diff --git a/src/NexusReader.Data/Persistence/DbInitializer.cs b/src/NexusReader.Data/Persistence/DbInitializer.cs
index 047b2f5..fc84c56 100644
--- a/src/NexusReader.Data/Persistence/DbInitializer.cs
+++ b/src/NexusReader.Data/Persistence/DbInitializer.cs
@@ -72,8 +72,28 @@ public static class DbInitializer
 var adminPassword = configuration?["Nexus:AdminPassword"]
 ?? configuration?["NEXUS_ADMIN_PASSWORD"]
- ?? Environment.GetEnvironmentVariable("NEXUS_ADMIN_PASSWORD")
- ?? "Admin123!";
+ ?? Environment.GetEnvironmentVariable("NEXUS_ADMIN_PASSWORD");
+
+ var env = Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT")
+ ?? Environment.GetEnvironmentVariable("DOTNET_ENVIRONMENT")
+ ?? "Development";
+ var isDevelopment = string.Equals(env, "Development", StringComparison.OrdinalIgnoreCase);
+
+ if (string.IsNullOrEmpty(adminPassword))
+ {
+ if (!isDevelopment)
+ {
+ throw new InvalidOperationException(
+ "CRITICAL SECURITY ERROR: Admin password is NOT configured! " +
+ "In non-Development environments (e.g. Test/Production), the admin password must be explicitly set " +
+ "via configuration ('Nexus:AdminPassword' or 'NEXUS_ADMIN_PASSWORD') or environment variables. " +
+ "Seeding aborted to prevent insecure credentials fallback.");
+ }
+
+ Console.WriteLine("[Seeder] WARNING: Admin password is not set. Falling back to default weak password 'Admin123!' in Development environment.");
+ adminPassword = "Admin123!";
+ }
+
 adminUser.PasswordHash = passwordHasher.HashPassword(adminUser, adminPassword);
 dbContext.Users.Add(adminUser);
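Review bot: The environment lookup falls back to `"Development"` when neither `ASPNETCORE_ENVIRONMENT` nor `DOTNET_ENVIRONMENT` is set, so the new guard fails open: a deployment that leaves both unset (the .NET host itself treats that case as Production) still seeds the admin account with `Admin123!`. Default the other way, `?? "Production";`, so the weak password is reachable only when Development is set explicitly; if an `IHostEnvironment` is available to the caller, passing it in would also cover environments set by means other than these two variables. Separately, `string.IsNullOrEmpty(adminPassword)` accepts a whitespace-only value as the admin password, which `string.IsNullOrWhiteSpace(adminPassword)` would reject. The enclosing method starts and ends outside the hunk.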