a default password in local Development only. 3. **Feature-Flagged Restrictions**: - **`appsettings.Test.json`**: Implemented `Features:AllowRegistration` and `Features:AllowPasswordReset` flags set to `false`. - **Middleware Enforcement (`Program.cs`)**: Intercepts requests to `/identity/register` and `/identity/forgotPassword` (and their MVC/form variations) and rejects them with a `403 Forbidden` response in restricted environments. - **OAuth Provisioning Guard (`Program.cs`)**: Blocks new account provisioning via Google OAuth callback by checking the `Features:AllowRegistration` configuration, redirecting users to the login page with a descriptive error. - **UI Protection (`Login.razor`, `Register.razor`)**: Conditionally hides registration/password reset links and intercepts manual navigation attempts to `/account/register` by redirecting to login with a warning. --------- Co-authored-by: Marek Jasiński <jasins.marek@gmail.com> Reviewed-on: #56 Co-authored-by: Antigravity <antigravity@google.com> Co-committed-by: Antigravity <antigravity@google.com>
This commit was merged in pull request #56.
This commit is contained in:
@@ -0,0 +1,71 @@
|
||||
using System;
|
||||
using System.Text;
|
||||
using FluentAssertions;
|
||||
using NexusReader.UI.Shared.Services;
|
||||
using Xunit;
|
||||
|
||||
namespace NexusReader.Application.Tests.Services;
|
||||
|
||||
public class JwtTokenValidatorTests
|
||||
{
|
||||
private string CreateMockToken(long exp)
|
||||
{
|
||||
// {"alg":"HS256","typ":"JWT"}
|
||||
var header = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9";
|
||||
|
||||
var payloadJson = $"{{\"exp\":{exp}}}";
|
||||
var payloadBytes = Encoding.UTF8.GetBytes(payloadJson);
|
||||
var payload = Convert.ToBase64String(payloadBytes)
|
||||
.Replace('+', '-')
|
||||
.Replace('/', '_')
|
||||
.TrimEnd('=');
|
||||
|
||||
return $"{header}.{payload}.signature";
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void IsExpired_WithNullOrEmptyToken_ShouldReturnTrue()
|
||||
{
|
||||
JwtTokenValidator.IsExpired(null).Should().BeTrue();
|
||||
JwtTokenValidator.IsExpired("").Should().BeTrue();
|
||||
JwtTokenValidator.IsExpired(" ").Should().BeTrue();
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void IsExpired_WithMalformedToken_ShouldReturnTrue()
|
||||
{
|
||||
JwtTokenValidator.IsExpired("not.a.valid.token.format.here").Should().BeTrue();
|
||||
JwtTokenValidator.IsExpired("part1.part2").Should().BeTrue();
|
||||
JwtTokenValidator.IsExpired("justonestring").Should().BeTrue();
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void IsExpired_WithExpiredToken_ShouldReturnTrue()
|
||||
{
|
||||
// Expired 1 hour ago
|
||||
var expiredTime = DateTimeOffset.UtcNow.AddHours(-1).ToUnixTimeSeconds();
|
||||
var token = CreateMockToken(expiredTime);
|
||||
|
||||
JwtTokenValidator.IsExpired(token).Should().BeTrue();
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void IsExpired_WithValidToken_ShouldReturnFalse()
|
||||
{
|
||||
// Valid for 1 hour in the future
|
||||
var futureTime = DateTimeOffset.UtcNow.AddHours(1).ToUnixTimeSeconds();
|
||||
var token = CreateMockToken(futureTime);
|
||||
|
||||
JwtTokenValidator.IsExpired(token).Should().BeFalse();
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void IsExpired_WithTokenInsideSkewBuffer_ShouldReturnTrue()
|
||||
{
|
||||
// Expiring in 5 seconds (within the 10-second skew buffer)
|
||||
var skewTime = DateTimeOffset.UtcNow.AddSeconds(5).ToUnixTimeSeconds();
|
||||
var token = CreateMockToken(skewTime);
|
||||
|
||||
JwtTokenValidator.IsExpired(token).Should().BeTrue();
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user