Merge pull request 'Updated nuget packages' (#28) from payments into master

Reviewed-on: #28

MidrandBooksApi/MidrandBooksApi.csproj

@@ -14,8 +14,8 @@
     <PackageReference Include="IdentityModel.AspNetCore.OAuth2introspection" Version="6.2.0" />
     <PackageReference Include="IdentityServer4.AccessTokenValidation" Version="3.0.1" />
     <PackageReference Include="IdentityModel" Version="6.2.0" />
-    <PackageReference Include="Microsoft.AspNetCore.Authentication.Certificate" Version="10.0.8" />
-    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="10.0.8" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.Certificate" Version="10.0.9" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="10.0.9" />
   </ItemGroup>
   
   <!-- Health Checks -->
@@ -39,8 +39,8 @@
   
   <!-- API Documentation -->
   <ItemGroup>    
-    <PackageReference Include="Microsoft.AspNetCore.OpenApi" Version="10.0.8" />    
-    <PackageReference Include="Scalar.AspNetCore" Version="2.14.14" />
+    <PackageReference Include="Microsoft.AspNetCore.OpenApi" Version="10.0.9" />    
+    <PackageReference Include="Scalar.AspNetCore" Version="2.16.3" />
 
     <Using Include="Scalar.AspNetCore" />
     <Using Include="Microsoft.OpenApi" />
@@ -54,13 +54,13 @@
   </ItemGroup>
 
   <ItemGroup>
-    <PackageReference Include="LiteCharms.Features" Version="1.77.0" />
+    <PackageReference Include="LiteCharms.Features" Version="1.123.0" />
   </ItemGroup>
 
   <!-- UI -->
   <ItemGroup>
     <PackageReference Include="ANM.Blazored.Toast" Version="0.1.1" />
-    <PackageReference Include="LiteCharms.Features.MidrandBooks" Version="1.77.0" />
+    <PackageReference Include="LiteCharms.Features.MidrandBooks" Version="1.123.0" />
 
     <!-- Global Usings -->
     <Using Include="Blazored.Toast.Services" />
@@ -89,6 +89,8 @@
     <Using Include="System.Web" />
     <Using Include="System.Diagnostics" />
     <Using Include="System.Reflection" />
+    <Using Include="Microsoft.AspNetCore.Mvc" />
+    <Using Include="System.ComponentModel.DataAnnotations" />
     <Using Include="Microsoft.Extensions.DependencyInjection.Extensions" />
   </ItemGroup>
 

MidrandBooksApi/Payments/Endpoints/IdentityEndpoint.cs

@@ -1,23 +0,0 @@
-using LiteCharms.Features.Abstractions;
-using LiteCharms.Features.Api;
-using LiteCharms.Features.Extensions;
-
-namespace MidrandBooksApi.Payments.Endpoints;
-
-[ApiVersionTarget(1)]
-public class IdentityEndpoint : IEndpoint
-{
-    public void Map(IEndpointRouteBuilder builder)
-    {
-        builder.MapGet("security/test", () =>
-        {
-            return Results.Ok();
-        })
-        .RequireAuthorization()
-        .WithDescription("Security test endpoint")
-        .WithName(typeof(IdentityEndpoint).ToEndpointName())
-        .Produces(StatusCodes.Status200OK)
-        .WithTags("Security")
-        .MapToApiVersion(1);
-    }
-}

MidrandBooksApi/Payments/Payfast/PayfastConfirmationEndpoint.cs

@@ -6,28 +6,23 @@ using LiteCharms.Features.MidrandBooks.Payments.Events;
 using LiteCharms.Features.MidrandBooks.Payments.Models;
 using static LiteCharms.Features.Extensions.Api;
 
-namespace MidrandBooksApi.Payments.Endpoints;
+namespace MidrandBooksApi.Payments.Payfast;
 
 [ApiVersionTarget(1)]
-public sealed class ConfirmationEndpoint : IEndpoint
+public sealed class PayfastConfirmationEndpoint : IEndpoint
 {
     private static readonly ActivitySource PaymentActivitySource = new("MidrandBooksApi.Payments");
 
     public void Map(IEndpointRouteBuilder builder)
     {
         builder.MapPost("payments/payfast/confirm", async (HttpRequest request, PayfastService payfastService,
-            IJobOrchestrator jobOrchestrator, IConfiguration configuration, IHostEnvironment hostEnvironment, CancellationToken cancellationToken) =>
+            IJobOrchestrator jobOrchestrator, IConfiguration configuration, IHostEnvironment hostEnvironment,
+            ILogger<PayfastConfirmationEndpoint> logger, CancellationToken cancellationToken) =>
         {
             using Activity? activity = PaymentActivitySource.StartActivity("ReceivePayfastWebhook", ActivityKind.Server);
 
             activity?.SetTag("messaging.system", "payfast");
-            activity?.SetTag("messaging.destination.name", "payments/confirm");
-
-            string? remoteIp = request.HttpContext.Connection.RemoteIpAddress?.ToString();
-
-            var ipValidation = await payfastService.ValidateReferrerIpAsync(remoteIp!, !hostEnvironment.IsProduction(), cancellationToken);
-
-            if (ipValidation.IsFailed || !ipValidation.Value) return Results.Unauthorized();
+            activity?.SetTag("messaging.destination.name", "payments/payfast/confirm");
 
             var formCollection = await request.ReadFormAsync(cancellationToken);
 
@@ -37,36 +32,42 @@ public sealed class ConfirmationEndpoint : IEndpoint
             string incomingSignature = signatureValues.ToString().Trim();
             var payload = ParseForm(formCollection, incomingSignature);
 
-            var paramDictionary = payload.ToParamDictionary();
-            string? passphrase = configuration["HasherSettings:PayfastPassphrase"];
+            string? passphrase = configuration["PayfastSettings:Passphrase"];
 
-            var signatureCheck = PayfastService.GenerateSignature(paramDictionary, passphrase);
+            if (!PayfastService.VerifyIncomingSignatureFromForm(formCollection, passphrase!))
+            {
+                logger.LogCritical($"Incoming signature failed validation: {incomingSignature}");
 
-            if (signatureCheck.IsFailed || !string.Equals(signatureCheck.Value, incomingSignature, StringComparison.OrdinalIgnoreCase))
                 return Results.Unauthorized();
+            }
 
-            var formPairs = formCollection.Select(kvp => $"{kvp.Key}={HttpUtility.UrlEncode(kvp.Value.ToString())}");
+            var sortedPairs = formCollection
+                .Where(kvp => !kvp.Key.Equals("signature", StringComparison.OrdinalIgnoreCase))
+                .OrderBy(kvp => kvp.Key, StringComparer.Ordinal)
+                .Select(kvp => $"{kvp.Key}={HttpUtility.UrlEncode(kvp.Value.ToString().Trim())}");
 
-            string rawQueryParamString = string.Join("&", formPairs);
+            string rawQueryParamString = string.Join("&", sortedPairs);
 
             bool isSandbox = !hostEnvironment.IsProduction();
-
             var serverConfirmation = await payfastService.ValidateServerConfirmationAsync(rawQueryParamString, isSandbox, cancellationToken);
 
             if (serverConfirmation.IsFailed || !serverConfirmation.Value)
+            {
+                logger.LogCritical($"Payfast server validation ping rejected the request data: {rawQueryParamString}");
+
                 return Results.Unauthorized();
+            }
 
             var notification = PayfastPaymentConfirmationReceivedEvent.Create(payload, payload.MerchantPaymentId!,
-                allowLoopback: !hostEnvironment.IsProduction(), performBackgroundChecks: false); // Set to false because comprehensive checks are completed inline above
+                allowLoopback: !hostEnvironment.IsProduction(), performBackgroundChecks: false);
 
             await jobOrchestrator.SendAsync(notification, cancellationToken);
 
             activity?.SetStatus(ActivityStatusCode.Ok);
-
             return Results.Ok();
         })
         .WithDescription("Securely confirm and process an incoming Payfast merchant payment callback.")
-        .WithName(typeof(ConfirmationEndpoint).ToEndpointName())
+        .WithName(typeof(PayfastConfirmationEndpoint).ToEndpointName())
         .MapToApiVersion(new ApiVersion(1))
         .Produces(StatusCodes.Status200OK)
         .Produces(StatusCodes.Status400BadRequest)

MidrandBooksApi/Program.cs

@@ -12,7 +12,7 @@ builder.Services.AddEndpoints(Assembly.GetExecutingAssembly());
 builder.Services.AddApiServices(builder.Configuration);
 
 builder.Services.AddMediator();
-builder.Services.AddAuthentic(builder.Configuration);
+builder.Services.AddLiteCharmsApiSecurity(builder.Configuration);
 
 builder.Services.AddScoped(typeof(IPipelineBehavior<,>), typeof(TelemetryPipelineBehavior<,>));
 builder.Services.AddScoped(typeof(IPipelineBehavior<,>), typeof(LoggingPipelineBehavior<,>));
@@ -22,7 +22,9 @@ builder.Services.AddQuartzSchedulerClient(MidrandShopSchedulerName, builder.Conf
 builder.Services.AddEmailServices(builder.Configuration);
 builder.Services.AddEmailServiceBus();
 
+builder.Services.AddHttpClient();
 builder.Services.AddShopServices();
+builder.Services.AddPayfastServices(builder.Configuration);
 builder.Services.AddHashServices(builder.Configuration);
 builder.Services.AddMidrandShopDatabase(builder.Configuration);
 

MidrandBooksApi/appsettings.json

@@ -1,20 +1,20 @@
 {
-  "AuthentikSettings": {
-    "Authority": "https://id.khongisa.co.za/application/o/midrand-books-api-uat/",
-    "IntrospectionUrl": "https://id.khongisa.co.za/application/o/introspect/",
-    "RequiredClaimName": "scope",
-    "RequiredClaimNameValue": "openid",
-    "RequireHttpsMetadata": true
+  "PayfastSettings": {
+    "CheckoutUrl": "https://sandbox.payfast.co.za/eng/process",
+    "ValidHosts": [
+      "www.payfast.co.za",
+      "sandbox.payfast.co.za",
+      "w1w.payfast.co.za",
+      "w2w.payfast.co.za",
+      "ips.payfast.co.za",
+      "api.payfast.co.za",
+      "payment.payfast.io"
+    ]
+  },
+  "LiteCharmsSettings": {
+    "Authority": "https://sts.security.khongisa.co.za",
+    "Audience": "midrandbooks-api"
   },
-  "ValidPayfastHosts": [
-    "www.payfast.co.za",
-    "sandbox.payfast.co.za",
-    "w1w.payfast.co.za",
-    "w2w.payfast.co.za",
-    "ips.payfast.co.za",
-    "api.payfast.co.za",
-    "payment.payfast.io"
-  ],
   "HasherSettings": {
     "MinHashLength": 11
   },
@@ -25,7 +25,6 @@
     "CdnBaseUrl": "https://bookshop.cdn.khongisa.co.za"
   },
   "Monitoring": {
-    "ApiKey": "",
     "Address": "http://aspire-dashboard-service.aspire.svc.cluster.local:18889",
     "ServiceName": "MidrandBooks.DEV"
   },

midrandbooksapi-uat.yml

@@ -19,18 +19,14 @@ data:
   BookshopS3Settings__Region: "garage"
   BookshopS3Settings__BucketName: "bookshop"
   BookshopS3Settings__CdnBaseUrl: "https://bookshop.cdn.khongisa.co.za"
-  ValidPayfastHosts__0: "www.payfast.co.za"
-  ValidPayfastHosts__1: "sandbox.payfast.co.za"
-  ValidPayfastHosts__2: "w1w.payfast.co.za"
-  ValidPayfastHosts__3: "w2w.payfast.co.za"
-  ValidPayfastHosts__4: "ips.payfast.co.za"
-  ValidPayfastHosts__5: "api.payfast.co.za"
-  ValidPayfastHosts__6: "payment.payfast.io"
-  AuthentikSettings__Authority: "https://id.khongisa.co.za/application/o/midrand-books-api-uat/"
-  AuthentikSettings__IntrospectionUrl: "https://id.khongisa.co.za/application/o/introspect/"
-  AuthentikSettings__RequiredClaimName: "scope"
-  AuthentikSettings__RequiredClaimNameValue: "openid"
-  AuthentikSettings__RequireHttpsMetadata: "true"
+  PayfastSettings__CheckoutUrl: "https://sandbox.payfast.co.za/eng/process"
+  PayfastSettings__ValidHosts__0: "www.payfast.co.za"
+  PayfastSettings__ValidHosts__1: "sandbox.payfast.co.za"
+  PayfastSettings__ValidHosts__2: "ips.payfast.co.za"
+  PayfastSettings__ValidHosts__3: "api.payfast.co.za"
+  PayfastSettings__ValidHosts__4: "payment.payfast.io"
+  LiteCharmsSettings__Authority: "https://sts.security.khongisa.co.za"
+  LiteCharmsSettings__Audience: "midrandbooks-api"
 ---
 apiVersion: v1
 kind: Secret
@@ -42,12 +38,14 @@ data:
   connection-string: SG9zdD0xOTIuMTY4LjEuMTcwO0RhdGFiYXNlPW1pZHJhbmRzaG9wLWRldjtVc2VybmFtZT1taWRyYW5kc2hvcC1kZXYtdXNlcjtQYXNzd29yZD1hUFh5a0tnM3RTOWNtRDtQZXJzaXN0IFNlY3VyaXR5IEluZm89VHJ1ZQ==
   connection-string-quartz: SG9zdD0xOTIuMTY4LjEuMTcwO0RhdGFiYXNlPXNjaGVkdWxlci1kZXY7VXNlcm5hbWU9c2NoZWR1bGVyLWRldi11c2VyO1Bhc3N3b3JkPWtWVm1vV0tKM3h6Z1FYO1BlcnNpc3QgU2VjdXJpdHkgSW5mbz1UcnVl
   aspire-apikey: bWMzRzYzSzJqNVpPRXNpMEFqTW9qTFRYbTFLRVpGY3R6SUlqU3dEaVRHdXQ4cUdTa1B1V3d4R1AxUmJzY0pVbw==
-  hasher-salt: VEdsbmFIUWdRMmhoY20xekxDQk5hV1J5WVc1a1FtOXZhM01nYldGclpTQnNiM1J6SUc5bUlHMXZibVY1SUdGdVpDQmhjbVVnWVNCemRXTmpaWE56Wm5Wc0lIWnBjbUZzSUhOMGIzSjVJR2x1SUZOdmRYUm9JRUZtY21sallRPT0=
-  hasher-payfastpassphrase: OUdBSVIwdFdwaFgwcU8=
+  hasher-salt: VEdsbmFIUWdRMmhoY20xekxDQk5hV1J5WVc1a1FtOXZhM01nYldGclpTQnNiM1J6SUc5bUlHMXZibVY1SUdGdVpDQmhjbVVnWVNCemRXTmpaWE56Wm5Wc0lIWnBjbUZzSUhOMGIzSjVJR2x1SUZOdmRYUm9JRUZtY21sallRPT0=  
   bookshop-s3-accesskey: R0s1MTRkMmNlOGRjNjkyMzdhMDVjMDFlZWY=
   bookshop-s3-secretkey: ZWFhZmVkYTFhZWQ0MDllY2ZlNjA3MTRlY2RhNTQ5YjgyYmRmNWEzZGFmOWYxOGRkNjFmNjZiNDk3M2E2NDgyZQ==
-  authentik-clientid: aTZ5Z3I4NEhsbmh4RllxTEpWSjJIaGRsVnJPWUU0UG51clQ1Y1BRVw==
-  authentik-clientsecret: dHZQVU0zVnFmazJzcmE5OXM5bE4zWWxpMHlsYUdUNnZiUUJxZkg3S3ZTSWJUZUo2ZFpHQjEyTlc0TXhxRERXSmV4UDd2WGZqVEFadFIzajNpdkQ2Y1RKcjV4UTlTNHJwRm5TZlk0Rmk2OVJOd1J2S0hqOGhWcmQzd29icTZPREc=
+  litecharms-clientid: bWlkcmFuZGJvb2tzLWFwaQ==
+  litecharms-clientsecret: c2VjcmV0X2YzZjA0YWNhYTMzNmVlOTEzZDRjNjdlYmQwOTE1ZWFlYzQ0NzdmYTkwOTdlYTJhYzkyZGE4ZDc0NjgzZTAyNTU=
+  payfast-passphrase: OUdBSVIwdFdwaFgwcU8=
+  payfast-merchantid: MTAwNDkzMDc=
+  payfast-merchantkey: anU2bmF2bjBqY2JmMA==
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
@@ -100,16 +98,16 @@ spec:
             - configMapRef:
                 name: midrandbooksapi-config
           env:
-            - name: AuthentikSettings__ApiResourceName
+            - name: LiteCharmsSettings__ClientId
               valueFrom:
                 secretKeyRef:
                   name: midrandbooksapi-secrets
-                  key: authentik-clientid
-            - name: AuthentikSettings__ApiResourceSecret
+                  key: litecharms-clientid
+            - name: LiteCharmsSettings__ClientSecret
               valueFrom:
                 secretKeyRef:
                   name: midrandbooksapi-secrets
-                  key: authentik-clientsecret
+                  key: litecharms-clientsecret
             - name: BookshopS3Settings__AccessKey
               valueFrom:
                 secretKeyRef:
@@ -125,11 +123,21 @@ spec:
                 secretKeyRef:
                   name: midrandbooksapi-secrets
                   key: hasher-salt
-            - name: HasherSettings__PayfastPassphrase
+            - name: PayfastSettings__Passphrase
               valueFrom:
                 secretKeyRef:
                   name: midrandbooksapi-secrets
-                  key: hasher-payfastpassphrase
+                  key: payfast-passphrase
+            - name: PayfastSettings__MerchantId
+              valueFrom:
+                secretKeyRef:
+                  name: midrandbooksapi-secrets
+                  key: payfast-merchantid
+            - name: PayfastSettings__MerchantKey
+              valueFrom:
+                secretKeyRef:
+                  name: midrandbooksapi-secrets
+                  key: payfast-merchantkey
             - name: ConnectionStrings__PostgresScheduler
               valueFrom:
                 secretKeyRef:
@@ -153,8 +161,8 @@ spec:
             httpGet:
               path: /health
               port: 8080
-            initialDelaySeconds: 5
-            periodSeconds: 10
+            initialDelaySeconds: 10
+            periodSeconds: 15
           readinessProbe:
             httpGet:
               path: /health