Merge pull request 'Hardened certificate loading' (#129) from dataprotection into master

Reviewed-on: #129

LiteCharms.Abstractions/LiteCharms.Abstractions.csproj

@@ -0,0 +1,40 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+    <SignAssembly>True</SignAssembly>
+    <AssemblyOriginatorKeyFile>..\LiteCharms.snk</AssemblyOriginatorKeyFile>
+  </PropertyGroup>
+
+  <!-- Nuget Package Details -->
+  <PropertyGroup>
+    <PackageId>LiteCharms.Abstractions</PackageId>
+    <Version>1.0.20</Version>
+    <Authors>Khwezi Mngoma</Authors>
+    <Company>Lite Charms (PTY) Ltd</Company>
+    <Description>Shared abstractions for Lite Charms applications.</Description>
+    <PackageProjectUrl>https://gitea.khongisa.co.za/litecharms/components</PackageProjectUrl>
+    <RepositoryUrl>https://gitea.khongisa.co.za/litecharms/components.git</RepositoryUrl>
+    <RepositoryType>git</RepositoryType>
+    <PackageLicenseFile>LICENSE</PackageLicenseFile>
+    <PackageTags>utility;dotnet</PackageTags>
+    <PackageIcon>icon.png</PackageIcon>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <None Include="..\LICENSE" Pack="true" PackagePath="\" />
+    <None Include="..\icon.png" Pack="true" PackagePath="\" />
+  </ItemGroup>
+  
+  <ItemGroup>
+    <PackageReference Include="FluentResults" Version="4.0.0" />
+    <PackageReference Include="Mediator.Abstractions" Version="3.0.2" />
+
+    <Using Include="Mediator" />
+    <Using Include="FluentResults" />
+    <Using Include="System.Threading.Channels" />
+  </ItemGroup>
+
+</Project>

LiteCharms.Entities/LiteCharms.Entities.csproj

@@ -0,0 +1,45 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+    <SignAssembly>True</SignAssembly>
+    <AssemblyOriginatorKeyFile>..\LiteCharms.snk</AssemblyOriginatorKeyFile>
+  </PropertyGroup>
+
+  <!-- Nuget Package Details -->
+  <PropertyGroup>
+    <PackageId>LiteCharms.Entities</PackageId>
+    <Version>1.0.20</Version>
+    <Authors>Khwezi Mngoma</Authors>
+    <Company>Lite Charms (PTY) Ltd</Company>
+    <Description>Shared entities for Lite Charms applications.</Description>
+    <PackageProjectUrl>https://gitea.khongisa.co.za/litecharms/components</PackageProjectUrl>
+    <RepositoryUrl>https://gitea.khongisa.co.za/litecharms/components.git</RepositoryUrl>
+    <RepositoryType>git</RepositoryType>
+    <PackageLicenseFile>LICENSE</PackageLicenseFile>
+    <PackageTags>utility;dotnet</PackageTags>
+    <PackageIcon>icon.png</PackageIcon>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <None Include="..\LICENSE" Pack="true" PackagePath="\"/>
+    <None Include="..\icon.png" Pack="true" PackagePath="\" />
+  </ItemGroup>
+
+  <!-- Database -->
+  <ItemGroup>
+    <PackageReference Include="Microsoft.EntityFrameworkCore" Version="10.0.7" />    
+    <PackageReference Include="Microsoft.EntityFrameworkCore.Relational" Version="10.0.7" />    
+
+    <!-- Global Usings -->    
+    <Using Include="Microsoft.EntityFrameworkCore" />
+    <Using Include="Microsoft.EntityFrameworkCore.Metadata.Builders" />
+  </ItemGroup>
+
+  <ItemGroup>
+    <ProjectReference Include="..\LiteCharms.Models\LiteCharms.Models.csproj" />
+  </ItemGroup>
+
+</Project>

LiteCharms.Features.MidrandBooks.Seed/LiteCharms.Features.MidrandBooks.Seed.csproj

@@ -11,7 +11,7 @@
   <!-- Quartz Scheduler-->
   <ItemGroup>
     <PackageReference Include="Bogus" Version="35.6.5" />
-    <PackageReference Include="Meziantou.Analyzer" Version="3.0.102">
+    <PackageReference Include="Meziantou.Analyzer" Version="3.0.103">
       <PrivateAssets>all</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>
@@ -116,8 +116,8 @@
 
   <!-- Amazon S3 SDK -->
   <ItemGroup>
-    <PackageReference Include="AWSSDK.Extensions.NetCore.Setup" Version="4.0.4.6" />
+    <PackageReference Include="AWSSDK.Extensions.NetCore.Setup" Version="4.0.4.7" />
-    <PackageReference Include="AWSSDK.S3" Version="4.0.24.3" />
+    <PackageReference Include="AWSSDK.S3" Version="4.0.24.4" />
     <ProjectReference Include="..\LiteCharms.Features\LiteCharms.Features.csproj" />
 
     <!-- global Usings -->

LiteCharms.Features.MidrandBooks/AuthorBooks/BooksService.cs

@@ -58,6 +58,30 @@ public sealed class BooksService(IDbContextFactory<MidrandBooksDbContext> contex
         }
     }
 
+    public async ValueTask<Result<AuthorBook>> GetBookByProductIdAsync(long productId, CancellationToken cancellationToken = default)
+    {
+        try
+        {
+            await using var context = await contextFactory.CreateDbContextAsync(cancellationToken);
+
+            var book = await context.Books
+                .AsNoTracking()
+                .Include(b => b.Author)
+                .Include(b => b.Product)
+                    .ThenInclude(b => b!.Prices)
+                .Include(b => b.Pages)
+                .FirstOrDefaultAsync(b => b.ProductId == productId, cancellationToken);
+
+            return book is null
+                ? Result.Fail<AuthorBook>(new Error($"Book with product ID {productId} not found"))
+                : Result.Ok(book.ToModel());
+        }
+        catch (Exception ex)
+        {
+            return Result.Fail<AuthorBook>(new Error(ex.Message).CausedBy(ex));
+        }
+    }
+
     public async ValueTask<Result<AuthorBook>> GetBookAsync(long bookId, CancellationToken cancellationToken = default)
     {
         try

LiteCharms.Features.MidrandBooks/Customers/CustomerService.cs

@@ -334,6 +334,28 @@ public sealed class CustomerService(IDbContextFactory<MidrandBooksDbContext> con
         }
     }
 
+    public async ValueTask<Result<Customer>> GetCustomerAsync(string email, CancellationToken cancellationToken = default)
+    {
+        try
+        {
+            await using var context = await contextFactory.CreateDbContextAsync(cancellationToken);
+
+            var customer = await context.Customers
+                .AsNoTracking()
+                .Include(c => c.Contacts)
+                .Include(c => c.Addresses)
+                .FirstOrDefaultAsync(c => c.Email == email, cancellationToken);
+
+            return customer is not null
+                ? Result.Ok(customer.ToModel())
+                : Result.Fail<Customer>(new Error($"Customer with email '{email}' does not exist."));
+        }
+        catch (Exception ex)
+        {
+            return Result.Fail<Customer>(new Error(ex.Message).CausedBy(ex));
+        }
+    }
+
     public async ValueTask<Result<Customer>> GetCustomerAsync(long customerId, CancellationToken cancellationToken = default)
     {
         try

LiteCharms.Features.MidrandBooks/Customers/Entities/CustomerConfiguration.cs

@@ -12,8 +12,8 @@ public sealed class CustomerConfiguration : IEntityTypeConfiguration<Customer>
         builder.Property(c => c.Company).IsRequired(false);
         builder.Property(c => c.VatNumber).IsRequired(false);
         builder.Property(c => c.Email).IsRequired();
-        builder.Property(c => c.Phone).IsRequired();
+        builder.Property(c => c.Phone).IsRequired(false);
-        builder.Property(c => c.Website).IsRequired();
+        builder.Property(c => c.Website).IsRequired(false);
         builder.Property(c => c.Enabled).HasDefaultValue(true);
 
         builder.OwnsMany(f => f.SocialMedia, b => { b.ToJson(); });

LiteCharms.Features.MidrandBooks/Extensions/Shop.cs

@@ -1,11 +1,12 @@
 using LiteCharms.Features.Abstractions;
+using LiteCharms.Features.Browser;
 using LiteCharms.Features.MidrandBooks.Abstractions;
 
 namespace LiteCharms.Features.MidrandBooks.Extensions;
 
 public static class Shop
 {
-    public static IServiceCollection AddShopServices(this IServiceCollection services)
+    public static IServiceCollection AddShopServices(this IServiceCollection services, bool includeLocalStorage = false)
     {
         var serviceType = typeof(IService);
 
@@ -19,6 +20,9 @@ public static class Shop
 
         foreach (var coreImplementation in coreImplementations) services.AddScoped(coreImplementation);
 
+        if (includeLocalStorage)
+            services.AddScoped<LocalStorageService>();
+
         return services;
     }
 }

LiteCharms.Features.MidrandBooks/LiteCharms.Features.MidrandBooks.csproj

@@ -32,7 +32,7 @@
   <!-- Quartz Scheduler-->
   <ItemGroup>
     <PackageReference Include="Humanizer" Version="3.0.10" />
-    <PackageReference Include="Meziantou.Analyzer" Version="3.0.102">
+    <PackageReference Include="Meziantou.Analyzer" Version="3.0.103">
       <PrivateAssets>all</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>
@@ -136,8 +136,8 @@
 
   <!-- Amazon S3 SDK -->
   <ItemGroup>
-    <PackageReference Include="AWSSDK.Extensions.NetCore.Setup" Version="4.0.4.6" />
+    <PackageReference Include="AWSSDK.Extensions.NetCore.Setup" Version="4.0.4.7" />
-    <PackageReference Include="AWSSDK.S3" Version="4.0.24.3" />
+    <PackageReference Include="AWSSDK.S3" Version="4.0.24.4" />
     <ProjectReference Include="..\LiteCharms.Features\LiteCharms.Features.csproj" />
 
     <!-- global Usings -->
@@ -148,6 +148,7 @@
 
   <!-- Shared Usings -->
   <ItemGroup>
+    <Using Include="Microsoft.AspNetCore.Http" />
     <Using Include="System.Net.Sockets" />
     <Using Include="System.Text.RegularExpressions" />
     <Using Include="System.Web" />

LiteCharms.Features.MidrandBooks/Orders/OrderService.cs

@@ -164,6 +164,27 @@ public sealed class OrderService(IDbContextFactory<MidrandBooksDbContext> contex
     public async ValueTask<Result> CancelOrderAsync(long orderId, CancellationToken cancellationToken = default) =>
         await UpdateOrderStatusAsync(orderId, OrderStatus.Cancelled, cancellationToken);
 
+    public async ValueTask<Result<Order>> GetPendingOrderAsync(long customerId, CancellationToken cancellationToken = default)
+    {
+        try
+        {
+            await using var context = await contextFactory.CreateDbContextAsync(cancellationToken);
+
+            var order = await context.Orders.AsNoTracking()
+                .Where(o => o.Status == OrderStatus.Pending && o.CustomerId == customerId)
+                .OrderByDescending(o => o.Id)
+                .FirstOrDefaultAsync(cancellationToken);
+
+            return order is not null
+                ? Result.Ok(order.ToModel())
+                : Result.Fail<Order>("Order not found.");
+        }
+        catch (Exception ex)
+        {
+            return Result.Fail<Order>(new Error(ex.Message).CausedBy(ex));
+        }
+    }
+
     public async ValueTask<Result<Order>> GetOrderAsync(long orderId, CancellationToken cancellationToken = default)
     {
         try

LiteCharms.Features.MidrandBooks/Payments/CartService.cs

@@ -1,5 +1,4 @@
-using LiteCharms.Features.Abstractions;
+using LiteCharms.Features.Browser;
-using LiteCharms.Features.Browser;
 using LiteCharms.Features.Hasher;
 using LiteCharms.Features.MidrandBooks.Authors.Models;
 using LiteCharms.Features.MidrandBooks.Payments.Models;
@@ -7,7 +6,7 @@ using LiteCharms.Features.MidrandBooks.Products.Models;
 
 namespace LiteCharms.Features.MidrandBooks.Payments;
 
-public sealed class CartService(LocalStorageService localStorage) : IService
+public sealed class CartService(LocalStorageService localStorage)
 {
     private readonly string CartStorageKey = HashService.ToMd5Hash(nameof(Cart)).Value;
 

LiteCharms.Features.MidrandBooks/Payments/Events/Handlers/PayfastPaymentConfirmationReceivedEventHandler.cs

@@ -1,16 +1,13 @@
 using LiteCharms.Features.Hasher;
-using LiteCharms.Features.Hasher.Configuration;
 using LiteCharms.Features.Mediator;
 using LiteCharms.Features.MidrandBooks.Orders;
 using LiteCharms.Features.MidrandBooks.Payments.Models;
 
 namespace LiteCharms.Features.MidrandBooks.Payments.Events.Handlers;
 
-public sealed class PayfastPaymentConfirmationReceivedEventHandler(IServiceProvider services, IOptions<HasherSettings> hasherOptions, ILogger<PayfastPaymentConfirmationReceivedEvent> logger) :
+public sealed class PayfastPaymentConfirmationReceivedEventHandler(IServiceProvider services, ILogger<PayfastPaymentConfirmationReceivedEvent> logger) :
     INotificationHandler<PayfastPaymentConfirmationReceivedEvent>
 {
-    private readonly HasherSettings hasherSettings = hasherOptions.Value;
-
     public async ValueTask Handle(PayfastPaymentConfirmationReceivedEvent notification, CancellationToken cancellationToken)
     {
         using var activity = MediatorTelemetry.Source.StartActivity($"Quartz: {typeof(PayfastPaymentConfirmationReceivedEvent).Name}");
@@ -22,83 +19,34 @@ public sealed class PayfastPaymentConfirmationReceivedEventHandler(IServiceProvi
         var paymentService = scope.ServiceProvider.GetRequiredService<PaymentService>();
         var payfastService = scope.ServiceProvider.GetRequiredService<PayfastService>();
 
-        var payload = notification.Payload ?? throw new Exception("Payload metadata context context is null.");
+        var payload = notification.Payload ?? throw new Exception("Payload metadata context is null.");
 
-        var dict = payload.ToParamDictionary();
+        var hashResult = hashService.DecodeLongIdHash(payload.MerchantPaymentId!);
-        var localSignature = PayfastService.GenerateSignature(dict, hasherSettings.PayfastPassphrase);
+        if (hashResult.IsFailed) throw new Exception("Failed to decode application tracking hash key identifier.");
 
-        if (localSignature.IsFailed)
+        var orderResult = await orderService.GetOrderAsync(hashResult.Value, cancellationToken);
-            throw new Exception("Failed to generate local signature for incoming webhook payload.");
+        if (orderResult.IsFailed) throw new Exception("Target system order entity context cannot be traced.");
 
-        if (!string.Equals(localSignature.Value, payload.Signature, StringComparison.OrdinalIgnoreCase))
+        var paymentResult = await paymentService.GetOrderPaymentAsync(orderResult.Value.Id, cancellationToken);
+        if (paymentResult.IsFailed) throw new Exception("Target payment ledger entity cannot be resolved.");
+
+        var isAlreadyProcessed = await paymentService.HasLedgerEntryAsync(orderResult.Value.Id, paymentResult.Value.Id, cancellationToken);
+        if (isAlreadyProcessed.Value)
         {
-            logger.LogCritical("Incoming webhook signature verification failed. Possible payload tampering.");
+            logger.LogWarning("Webhook reference token '{Ref}' already verified. Skipping processing routines.", payload.MerchantPaymentId);
 
             return;
         }
 
-        var hashResult = hashService.DecodeLongIdHash(payload.MerchantPaymentId!);
+        var isAmountValid = payfastService.ValidatePaymentAmount(orderResult.Value.Total, payload.AmountGross);
-
+        if (!isAmountValid.Value)
-        if (hashResult.IsFailed) throw new Exception("Failed to decode application tracking hash key identifier.");
+            throw new Exception("Security validation exception: Transaction cost variance bounds breached (Price Tampering Detected).");
-
-        var orderResult = await orderService.GetOrderAsync(hashResult.Value, cancellationToken);
-
-        if (orderResult.IsFailed) throw new Exception("Target system order entity context cannot be traced.");
-
-        var paymentResult = await paymentService.GetOrderPaymentAsync(orderResult.Value.Id, cancellationToken);
-
-        if (paymentResult.IsFailed) throw new Exception("Target payment ledger entity cannot be resolved.");
 
         decimal.TryParse(payload.AmountGross, CultureInfo.InvariantCulture, out var gross);
         decimal.TryParse(payload.AmountFee, CultureInfo.InvariantCulture, out var fee);
         decimal.TryParse(payload.AmountNet, CultureInfo.InvariantCulture, out var net);
         string status = payload.PaymentStatus ?? "UNKNOWN";
 
-        var isAlreadyProcessed = await paymentService.HasLedgerEntryAsync(orderResult.Value.Id, paymentResult.Value.Id, cancellationToken);
-
-        if (isAlreadyProcessed.Value)
-        {
-            logger.LogWarning("Webhook reference token '{Ref}' already verified. Skipping validation routines.", payload.MerchantPaymentId);
-
-            return;
-        }
-
-        if (notification.PerformBackgroundChecks)
-        {
-            var isHostValid = await payfastService.ValidateReferrerIpAsync(notification.RemoteIpAddress!, notification.AllowLoopback, cancellationToken);
-
-            if (isHostValid.IsFailed)
-                throw new Exception("Security validation exception: Webhook packet source address failed cluster validation checks.");
-
-            if (!isHostValid.Value)
-                throw new Exception("Security validation exception: Webhook packet source address failed cluster validation checks.");
-
-            var isAmountValid = payfastService.ValidatePaymentAmount(orderResult.Value.Total, payload.AmountGross);
-
-            if (!isAmountValid.Value)
-                throw new Exception("Security validation exception: Transaction cost variance bounds breached.");
-
-            var paramList = new List<string>();
-
-            foreach (var kvp in dict)
-            {
-                if (!string.IsNullOrEmpty(kvp.Value))
-                {
-                    string encoded = HttpUtility.UrlEncode(kvp.Value.Trim());
-
-                    string safeValue = PayfastService.PercentEncodingRegex.Replace(encoded, m => m.Value.ToLowerInvariant());
-                    paramList.Add($"{kvp.Key}={safeValue}");
-                }
-            }
-
-            string rawParamString = string.Join("&", paramList);
-
-            var serverConfirmation = await payfastService.ValidateServerConfirmationAsync(rawParamString, isSandbox: true, cancellationToken);
-
-            if (serverConfirmation.IsFailed)
-                throw new Exception("Security validation exception: Payfast central handshake server rejected payload legitimacy.");
-        }
-
         await payfastService.WriteLedgerEntryAsync(new CreateGatewayLedgerEntry
         {
             OrderId = orderResult.Value.Id,
@@ -118,47 +66,39 @@ public sealed class PayfastPaymentConfirmationReceivedEventHandler(IServiceProvi
             {
                 OrderId = orderResult.Value.Id,
                 PaymentId = paymentResult.Value.Id,
-                PaymentGatewayReference = payload.PaymentId!,
+                PaymentGatewayReference = payload.MerchantPaymentId!,
                 Status = LedgerStatuses.Completed,
                 CustomerId = orderResult.Value.CustomerId,
             }, cancellationToken);
 
-            if (ledgerWriteResult.IsFailed)
+            if (ledgerWriteResult.IsFailed) throw new Exception("Failed to write ledger entry for payment confirmation.");
-                throw new Exception("Failed to write ledger entry for payment confirmation.");
 
             var completePaymentResult = await paymentService.CompletePaymentAsync(paymentResult.Value.Id, PaymentStatuses.Paid, cancellationToken);
-
+            if (completePaymentResult.IsFailed) throw new Exception("Failed to update payment status to 'Paid'.");
-            if (completePaymentResult.IsFailed)
-                throw new Exception("Failed to update payment status to 'Paid' for payment confirmation.");
 
             var updateOrderResult = await orderService.UpdateOrderStatusAsync(orderResult.Value.Id, OrderStatus.Completed, cancellationToken);
-
+            if (updateOrderResult.IsFailed) throw new Exception("Failed to update order status to 'Completed'.");
-            if (updateOrderResult.IsFailed)
-                throw new Exception("Failed to update order status to 'Completed' for payment confirmation.");
 
             logger.LogInformation("Order payment verified secure and cleared successfully.");
         }
         else
         {
-            LedgerStatuses ledgerStatus;
+            LedgerStatuses ledgerStatus = status.Equals("CANCELLED", StringComparison.OrdinalIgnoreCase)
+                ? LedgerStatuses.Cancelled
+                : LedgerStatuses.Failed;
 
-            if (status.Equals("CANCELLED", StringComparison.OrdinalIgnoreCase))
+            await paymentService.WriteLedgerEntryAsync(new CreateLedgerEntry
-                ledgerStatus = LedgerStatuses.Cancelled;
-            else
-                ledgerStatus = LedgerStatuses.Failed;
-
-            var ledgerWriteResult = await paymentService.WriteLedgerEntryAsync(new CreateLedgerEntry
             {
                 OrderId = orderResult.Value.Id,
                 PaymentId = paymentResult.Value.Id,
-                PaymentGatewayReference = payload.PaymentId!,
+                PaymentGatewayReference = payload.MerchantPaymentId!,
                 Status = ledgerStatus,
                 CustomerId = orderResult.Value.CustomerId,
             }, cancellationToken);
 
-            logger.LogInformation("Webhook validation pipeline passed checks successfully, logged entry to ledger with status: {Status}", status);
+            logger.LogInformation("Webhook pipeline logged non-success entry to ledger with status: {Status}", status);
         }
-        activity?.SetStatus(ActivityStatusCode.Ok);
 
+        activity?.SetStatus(ActivityStatusCode.Ok);
     }
 }

LiteCharms.Features.MidrandBooks/Payments/PayfastService.cs

@@ -1,4 +1,5 @@
 using LiteCharms.Features.Abstractions;
+using LiteCharms.Features.Api.Configuration;
 using LiteCharms.Features.Hasher;
 using LiteCharms.Features.MidrandBooks.Payments.Models;
 using LiteCharms.Features.MidrandBooks.Postgres;
@@ -6,13 +7,11 @@ using LiteCharms.Features.MidrandBooks.Postgres;
 namespace LiteCharms.Features.MidrandBooks.Payments;
 
 public sealed partial class PayfastService(IDbContextFactory<MidrandBooksDbContext> contextFactory, 
-    ILogger<PayfastService> logger, IHttpClientFactory httpClientFactory, IConfiguration configuration) : IService
+    IOptions<PayfastSettings> payfastOptions, ILogger<PayfastService> logger, IHttpClientFactory httpClientFactory) : IService
 {
     [GeneratedRegex(@"%[0-9A-Fa-f]{2}", RegexOptions.None, matchTimeoutMilliseconds: 1000)]
     public static partial Regex PercentEncodingRegex { get; }
 
-    public readonly string[] ValidHosts = configuration.GetSection("ValidPayfastHosts").Get<string[]>() ?? [];
-
     public async ValueTask<Result<long>> WriteLedgerEntryAsync(CreateGatewayLedgerEntry request, CancellationToken cancellationToken = default)
     {
         try
@@ -49,8 +48,44 @@ public sealed partial class PayfastService(IDbContextFactory<MidrandBooksDbConte
         }
     }
 
+    public static bool VerifyIncomingSignatureFromForm(IFormCollection formCollection, string passphrase)
+    {
+        var sortedFields = new Dictionary<string, string>(StringComparer.Ordinal);
+
+        foreach (var field in formCollection)
+        {
+            sortedFields.Add(field.Key, field.Value.ToString());
+        }
+
+        if (!sortedFields.TryGetValue("signature", out var incomingSignature)) return false;
+
+        var stringBuilder = new StringBuilder();
+
+        foreach (var key in sortedFields.Keys)
+        {
+            if (key.Equals("signature", StringComparison.OrdinalIgnoreCase)) continue;
+
+            string encodedVal = HttpUtility.UrlEncode(sortedFields[key].Trim());
+            string cleanVal = PercentEncodingRegex.Replace(encodedVal, m => m.Value.ToUpperInvariant());
+
+            stringBuilder.Append($"{key}={cleanVal}&");
+        }
+
+        string encodedPassphrase = HttpUtility.UrlEncode(passphrase.Trim());
+        string safePassphrase = PercentEncodingRegex.Replace(encodedPassphrase, m => m.Value.ToUpperInvariant());
+
+        stringBuilder.Append($"passphrase={safePassphrase}");
+
+        string generatedSignature = HashService.ToMd5Hash(stringBuilder.ToString()).Value;
+
+        return incomingSignature.Equals(generatedSignature, StringComparison.OrdinalIgnoreCase);
+    }
+
     public async ValueTask<Result<bool>> ValidateReferrerIpAsync(string remoteIpAddress, bool allowLoopback = false, CancellationToken cancellationToken = default)
     {
+        if(payfastOptions.Value?.ValidHosts?.Length == 0)
+            return Result.Fail<bool>("Valid payfast hosts not configured.");
+
         if (string.IsNullOrWhiteSpace(remoteIpAddress)) 
             return Result.Fail<bool>("Remote IP address is null or whitespace.");
 
@@ -58,7 +93,7 @@ public sealed partial class PayfastService(IDbContextFactory<MidrandBooksDbConte
         {
             var validIps = new HashSet<IPAddress>();
 
-            foreach (var host in ValidHosts)
+            foreach (var host in payfastOptions.Value!.ValidHosts!)
             {
                 try
                 {
@@ -145,33 +180,66 @@ public sealed partial class PayfastService(IDbContextFactory<MidrandBooksDbConte
     {
         var pfOutput = new StringBuilder();
 
-        foreach (var kvp in data)
+        var mandatorySequence = GetPayfastMandatoryFieldSequence();
+
+        foreach (string key in mandatorySequence)
         {
-            if (string.IsNullOrEmpty(kvp.Value))
+            if (data.TryGetValue(key, out string? rawValue) && !string.IsNullOrEmpty(rawValue))
-                continue;
+            {
+                string encodedVal = HttpUtility.UrlEncode(rawValue.Trim());
+                string val = PercentEncodingRegex.Replace(encodedVal, m => m.Value.ToUpperInvariant());
 
-            string key = kvp.Key;
+                pfOutput.Append($"{key}={val}&");
-
+            }
-            string encodedVal = HttpUtility.UrlEncode(kvp.Value.Trim());
-
-            string val = PercentEncodingRegex.Replace(encodedVal, m => m.Value.ToLowerInvariant());
-
-            pfOutput.Append($"{key}={val}&");
         }
 
-        string getString = pfOutput.Length > 0
+        var getString = pfOutput.Length > 0
             ? pfOutput.ToString()[..^1]
             : string.Empty;
 
         if (!string.IsNullOrWhiteSpace(passPhrase))
         {
             string encodedPassphrase = HttpUtility.UrlEncode(passPhrase.Trim());
-
+            string safePassphrase = PercentEncodingRegex.Replace(encodedPassphrase, m => m.Value.ToUpperInvariant());
-            string safePassphrase = PercentEncodingRegex.Replace(encodedPassphrase, m => m.Value.ToLowerInvariant());
 
             getString += $"&passphrase={safePassphrase}";
         }
 
         return HashService.ToMd5Hash(getString);
-    }    
+    }
+
+    private static string[] GetPayfastMandatoryFieldSequence() =>
+        [
+            "merchant_id",
+            "merchant_key",
+            "return_url",
+            "cancel_url",
+            "notify_url",
+            "name_first",
+            "name_last",
+            "email_address",
+            "cell_number",
+            "m_payment_id",
+            "amount",
+            "item_name",
+            "item_description",
+            "custom_int1",
+            "custom_int2",
+            "custom_int3",
+            "custom_int4",
+            "custom_int5",
+            "custom_str1",
+            "custom_str2",
+            "custom_str3",
+            "custom_str4",
+            "custom_str5",
+            "email_confirmation",
+            "confirmation_address",
+            "payment_method",
+            "subscription_type",
+            "billing_date",
+            "recurring_amount",
+            "frequency",
+            "cycles"
+        ];
 }

LiteCharms.Features.MidrandBooks/Payments/PaymentService.cs

@@ -123,8 +123,7 @@ public sealed class PaymentService(IDbContextFactory<MidrandBooksDbContext> cont
             await using var context = await contextFactory.CreateDbContextAsync(cancellationToken);
 
             var exists = await context.Ledger.AnyAsync(l =>
-                l.OrderId == orderId &&
+                l.OrderId == orderId && l.PaymentId == paymentId && l.Status == LedgerStatuses.Completed, cancellationToken);
-                l.PaymentId == paymentId, cancellationToken);
 
             return Result.Ok(exists);
         }
@@ -162,7 +161,8 @@ public sealed class PaymentService(IDbContextFactory<MidrandBooksDbContext> cont
                 CustomerId = request.CustomerId,
                 OrderId = request.OrderId,
                 PaymentId = request.PaymentId,
-                Status = request.Status,
+                MerchantPaymentId = request.PaymentGatewayReference,
+                Status = request.Status,                
             });
 
             return await context.SaveChangesAsync(cancellationToken) > 0

LiteCharms.Features.MidrandBooks/Postgres/Migrations/20260612210020_OnlyEmailIsMandatoryOnCustomer.cs

@@ -0,0 +1,54 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace LiteCharms.Features.MidrandBooks.Postgres.Migrations
+{
+    /// <inheritdoc />
+    public partial class OnlyEmailIsMandatoryOnCustomer : Migration
+    {
+        /// <inheritdoc />
+        protected override void Up(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.AlterColumn<string>(
+                name: "Website",
+                table: "Customers",
+                type: "text",
+                nullable: true,
+                oldClrType: typeof(string),
+                oldType: "text");
+
+            migrationBuilder.AlterColumn<string>(
+                name: "Phone",
+                table: "Customers",
+                type: "text",
+                nullable: true,
+                oldClrType: typeof(string),
+                oldType: "text");
+        }
+
+        /// <inheritdoc />
+        protected override void Down(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.AlterColumn<string>(
+                name: "Website",
+                table: "Customers",
+                type: "text",
+                nullable: false,
+                defaultValue: "",
+                oldClrType: typeof(string),
+                oldType: "text",
+                oldNullable: true);
+
+            migrationBuilder.AlterColumn<string>(
+                name: "Phone",
+                table: "Customers",
+                type: "text",
+                nullable: false,
+                defaultValue: "",
+                oldClrType: typeof(string),
+                oldType: "text",
+                oldNullable: true);
+        }
+    }
+}

LiteCharms.Features.MidrandBooks/Postgres/Migrations/MidrandBooksDbContextModelSnapshot.cs

@@ -17,7 +17,7 @@ namespace LiteCharms.Features.MidrandBooks.Postgres.Migrations
         {
 #pragma warning disable 612, 618
             modelBuilder
-                .HasAnnotation("ProductVersion", "10.0.8")
+                .HasAnnotation("ProductVersion", "10.0.9")
                 .HasAnnotation("Relational:MaxIdentifierLength", 63);
 
             NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
@@ -309,7 +309,6 @@ namespace LiteCharms.Features.MidrandBooks.Postgres.Migrations
                         .HasDefaultValue(true);
 
                     b.Property<string>("Phone")
-                        .IsRequired()
                         .HasColumnType("text");
 
                     b.Property<DateTime?>("UpdatedAt")
@@ -321,7 +320,6 @@ namespace LiteCharms.Features.MidrandBooks.Postgres.Migrations
                         .HasColumnType("text");
 
                     b.Property<string>("Website")
-                        .IsRequired()
                         .HasColumnType("text");
 
                     b.HasKey("Id");

LiteCharms.Features.TechShop/LiteCharms.Features.TechShop.csproj

@@ -136,8 +136,8 @@
 
   <!-- Amazon S3 SDK -->
   <ItemGroup>
-    <PackageReference Include="AWSSDK.Extensions.NetCore.Setup" Version="4.0.4.6" />
+    <PackageReference Include="AWSSDK.Extensions.NetCore.Setup" Version="4.0.4.7" />
-    <PackageReference Include="AWSSDK.S3" Version="4.0.24.3" />
+    <PackageReference Include="AWSSDK.S3" Version="4.0.24.4" />
     <ProjectReference Include="..\LiteCharms.Features\LiteCharms.Features.csproj" />
 
     <!-- global Usings -->

LiteCharms.Features.Tests.Common/Fixture.cs

@@ -36,6 +36,7 @@ public class Fixture : IDisposable
             .AddHashServices(Configuration)
             .AddLiteCharmsApiSecurity(Configuration)
             .AddSecurityApiSdk(Configuration)
+            .AddPayfastServices(Configuration)
             .BuildServiceProvider(); ;
 
         Mediator = Services.GetRequiredService<IMediator>();

LiteCharms.Features.Tests.Common/LiteCharms.Features.Tests.Common.csproj

@@ -12,11 +12,7 @@
     <PackageReference Include="coverlet.collector" Version="10.0.1">
       <PrivateAssets>all</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
-    </PackageReference>
+    </PackageReference>    
-    <PackageReference Include="Mediator.SourceGenerator" Version="3.0.2">
-      <PrivateAssets>all</PrivateAssets>
-      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
-    </PackageReference>
     <PackageReference Include="Microsoft.NET.Test.Sdk" Version="18.6.0" />
     <PackageReference Include="xunit" Version="2.9.3" />
     <PackageReference Include="xunit.runner.visualstudio" Version="3.1.5">

LiteCharms.Features.Tests.Common/appsettings.json

@@ -1,22 +1,23 @@
 {
+  "PayfastSettings": {
+    "CheckoutUrl": "https://sandbox.payfast.co.za/eng/process",
+    "ValidHosts": [
+      "www.payfast.co.za",
+      "sandbox.payfast.co.za",
+      "ips.payfast.co.za",
+      "api.payfast.co.za",
+      "payment.payfast.io"
+    ]
+  },
   "LiteCharmsSettings": {
     "Authority": "https://sts.security.khongisa.co.za",
     "Audience": "midrandbooks-api"
   },
   "LiteCharmsClientSettings": {
-    "Authority": "https://sts.security.khongisa.co.za",    
+    "Authority": "https://sts.security.khongisa.co.za",
     "GrantType": "client_credentials",
     "Scope": "midrandbooks-api"
   },
-  "ValidPayfastHosts": [
-    "www.payfast.co.za",
-    "sandbox.payfast.co.za",
-    "w1w.payfast.co.za",
-    "w2w.payfast.co.za",
-    "ips.payfast.co.za",
-    "api.payfast.co.za",
-    "payment.payfast.io"
-  ],
   "HasherSettings": {
     "MinHashLength": 11
   },

LiteCharms.Features.Tests/LiteCharms.Features.Tests.csproj

@@ -31,6 +31,7 @@
     <Using Include="System.Text" />
     <Using Include="Mediator" />
     <Using Include="Xunit.Abstractions" />
+    <Using Include="Microsoft.Extensions.Options" />
     <Using Include="Microsoft.Extensions.DependencyInjection" />
     <Using Include="Microsoft.Extensions.Configuration" />
   </ItemGroup>

LiteCharms.Features.Tests/PayfastFeatureTests.cs

@@ -0,0 +1,18 @@
+using LiteCharms.Features.Api.Configuration;
+using LiteCharms.Features.Tests.Common;
+
+namespace LiteCharms.Features.Tests;
+
+public sealed class PayfastFeatureTests(Fixture fixture) : IClassFixture<Fixture>
+{
+    private readonly PayfastSettings payfastSettings = fixture.Services.GetRequiredService<IOptions<PayfastSettings>>().Value;
+
+    [IntegrationFact]
+    public void PayfastSettings_ShouldFail_IfNotLoaded()
+    {
+        Assert.NotEmpty(payfastSettings.CheckoutUrl!);
+        Assert.NotEmpty(payfastSettings.MerchantId!);
+        Assert.NotEmpty(payfastSettings.MerchantKey!);
+        Assert.NotEmpty(payfastSettings.Passphrase!);
+    }
+}

LiteCharms.Features.Tests/http/midrandshop-api/http-client.env.json

@@ -0,0 +1,17 @@
+{
+  "payfast-local": {
+    "baseUrl": "https://localhost:7196",
+    "paymentId": "jdPB2zaKM3Z",
+    "signature": "6aeff59bb74f2448ff2c3d81b2ec95de",
+    "item_name": "System Architecture Book",
+    "amount": "350.00"
+  },
+  "payfast-uat": {
+    "baseUrl": "https://api.uat.midrandbooks.co.za",
+    "paymentId": "jdPB2zaKM3Z",
+    "signature": "6aeff59bb74f2448ff2c3d81b2ec95de",
+    "item_name": "System Architecture Book",
+    "amount": "350.00"
+  }
+}
+ 

LiteCharms.Features/Api/Configuration/PayfastSettings.cs

@@ -0,0 +1,14 @@
+namespace LiteCharms.Features.Api.Configuration;
+
+public sealed class PayfastSettings
+{
+    public string? CheckoutUrl { get; set; }
+
+    public string? Passphrase { get; set; }
+
+    public string? MerchantId { get; set; }
+
+    public string? MerchantKey { get; set; }
+
+    public string[]? ValidHosts { get; set; }
+}

LiteCharms.Features/Api/TokenService.cs

@@ -1,11 +1,10 @@
-using LiteCharms.Features.Abstractions;
+using LiteCharms.Features.Api.Configuration;
-using LiteCharms.Features.Api.Configuration;
 using LiteCharms.Features.Api.Models;
 using LiteCharms.Features.Api.Sdk;
 
 namespace LiteCharms.Features.Api;
 
-public sealed class TokenService(IConnectApi connectApi, IOptions<LiteCharmsClientSettings> clientOptions) : IService
+public sealed class TokenService(IConnectApi connectApi, IOptions<LiteCharmsClientSettings> clientOptions)
 {
     private readonly LiteCharmsClientSettings clientSettings = clientOptions.Value;
 

LiteCharms.Features/Browser/LocalStorageService.cs

@@ -1,8 +1,6 @@
-using LiteCharms.Features.Abstractions;
+namespace LiteCharms.Features.Browser;
 
-namespace LiteCharms.Features.Browser;
+public sealed class LocalStorageService(ProtectedLocalStorage storage)
-
-public sealed class LocalStorageService(ProtectedLocalStorage storage) : IService
 {
     public async ValueTask<Result> DeleteAsync(string key)
     {

LiteCharms.Features/Extensions/Api.cs

@@ -2,6 +2,7 @@
 using LiteCharms.Features.Api;
 using LiteCharms.Features.Api.Configuration;
 using LiteCharms.Features.Api.Sdk;
+using LiteCharms.Features.Postgres;
 
 namespace LiteCharms.Features.Extensions;
 
@@ -9,7 +10,16 @@ public static class Api
 {
     public const string Books = nameof(Books);
     public const string Payments = nameof(Payments);
-    
+
+    public static IServiceCollection AddPayfastServices(this IServiceCollection services, IConfiguration configuration)
+    {
+        var configSection = configuration.GetSection(nameof(PayfastSettings));
+
+        services.Configure<PayfastSettings>(configSection);
+
+        return services;
+    }
+
     public static IServiceCollection AddSecurityApiSdk(this IServiceCollection services, IConfiguration configuration)
     {
         var configSection = configuration.GetSection(nameof(LiteCharmsClientSettings));
@@ -37,11 +47,29 @@ public static class Api
                 options.Retry.BackoffType = Polly.DelayBackoffType.Exponential;
             });
 
+        services.AddScoped<TokenService>();
+
         return services;
     }
 
     public static IServiceCollection AddLiteCharmsWebSecurity(this IServiceCollection services, IConfiguration configuration)
     {
+        var certString = configuration["DataProtection:Certificate"] ?? configuration["DataProtection__Certificate"];
+        var certPassword = configuration["DataProtection:Password"] ?? configuration["DataProtection__Password"];
+
+        if (string.IsNullOrEmpty(certString))
+            throw new InvalidOperationException("Data Protection Certificate configuration is missing.");
+
+        var certificate = X509CertificateLoader.LoadPkcs12(Convert.FromBase64String(certString), certPassword);
+
+        services.AddDataProtection().PersistKeysToDbContext<DataProtectionDbContext>()
+            .ProtectKeysWithCertificate(certificate)
+            .SetApplicationName("LiteCharmsApp");
+
+        services.Configure<DataProtectionOptions>(options => options.ApplicationDiscriminator = "LiteCharmsApp");
+
+        services.ConfigureCookieOidcSameSiteSupport();
+
         var configSection = configuration.GetSection(nameof(LiteCharmsSettings));
 
         var authOptions = new LiteCharmsSettings();
@@ -54,37 +82,48 @@ public static class Api
             options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
             options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
         })
-        .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme)
+        .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
+        {
+            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
+            options.Cookie.SameSite = SameSiteMode.Lax;
+            options.Cookie.Name = "LiteCharmsApp.Session";
+        })
         .AddOpenIdConnect(OpenIdConnectDefaults.AuthenticationScheme, options =>
         {
             options.Authority = authOptions.Authority;
-
             options.ClientId = authOptions.ClientId;
             options.ClientSecret = authOptions.ClientSecret;
             options.ResponseType = "code";
-
+        
             options.SaveTokens = true;
-            options.GetClaimsFromUserInfoEndpoint = true;
+            options.GetClaimsFromUserInfoEndpoint = true;        
-
+            options.CorrelationCookie.SecurePolicy = CookieSecurePolicy.Always;
+            options.CorrelationCookie.SameSite = SameSiteMode.None;
+        
+            options.NonceCookie.SecurePolicy = CookieSecurePolicy.Always;
+            options.NonceCookie.SameSite = SameSiteMode.None;
+        
+            options.ForwardSignOut = CookieAuthenticationDefaults.AuthenticationScheme;
+        
             options.Scope.Clear();
             options.Scope.Add("openid");
             options.Scope.Add("profile");
             options.Scope.Add("email");
-
+        
             options.Events = new OpenIdConnectEvents
             {
                 OnRedirectToIdentityProviderForSignOut = context =>
                 {
                     var idToken = context.ProtocolMessage.IdTokenHint;
-
+        
                     if (string.IsNullOrEmpty(idToken))
                     {
                         var tokens = context.Properties.GetTokens();
                         var idTokenItem = tokens.FirstOrDefault(t => string.Equals(t.Name, "id_token", StringComparison.Ordinal));
-
+        
                         if (idTokenItem != null) context.ProtocolMessage.IdTokenHint = idTokenItem.Value;
                     }
-
+        
                     return Task.CompletedTask;
                 },
             };
@@ -95,6 +134,30 @@ public static class Api
         return services;
     }
 
+    private static void ConfigureCookieOidcSameSiteSupport(this IServiceCollection services) =>
+        services.Configure<CookiePolicyOptions>(options =>
+        {
+            options.MinimumSameSitePolicy = SameSiteMode.Unspecified;
+            options.OnAppendCookie = cookieContext => CheckSameSite(cookieContext.Context, cookieContext.CookieOptions);
+            options.OnDeleteCookie = cookieContext => CheckSameSite(cookieContext.Context, cookieContext.CookieOptions);
+        });
+
+    private static void CheckSameSite(HttpContext httpContext, CookieOptions options)
+    {
+        if (options.SameSite == SameSiteMode.None)
+        {
+            bool isSecure = httpContext.Request.IsHttps;
+
+            if (!isSecure && httpContext.Request.Headers.TryGetValue("X-Forwarded-Proto", out var proto))
+                isSecure = string.Equals(proto, "https", StringComparison.OrdinalIgnoreCase);
+
+            if (!isSecure && httpContext.Request.Headers.TryGetValue("Forwarded", out var forwarded))
+                isSecure = forwarded.ToString().Contains("proto=https", StringComparison.OrdinalIgnoreCase);
+                        
+            if (!isSecure) options.SameSite = SameSiteMode.Unspecified;
+        }
+    }
+
     public static IServiceCollection AddLiteCharmsApiSecurity(this IServiceCollection services, IConfiguration configuration)
     {
         var configSection = configuration.GetSection(nameof(LiteCharmsSettings));
@@ -132,17 +195,22 @@ public static class Api
             });
         });
 
-        app.MapGet("/logout", async (HttpContext context) =>
+        app.MapGet("/logout", async (HttpContext context, string? redirectUri = null) =>
         {
             var idToken = await context.GetTokenAsync("id_token");
 
-            var authProperties = new AuthenticationProperties { RedirectUri = "/", };
+            if (string.IsNullOrWhiteSpace(redirectUri))
+            {
+                var host = context.Request.Host.ToUriComponent();
+                redirectUri = $"https://{host}/";
+            }
 
-            if (!string.IsNullOrEmpty(idToken)) 
+            var authProperties = new AuthenticationProperties { RedirectUri = redirectUri, };
+
+            if (!string.IsNullOrEmpty(idToken))
                 authProperties.Parameters.Add("id_token_hint", idToken);
 
             await context.SignOutAsync(OpenIdConnectDefaults.AuthenticationScheme, authProperties);
-            await context.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
         });
 
         return app;

LiteCharms.Features/Extensions/Postgres.cs

@@ -1,6 +1,19 @@
-namespace LiteCharms.Features.Extensions;
+using LiteCharms.Features.Postgres;
+
+namespace LiteCharms.Features.Extensions;
 
 public static class Postgres
 {
-    public const string SchedulerDbConfigName = "PostgresScheduler";    
+    public const string SchedulerDbConfigName = "PostgresScheduler";
+    public const string DataProtectionDbConfigName = "PostgresDataProtection";
+
+    public static IServiceCollection AddDataProtectionDatabase(this IServiceCollection services, IConfiguration configuration)
+    {
+        var connectionString = configuration.GetConnectionString(DataProtectionDbConfigName);        
+
+        services.AddPooledDbContextFactory<DataProtectionDbContext>(options =>
+            options.UseNpgsql(connectionString));
+
+        return services;
+    }
 }

LiteCharms.Features/LiteCharms.Features.csproj

@@ -79,7 +79,7 @@
   <!-- Quartz Scheduler-->
   <ItemGroup>    
     <PackageReference Include="Hashids.net" Version="1.7.0" />    
-    <PackageReference Include="Meziantou.Analyzer" Version="3.0.102">
+    <PackageReference Include="Meziantou.Analyzer" Version="3.0.103">
       <PrivateAssets>all</PrivateAssets>
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>    
@@ -153,9 +153,11 @@
       <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
     </PackageReference>
     <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="10.0.2" />
+    <PackageReference Include="Microsoft.AspNetCore.DataProtection.EntityFrameworkCore" Version="10.0.9" />
 
     <!-- Global Usings -->
     <Using Include="Npgsql" />
+    <Using Include="Microsoft.AspNetCore.DataProtection.EntityFrameworkCore" />
     <Using Include="Microsoft.EntityFrameworkCore" />
     <Using Include="Microsoft.EntityFrameworkCore.Design" />
     <Using Include="Microsoft.EntityFrameworkCore.Metadata.Builders" />
@@ -183,8 +185,8 @@
   
   <!-- Amazon S3 SDK -->
   <ItemGroup>
-    <PackageReference Include="AWSSDK.Extensions.NetCore.Setup" Version="4.0.4.6" />
+    <PackageReference Include="AWSSDK.Extensions.NetCore.Setup" Version="4.0.4.7" />
-    <PackageReference Include="AWSSDK.S3" Version="4.0.24.3" />
+    <PackageReference Include="AWSSDK.S3" Version="4.0.24.4" />
     
     <!-- global Usings -->
     <Using Include="Amazon.S3" />
@@ -194,6 +196,8 @@
 
   <!-- Shared Usings -->
   <ItemGroup>
+    <Using Include="Microsoft.AspNetCore.DataProtection" />
+    <Using Include="System.Security.Cryptography.X509Certificates" />
     <Using Include="Microsoft.AspNetCore.Components.Server.ProtectedBrowserStorage" />
     <Using Include="System.Text.Json.Serialization" />
     <Using Include="System.Reflection" />

LiteCharms.Features/Postgres/DataProtectionDbContext.cs

@@ -0,0 +1,13 @@
+namespace LiteCharms.Features.Postgres;
+
+public class DataProtectionDbContext(DbContextOptions<DataProtectionDbContext> options) : DbContext(options), IDataProtectionKeyContext
+{
+    public DbSet<DataProtectionKey> DataProtectionKeys { get; set; }
+
+    protected override void OnModelCreating(ModelBuilder modelBuilder)
+    {
+        base.OnModelCreating(modelBuilder);
+
+        modelBuilder.Entity<DataProtectionKey>(entity => entity.ToTable(nameof(DataProtectionKeys), schema: "security"));
+    }
+}

LiteCharms.Features/Postgres/DataProtectionDbContextFactory.cs

@@ -0,0 +1,20 @@
+using static LiteCharms.Features.Extensions.Postgres;
+
+namespace LiteCharms.Features.Postgres;
+
+public class DataProtectionDbContextFactory : IDesignTimeDbContextFactory<DataProtectionDbContext>
+{
+    public DataProtectionDbContext CreateDbContext(string[] args)
+    {
+        var configuration = new ConfigurationBuilder()
+            .SetBasePath(Directory.GetCurrentDirectory())
+            .AddUserSecrets(typeof(DataProtectionDbContext).Assembly)
+            .AddEnvironmentVariables()
+            .Build();
+
+        var optionsBuilder = new DbContextOptionsBuilder<DataProtectionDbContext>();
+        optionsBuilder.UseNpgsql(configuration.GetConnectionString(DataProtectionDbConfigName));
+
+        return new DataProtectionDbContext(optionsBuilder.Options);
+    }
+}

LiteCharms.Features/Postgres/Migrations/20260614075149_Init.Designer.cs

@@ -0,0 +1,48 @@
+// <auto-generated />
+using LiteCharms.Features.Postgres;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Migrations;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+
+#nullable disable
+
+namespace LiteCharms.Features.Postgres.Migrations
+{
+    [DbContext(typeof(DataProtectionDbContext))]
+    [Migration("20260614075149_Init")]
+    partial class Init
+    {
+        /// <inheritdoc />
+        protected override void BuildTargetModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasAnnotation("ProductVersion", "10.0.9")
+                .HasAnnotation("Relational:MaxIdentifierLength", 63);
+
+            NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
+
+            modelBuilder.Entity("Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.DataProtectionKey", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("FriendlyName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Xml")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("DataProtectionKeys", "security");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}

LiteCharms.Features/Postgres/Migrations/20260614075149_Init.cs

@@ -0,0 +1,41 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+
+#nullable disable
+
+namespace LiteCharms.Features.Postgres.Migrations
+{
+    /// <inheritdoc />
+    public partial class Init : Migration
+    {
+        /// <inheritdoc />
+        protected override void Up(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.EnsureSchema(
+                name: "security");
+
+            migrationBuilder.CreateTable(
+                name: "DataProtectionKeys",
+                schema: "security",
+                columns: table => new
+                {
+                    Id = table.Column<int>(type: "integer", nullable: false)
+                        .Annotation("Npgsql:ValueGenerationStrategy", NpgsqlValueGenerationStrategy.IdentityByDefaultColumn),
+                    FriendlyName = table.Column<string>(type: "text", nullable: true),
+                    Xml = table.Column<string>(type: "text", nullable: true)
+                },
+                constraints: table =>
+                {
+                    table.PrimaryKey("PK_DataProtectionKeys", x => x.Id);
+                });
+        }
+
+        /// <inheritdoc />
+        protected override void Down(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.DropTable(
+                name: "DataProtectionKeys",
+                schema: "security");
+        }
+    }
+}

LiteCharms.Features/Postgres/Migrations/DataProtectionDbContextModelSnapshot.cs

@@ -0,0 +1,45 @@
+// <auto-generated />
+using LiteCharms.Features.Postgres;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Infrastructure;
+using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
+using Npgsql.EntityFrameworkCore.PostgreSQL.Metadata;
+
+#nullable disable
+
+namespace LiteCharms.Features.Postgres.Migrations
+{
+    [DbContext(typeof(DataProtectionDbContext))]
+    partial class DataProtectionDbContextModelSnapshot : ModelSnapshot
+    {
+        protected override void BuildModel(ModelBuilder modelBuilder)
+        {
+#pragma warning disable 612, 618
+            modelBuilder
+                .HasAnnotation("ProductVersion", "10.0.9")
+                .HasAnnotation("Relational:MaxIdentifierLength", 63);
+
+            NpgsqlModelBuilderExtensions.UseIdentityByDefaultColumns(modelBuilder);
+
+            modelBuilder.Entity("Microsoft.AspNetCore.DataProtection.EntityFrameworkCore.DataProtectionKey", b =>
+                {
+                    b.Property<int>("Id")
+                        .ValueGeneratedOnAdd()
+                        .HasColumnType("integer");
+
+                    NpgsqlPropertyBuilderExtensions.UseIdentityByDefaultColumn(b.Property<int>("Id"));
+
+                    b.Property<string>("FriendlyName")
+                        .HasColumnType("text");
+
+                    b.Property<string>("Xml")
+                        .HasColumnType("text");
+
+                    b.HasKey("Id");
+
+                    b.ToTable("DataProtectionKeys", "security");
+                });
+#pragma warning restore 612, 618
+        }
+    }
+}

LiteCharms.Infrastructure/LiteCharms.Infrastructure.csproj

@@ -0,0 +1,104 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+    <UserSecretsId>7770ab3b-72ee-4897-8e06-57d6613e050a</UserSecretsId>
+    <SignAssembly>True</SignAssembly>
+    <AssemblyOriginatorKeyFile>..\LiteCharms.snk</AssemblyOriginatorKeyFile>
+  </PropertyGroup>
+
+  <!-- Nuget Package Details -->
+  <PropertyGroup>
+    <PackageId>LiteCharms.Infrastructure</PackageId>
+    <Version>1.0.20</Version>
+    <Authors>Khwezi Mngoma</Authors>
+    <Company>Lite Charms (PTY) Ltd</Company>
+    <Description>Infrastructure components for Lite Charms applications.</Description>
+    <PackageProjectUrl>https://gitea.khongisa.co.za/litecharms/components</PackageProjectUrl>
+    <RepositoryUrl>https://gitea.khongisa.co.za/litecharms/components.git</RepositoryUrl>
+    <RepositoryType>git</RepositoryType>
+    <PackageLicenseFile>LICENSE</PackageLicenseFile>
+    <PackageIcon>icon.png</PackageIcon>
+  </PropertyGroup>
+
+  <ItemGroup>
+    <None Include="..\LICENSE" Pack="true" PackagePath="\" />
+    <None Include="..\icon.png" Pack="true" PackagePath="\" />
+  </ItemGroup>
+
+  <!-- Quartz Scheduler-->
+  <ItemGroup>        
+    <PackageReference Include="Quartz" Version="3.18.1" />    
+    <PackageReference Include="Quartz.Plugins" Version="3.18.1" />
+    <PackageReference Include="Quartz.Plugins.TimeZoneConverter" Version="3.18.1" />
+    <PackageReference Include="Quartz.Serialization.SystemTextJson" Version="3.18.1" />
+
+    <!-- Global Usings -->
+    <Using Include="Quartz" />
+    <Using Include="Mediator" />
+    <Using Include="FluentResults" />
+  </ItemGroup>
+
+  <!-- Configuration -->
+  <ItemGroup>
+    <PackageReference Include="Microsoft.Extensions.Configuration" Version="10.0.7" />    
+    <PackageReference Include="Microsoft.Extensions.Configuration.Abstractions" Version="10.0.7" />    
+    <PackageReference Include="Microsoft.Extensions.Configuration.EnvironmentVariables" Version="10.0.7" />    
+    <PackageReference Include="Microsoft.Extensions.Configuration.Json" Version="10.0.7" />    
+    <PackageReference Include="Microsoft.Extensions.Configuration.UserSecrets" Version="10.0.7" />
+    
+    <!-- Global Usings -->
+    <Using Include="Microsoft.Extensions.Configuration" />
+  </ItemGroup>
+  
+  <!-- Health Checks -->
+  <ItemGroup>    
+    <PackageReference Include="Microsoft.Extensions.Diagnostics.HealthChecks" Version="10.0.7" />
+    
+    <!-- Global Usings -->
+    <Using Include="Microsoft.Extensions.Diagnostics.HealthChecks" />
+  </ItemGroup>
+
+  <!-- Database -->
+  <ItemGroup>
+    <PackageReference Include="Microsoft.EntityFrameworkCore" Version="10.0.7" />
+    <PackageReference Include="Microsoft.EntityFrameworkCore.Design" Version="10.0.7">
+      <PrivateAssets>all</PrivateAssets>
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+    </PackageReference>
+    <PackageReference Include="Microsoft.EntityFrameworkCore.Relational" Version="10.0.7" />
+    <PackageReference Include="Microsoft.EntityFrameworkCore.Tools" Version="10.0.7">
+      <PrivateAssets>all</PrivateAssets>
+      <IncludeAssets>runtime; build; native; contentfiles; analyzers; buildtransitive</IncludeAssets>
+    </PackageReference>
+    <PackageReference Include="Npgsql.EntityFrameworkCore.PostgreSQL" Version="10.0.1" />
+
+    <!-- Global Usings -->
+    <Using Include="Npgsql" />
+    <Using Include="Microsoft.EntityFrameworkCore" />
+    <Using Include="Microsoft.EntityFrameworkCore.Design" />
+    <Using Include="Microsoft.EntityFrameworkCore.Metadata.Builders" />
+  </ItemGroup>
+
+  <!-- Project References -->
+  <ItemGroup>
+    <ProjectReference Include="..\LiteCharms.Abstractions\LiteCharms.Abstractions.csproj" />
+    <ProjectReference Include="..\LiteCharms.Entities\LiteCharms.Entities.csproj" />
+    <ProjectReference Include="..\LiteCharms.Models\LiteCharms.Models.csproj" />
+  </ItemGroup>
+
+  <!-- Global Usings -->
+  <ItemGroup>
+    <Using Include="System.Text.Json" />
+    <Using Include="Microsoft.Extensions.Hosting" />
+  </ItemGroup>
+  
+  <ItemGroup>
+    <None Update="appsettings.json">
+      <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+    </None>
+  </ItemGroup>
+
+</Project>

LiteCharms.Models/LiteCharms.Models.csproj

@@ -0,0 +1,35 @@
+<Project Sdk="Microsoft.NET.Sdk">
+
+  <PropertyGroup>
+    <TargetFramework>net10.0</TargetFramework>
+    <ImplicitUsings>enable</ImplicitUsings>
+    <Nullable>enable</Nullable>
+    <SignAssembly>True</SignAssembly>
+    <AssemblyOriginatorKeyFile>..\LiteCharms.snk</AssemblyOriginatorKeyFile>
+  </PropertyGroup>
+
+  <!-- Nuget Package Details -->
+  <PropertyGroup>
+    <PackageId>LiteCharms.Models</PackageId>
+    <Version>1.0.20</Version>
+    <Authors>Khwezi Mngoma</Authors>
+    <Company>Lite Charms (PTY) Ltd</Company>
+    <Description>Shared models for Lite Charms applications.</Description>
+    <PackageProjectUrl>https://gitea.khongisa.co.za/litecharms/components</PackageProjectUrl>
+    <RepositoryUrl>https://gitea.khongisa.co.za/litecharms/components.git</RepositoryUrl>
+    <RepositoryType>git</RepositoryType>
+    <PackageLicenseFile>LICENSE</PackageLicenseFile>
+    <PackageTags>utility;dotnet</PackageTags>
+    <PackageIcon>icon.png</PackageIcon>
+  </PropertyGroup>
+
+  <!-- Global Usings -->
+  <ItemGroup>
+    <Using Include="System.ComponentModel.DataAnnotations"/>
+  </ItemGroup>
+
+  <ItemGroup>
+    <None Include="..\LICENSE" Pack="true" PackagePath="\" />
+    <None Include="..\icon.png" Pack="true" PackagePath="\" />
+  </ItemGroup>
+</Project>