711480f8f6
This pull request introduces the dedicated containerized infrastructure and configuration for deploying NexusReader's beta version in the Test environment.

### Summary of Changes

1. **Docker Infrastructure & Secrets**:
   - **`docker-compose.test.yml`**: Configured dedicated database and auxiliary services (PostgreSQL 17, Qdrant, Neo4j) on isolated, non-standard ports to ensure zero conflict with the existing server configurations.
   - **`.env.test.template`**: Provided an environment variable template showing required setups, including mandatory database passwords, API keys, and admin custom passwords.
   - **`.gitignore`**: Excluded local `.env` files to prevent accidental commits of production or staging secrets.
2. **Database Hardening**:
   - Configured Neo4j with basic authentication (`IDriver` instantiation uses basic auth when credentials are provided in configuration).
   - Configured PostgreSQL to use mandatory authentication.
   - Configured the admin seeder (`DbInitializer.cs`) to dynamically use `NEXUS_ADMIN_PASSWORD` from environment variables, falling back to a default password in local Development only.
3. **Feature-Flagged Restrictions**:
   - **`appsettings.Test.json`**: Implemented `Features:AllowRegistration` and `Features:AllowPasswordReset` flags set to `false`.
   - **Middleware Enforcement (`Program.cs`)**: Intercepts requests to `/identity/register` and `/identity/forgotPassword` (and their MVC/form variations) and rejects them with a `403 Forbidden` response in restricted environments.
   - **OAuth Provisioning Guard (`Program.cs`)**: Blocks new account provisioning via Google OAuth callback by checking the `Features:AllowRegistration` configuration, redirecting users to the login page with a descriptive error.
   - **UI Protection (`Login.razor`, `Register.razor`)**: Conditionally hides registration/password reset links and intercepts manual navigation attempts to `/account/register` by redirecting to login with a warning.

---------
Co-authored-by: Marek Jasiński <jasins.marek@gmail.com>
Reviewed-on: #56
Co-authored-by: Antigravity <antigravity@google.com>
Co-committed-by: Antigravity <antigravity@google.com>
42 lines
1.1 KiB
Bash
# ===================================================================
# NexusReader — Test Environment Variables
# ===================================================================
# Copy this file to `.env` and fill in the values before deployment:
# cp .env.test.template .env
#
# Then deploy with:
# docker compose -f docker-compose.test.yml up -d --build
# ===================================================================

# === PostgreSQL ===
POSTGRES_USER=nexus_user
POSTGRES_PASSWORD=CHANGE_ME_TO_STRONG_PASSWORD
POSTGRES_DB=nexus_test_db
POSTGRES_PORT=5433

# === Neo4j ===
NEO4J_USERNAME=neo4j
NEO4J_PASSWORD=CHANGE_ME_TO_STRONG_PASSWORD

# === Qdrant (leave empty to disable API key auth) ===
QDRANT_API_KEY=

# === Web App ===
WEB_PORT=5050

# === Google OAuth (placeholder for test) ===
GOOGLE_CLIENT_ID=placeholder
GOOGLE_CLIENT_SECRET=placeholder

# === Gemini AI (placeholder for test) ===
GOOGLE_AI_API_KEY=placeholder

# === Admin Seed Password ===
NEXUS_ADMIN_PASSWORD=CHANGE_ME

# === Non-standard ports for auxiliary services ===
QDRANT_HTTP_PORT=6343
QDRANT_GRPC_PORT=6344
NEO4J_HTTP_PORT=7484
NEO4J_BOLT_PORT=7697
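The template ships every secret as a `CHANGE_ME` placeholder, leaves `QDRANT_API_KEY` empty, and relies on the operator to fill things in before `docker compose ... up`. Nothing in the commit stops a deploy from going out with those values still in place. The script below is a pre-deployment gate added here as an example; it is not part of the NexusReader repository. It reads a `.env` produced from the template and fails if a mandatory variable is missing, if a database or admin password is still a placeholder, too short, or reused across PostgreSQL and Neo4j, and it warns when Qdrant runs without an API key or the Google integrations are still stubbed. The variable names are the template's; the script name `check_env.sh`, the 16-character minimum and the list of rejected default values are assumptions.

```shell
#!/usr/bin/env bash
# check_env.sh: pre-deployment check for a NexusReader .env created from
# .env.test.template. Added example, not part of the repository. Variable
# names are the template's; the 16-character minimum is an assumption.
# Usage: ./check_env.sh .env   (exit status 0 = safe to deploy)

# Print the value of KEY from FILE (last assignment wins, which is how
# docker compose resolves duplicates), with surrounding single or double
# quotes removed. Comments and blank lines never match. Prints nothing if
# KEY is absent.
env_value() {
  local file="$1" key="$2"
  grep -E "^[[:space:]]*${key}=" "$file" 2>/dev/null \
    | tail -n 1 \
    | sed -E "s/^[[:space:]]*${key}=//; s/^\"(.*)\"$/\1/; s/^'(.*)'$/\1/"
}

# Return 0 if FILE is safe to deploy with, 1 otherwise. All findings are
# printed so the operator sees every problem in one run.
check_env_file() {
  local file="$1" rc=0 key val
  if [ ! -r "$file" ]; then
    echo "FAIL: $file is not readable"
    return 1
  fi

  # Variables the compose file needs for the DB containers, plus the
  # password the admin seeder reads from the environment.
  for key in POSTGRES_USER POSTGRES_PASSWORD POSTGRES_DB \
             NEO4J_USERNAME NEO4J_PASSWORD NEXUS_ADMIN_PASSWORD; do
    val=$(env_value "$file" "$key")
    if [ -z "$val" ]; then
      echo "FAIL: $key is missing or empty"
      rc=1
    fi
  done

  # Secrets must not be the template placeholders or common defaults, and
  # must have some minimum length (assumed: 16 characters).
  for key in POSTGRES_PASSWORD NEO4J_PASSWORD NEXUS_ADMIN_PASSWORD; do
    val=$(env_value "$file" "$key")
    [ -z "$val" ] && continue   # already reported above
    case "$val" in
      CHANGE_ME*|placeholder|password|neo4j|postgres)
        echo "FAIL: $key still holds a placeholder/default value"
        rc=1 ;;
    esac
    if [ "${#val}" -lt 16 ]; then
      echo "FAIL: $key is shorter than 16 characters"
      rc=1
    fi
  done

  # One password for two services means one leak opens both.
  if [ -n "$(env_value "$file" POSTGRES_PASSWORD)" ] &&
     [ "$(env_value "$file" POSTGRES_PASSWORD)" = "$(env_value "$file" NEO4J_PASSWORD)" ]; then
    echo "FAIL: POSTGRES_PASSWORD and NEO4J_PASSWORD are identical"
    rc=1
  fi

  # The template allows an empty QDRANT_API_KEY (auth disabled). Qdrant is
  # published on host ports, so say so rather than silently accept it.
  if [ -z "$(env_value "$file" QDRANT_API_KEY)" ]; then
    echo "WARN: QDRANT_API_KEY is empty; Qdrant will accept unauthenticated requests"
  fi

  # Placeholder OAuth/AI keys are acceptable in Test only if the operator
  # knows those integrations will not work.
  for key in GOOGLE_CLIENT_ID GOOGLE_CLIENT_SECRET GOOGLE_AI_API_KEY; do
    [ "$(env_value "$file" "$key")" = "placeholder" ] &&
      echo "WARN: $key is still 'placeholder'; that integration will not work"
  done

  [ "$rc" -eq 0 ] && echo "OK: $file passed"
  return "$rc"
}

# Run the check only when a file argument is given on the command line.
if [ "$#" -gt 0 ]; then
  check_env_file "$1"
fi
```

Run it as the last step before `docker compose -f docker-compose.test.yml up -d --build`, or wire it into whatever deploy script calls compose so a non-zero exit aborts the deploy. Because the check works on the rendered `.env` rather than the template, it also catches a file that was copied but never edited, which is exactly the case the `CHANGE_ME` markers are meant to prevent.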