azaion/admin
1
0
Fork 0
mirror of https://github.com/azaion/admin.git synced 2026-06-21 11:11:09 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
491993f9c1e8d6cffcd08eb1ff575aad378f502f
admin/e2e/Azaion.E2E/Helpers/TestFixture.cs
T
Oleksandr Bezdieniezhnykh 491993f9c1
ci/woodpecker/push/01-test Pipeline failed
Details
ci/woodpecker/push/02-build-push unknown status
Details
[AZ-536] [AZ-537] [AZ-538] Argon2id, login rate limit + lockout, CORS https-only 
AZ-536 — replace unsalted SHA-384 password hashing with Argon2id (RFC 9106).
Stored as PHC string with 64 MiB / 3 iter / 1 lane defaults; legacy SHA-384
hashes detected by prefix and lazily re-hashed on next successful login.
Verify uses CryptographicOperations.FixedTimeEquals on both formats.

AZ-537 — add per-IP sliding window rate limit on /login (ASP.NET Core
RateLimiter, 10/60s default — production-tight) plus DB-backed per-account
limit (5/300s) and consecutive-failure lockout (10 / 15 min) on the users
row. Adds a generic audit_events table with INSERT/SELECT-only grants for
the app role so the per-account count is queryable and admins cannot erase
their own forensic trail. BusinessExceptionHandler maps AccountLocked to
423 and LoginRateLimited to 429, both with Retry-After.

AZ-538 — drop the http://admin.azaion.com origin from CORS, gate
UseHsts() + UseHttpsRedirection() to non-Development envs (1y / preload).

Test infra: Npgsql in the e2e project + a DbHelper for direct DB
inspection used by the AZ-536/537 ACs. appsettings.Development.json
raises PerIpPermitLimit to 1000 so the suite (~270 logins from one
container IP) doesn't false-trip the limiter.

Tests: 53 pass + 3 documented skips (per-IP rate limit needs distinct
client IPs; HSTS/HTTPS redirect need ASPNETCORE_ENVIRONMENT=Production).

Code review: PASS_WITH_WARNINGS — 0 Critical, 0 High, 1 Medium, 3 Low.
See _docs/03_implementation/reviews/batch_01_cycle2_review.md.

Closes AZ-530 epic batch 1 of 4.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-14 04:52:31 +03:00

78 lines
2.9 KiB
C#
Raw Blame History

using System.ComponentModel.DataAnnotations;
using System.Net.Http.Headers;
using Microsoft.Extensions.Configuration;
using Xunit;
namespace Azaion.E2E.Helpers;
public sealed class TestSettings
{
[Required] public string ApiBaseUrl { get; init; } = null!;
[Required] public string AdminEmail { get; init; } = null!;
[Required] public string AdminPassword { get; init; } = null!;
[Required] public string UploaderEmail { get; init; } = null!;
[Required] public string UploaderPassword { get; init; } = null!;
[Required] public string JwtSecret { get; init; } = null!;
[Required] public string TestDbConnectionString { get; init; } = null!;
}
public sealed class TestFixture : IAsyncLifetime
{
public HttpClient HttpClient { get; private set; } = null!;
public string AdminToken { get; private set; } = "";
public TestSettings Settings { get; private set; } = null!;
public string AdminEmail => Settings.AdminEmail;
public string AdminPassword => Settings.AdminPassword;
public string UploaderEmail => Settings.UploaderEmail;
public string UploaderPassword => Settings.UploaderPassword;
public string JwtSecret => Settings.JwtSecret;
public DbHelper Db { get; private set; } = null!;
public IConfiguration Configuration { get; private set; } = null!;
public async Task InitializeAsync()
{
Configuration = new ConfigurationBuilder()
.SetBasePath(AppContext.BaseDirectory)
.AddJsonFile("appsettings.test.json", optional: false)
.AddEnvironmentVariables()
.Build();
Settings = Configuration.Get<TestSettings>()
?? throw new InvalidOperationException("Failed to bind TestSettings from configuration.");
Validator.ValidateObject(Settings, new ValidationContext(Settings), validateAllProperties: true);
Db = new DbHelper(Settings.TestDbConnectionString);
var baseUri = new Uri(Settings.ApiBaseUrl, UriKind.Absolute);
HttpClient = new HttpClient { BaseAddress = baseUri, Timeout = TimeSpan.FromMinutes(5) };
using var loginClient = CreateApiClient();
AdminToken = await loginClient.LoginAsync(AdminEmail, AdminPassword).ConfigureAwait(false);
HttpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", AdminToken);
}
public Task DisposeAsync()
{
HttpClient.Dispose();
return Task.CompletedTask;
}
public ApiClient CreateApiClient()
{
var client = new HttpClient { BaseAddress = new Uri(Settings.ApiBaseUrl, UriKind.Absolute), Timeout = TimeSpan.FromMinutes(5) };
return new ApiClient(client, disposeClient: true);
}
public ApiClient CreateAuthenticatedClient(string token)
{
var api = CreateApiClient();
api.SetAuthToken(token);
return api;
}
}
[CollectionDefinition("E2E")]
public sealed class E2ECollection : ICollectionFixture<TestFixture>
{
}
Reference in New Issue View Git Blame Copy Permalink