Oleksandr Bezdieniezhnykh
491993f9c1
AZ-536 — replace unsalted SHA-384 password hashing with Argon2id (RFC 9106). Stored as PHC string with 64 MiB / 3 iter / 1 lane defaults; legacy SHA-384 hashes detected by prefix and lazily re-hashed on next successful login. Verify uses CryptographicOperations.FixedTimeEquals on both formats. AZ-537 — add per-IP sliding window rate limit on /login (ASP.NET Core RateLimiter, 10/60s default — production-tight) plus DB-backed per-account limit (5/300s) and consecutive-failure lockout (10 / 15 min) on the users row. Adds a generic audit_events table with INSERT/SELECT-only grants for the app role so the per-account count is queryable and admins cannot erase their own forensic trail. BusinessExceptionHandler maps AccountLocked to 423 and LoginRateLimited to 429, both with Retry-After. AZ-538 — drop the http://admin.azaion.com origin from CORS, gate UseHsts() + UseHttpsRedirection() to non-Development envs (1y / preload). Test infra: Npgsql in the e2e project + a DbHelper for direct DB inspection used by the AZ-536/537 ACs. appsettings.Development.json raises PerIpPermitLimit to 1000 so the suite (~270 logins from one container IP) doesn't false-trip the limiter. Tests: 53 pass + 3 documented skips (per-IP rate limit needs distinct client IPs; HSTS/HTTPS redirect need ASPNETCORE_ENVIRONMENT=Production). Code review: PASS_WITH_WARNINGS — 0 Critical, 0 High, 1 Medium, 3 Low. See _docs/03_implementation/reviews/batch_01_cycle2_review.md. Closes AZ-530 epic batch 1 of 4. Co-authored-by: Cursor <cursoragent@cursor.com>
Azaion Admin API — black-box E2E tests
Run (Docker)
From the repository root:
docker compose -f docker-compose.test.yml up --build --abort-on-container-exit --exit-code-from e2e-consumer
Reports are written to e2e/test-results/ on the host (results.trx, results.xunit.xml).
Database bootstrap
The stock Postgres entrypoint runs every file in /docker-entrypoint-initdb.d/ against POSTGRES_DB only. The scripts under env/db/ expect different databases (postgres vs azaion), so e2e/db-init/00_run_all.sh runs 01_permissions.sql on postgres, then 02_structure.sql, 03_add_timestamp_columns.sql, and 99_test_seed.sql on azaion. The compose file uses POSTGRES_USER=postgres so 01_permissions.sql can create roles and the azaion database as written.
99_test_seed.sql sets azaion_admin / azaion_reader passwords to test_password (matching the API connection strings) and updates seed user password hashes for Admin1234 and Upload1234.
Local dotnet test (without Docker)
appsettings.test.json targets http://system-under-test:8080. Running tests on the host will fail fixture setup unless you override ApiBaseUrl (for example via environment variables) and run the API plus Postgres yourself.