From a672a868b41124eda45dbe193a82886686eac801 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Marek=20Jasi=C5=84ski?=
Date: Mon, 1 Jun 2026 19:08:50 +0200
Subject: [PATCH] chore(infra): enforce admin password check in non-Development environments in DbInitializer

---
 .../Persistence/DbInitializer.cs | 24 +++++++++++++++++--
 1 file changed, 22 insertions(+), 2 deletions(-)

diff --git a/src/NexusReader.Data/Persistence/DbInitializer.cs b/src/NexusReader.Data/Persistence/DbInitializer.cs
index 047b2f5..fc84c56 100644
--- a/src/NexusReader.Data/Persistence/DbInitializer.cs
+++ b/src/NexusReader.Data/Persistence/DbInitializer.cs
@@ -72,8 +72,28 @@ public static class DbInitializer
 var adminPassword = configuration?["Nexus:AdminPassword"]
 ?? configuration?["NEXUS_ADMIN_PASSWORD"]
- ?? Environment.GetEnvironmentVariable("NEXUS_ADMIN_PASSWORD")
- ?? "Admin123!";
+ ?? Environment.GetEnvironmentVariable("NEXUS_ADMIN_PASSWORD");
+
+ var env = Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT")
+ ?? Environment.GetEnvironmentVariable("DOTNET_ENVIRONMENT")
+ ?? "Development";
+ var isDevelopment = string.Equals(env, "Development", StringComparison.OrdinalIgnoreCase);
+
+ if (string.IsNullOrEmpty(adminPassword))
+ {
+ if (!isDevelopment)
+ {
+ throw new InvalidOperationException(
+ "CRITICAL SECURITY ERROR: Admin password is NOT configured! " +
+ "In non-Development environments (e.g. Test/Production), the admin password must be explicitly set " +
+ "via configuration ('Nexus:AdminPassword' or 'NEXUS_ADMIN_PASSWORD') or environment variables. " +
+ "Seeding aborted to prevent insecure credentials fallback.");
+ }
+
+ Console.WriteLine("[Seeder] WARNING: Admin password is not set. Falling back to default weak password 'Admin123!' in Development environment.");
+ adminPassword = "Admin123!";
+ }
+
 adminUser.PasswordHash = passwordHasher.HashPassword(adminUser, adminPassword);
 dbContext.Users.Add(adminUser);