2026-01-08 03:59:56 +00:00
|
|
|
using Adapters.Driven.Persistence;
|
|
|
|
|
using Adapters.Driven.Persistence.Context;
|
|
|
|
|
using Adapters.Driving.Api.Extensions;
|
|
|
|
|
using Application;
|
2026-01-08 14:14:42 +00:00
|
|
|
using Application.Auth;
|
2026-01-08 03:59:56 +00:00
|
|
|
using dotenv.net;
|
2026-01-08 14:14:42 +00:00
|
|
|
using Microsoft.AspNetCore.Authentication.JwtBearer;
|
2026-01-08 03:59:56 +00:00
|
|
|
using Microsoft.AspNetCore.Diagnostics.HealthChecks;
|
|
|
|
|
using Microsoft.AspNetCore.RateLimiting;
|
|
|
|
|
using Microsoft.AspNetCore.ResponseCompression;
|
|
|
|
|
using Microsoft.EntityFrameworkCore;
|
|
|
|
|
using Microsoft.Extensions.Diagnostics.HealthChecks;
|
2026-01-08 14:14:42 +00:00
|
|
|
using Microsoft.IdentityModel.Tokens;
|
2026-01-08 03:59:56 +00:00
|
|
|
using Serilog;
|
|
|
|
|
using System.IO.Compression;
|
2026-01-08 14:14:42 +00:00
|
|
|
using System.Text;
|
2026-01-08 03:59:56 +00:00
|
|
|
using System.Text.Json;
|
|
|
|
|
using System.Threading.RateLimiting;
|
|
|
|
|
|
|
|
|
|
// Load .env file (searches up to root directory)
|
|
|
|
|
DotEnv.Load(options: new DotEnvOptions(
|
|
|
|
|
probeForEnv: true,
|
|
|
|
|
probeLevelsToSearch: 5
|
|
|
|
|
));
|
|
|
|
|
|
|
|
|
|
// Configure Serilog from appsettings + environment variables
|
|
|
|
|
Log.Logger = new LoggerConfiguration()
|
|
|
|
|
.ReadFrom.Configuration(new ConfigurationBuilder()
|
|
|
|
|
.AddJsonFile("appsettings.json")
|
|
|
|
|
.AddJsonFile($"appsettings.{Environment.GetEnvironmentVariable("ASPNETCORE_ENVIRONMENT") ?? "Production"}.json", optional: true)
|
|
|
|
|
.AddEnvironmentVariables()
|
|
|
|
|
.Build())
|
|
|
|
|
.CreateLogger();
|
|
|
|
|
|
|
|
|
|
try
|
|
|
|
|
{
|
|
|
|
|
Log.Information("Starting application");
|
|
|
|
|
|
|
|
|
|
var builder = WebApplication.CreateBuilder(args);
|
|
|
|
|
|
|
|
|
|
// Add environment variables to configuration
|
|
|
|
|
builder.Configuration.AddEnvironmentVariables();
|
|
|
|
|
|
|
|
|
|
// Build connection string from individual env vars if not provided directly
|
|
|
|
|
var connectionString = builder.Configuration.GetConnectionString("DefaultConnection");
|
|
|
|
|
if (string.IsNullOrEmpty(connectionString))
|
|
|
|
|
{
|
|
|
|
|
var dbHost = Environment.GetEnvironmentVariable("DB_HOST") ?? "localhost";
|
|
|
|
|
var dbPort = Environment.GetEnvironmentVariable("DB_PORT") ?? "1433";
|
|
|
|
|
var dbName = Environment.GetEnvironmentVariable("DB_NAME") ?? "StudentEnrollment";
|
|
|
|
|
var dbUser = Environment.GetEnvironmentVariable("DB_USER") ?? "sa";
|
|
|
|
|
var dbPassword = Environment.GetEnvironmentVariable("DB_PASSWORD") ?? "";
|
|
|
|
|
|
|
|
|
|
connectionString = $"Server={dbHost},{dbPort};Database={dbName};User Id={dbUser};Password={dbPassword};TrustServerCertificate=True";
|
|
|
|
|
builder.Configuration["ConnectionStrings:DefaultConnection"] = connectionString;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
builder.Host.UseSerilog();
|
|
|
|
|
|
|
|
|
|
// Add services
|
|
|
|
|
builder.Services.AddApplication();
|
|
|
|
|
builder.Services.AddPersistence(builder.Configuration);
|
|
|
|
|
builder.Services.AddGraphQLApi();
|
|
|
|
|
|
|
|
|
|
// Response Compression (Brotli preferred, then Gzip)
|
|
|
|
|
builder.Services.AddResponseCompression(options =>
|
|
|
|
|
{
|
|
|
|
|
options.EnableForHttps = true;
|
|
|
|
|
options.Providers.Add<BrotliCompressionProvider>();
|
|
|
|
|
options.Providers.Add<GzipCompressionProvider>();
|
|
|
|
|
options.MimeTypes = ResponseCompressionDefaults.MimeTypes.Concat(
|
|
|
|
|
["application/json", "application/graphql-response+json"]);
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
builder.Services.Configure<BrotliCompressionProviderOptions>(options =>
|
|
|
|
|
options.Level = CompressionLevel.Fastest);
|
|
|
|
|
|
|
|
|
|
builder.Services.Configure<GzipCompressionProviderOptions>(options =>
|
|
|
|
|
options.Level = CompressionLevel.Fastest);
|
|
|
|
|
|
|
|
|
|
// CORS (configurable via CORS_ORIGINS env var, comma-separated)
|
|
|
|
|
var corsOrigins = Environment.GetEnvironmentVariable("CORS_ORIGINS")?.Split(',', StringSplitOptions.RemoveEmptyEntries)
|
|
|
|
|
?? ["http://localhost:4200"];
|
|
|
|
|
builder.Services.AddCors(options =>
|
|
|
|
|
{
|
|
|
|
|
options.AddDefaultPolicy(policy =>
|
|
|
|
|
policy.WithOrigins(corsOrigins)
|
|
|
|
|
.AllowAnyHeader()
|
2026-01-08 14:14:42 +00:00
|
|
|
.AllowAnyMethod()
|
|
|
|
|
.AllowCredentials());
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
// JWT Authentication
|
|
|
|
|
var jwtSecretKey = Environment.GetEnvironmentVariable("JWT_SECRET_KEY")
|
|
|
|
|
?? "SuperSecretKeyForDevelopmentOnly_ChangeInProduction_AtLeast32Chars!";
|
|
|
|
|
builder.Services.Configure<JwtOptions>(opt =>
|
|
|
|
|
{
|
|
|
|
|
opt.SecretKey = jwtSecretKey;
|
|
|
|
|
opt.Issuer = Environment.GetEnvironmentVariable("JWT_ISSUER") ?? "StudentEnrollmentApi";
|
|
|
|
|
opt.Audience = Environment.GetEnvironmentVariable("JWT_AUDIENCE") ?? "StudentEnrollmentApp";
|
|
|
|
|
opt.ExpirationMinutes = int.TryParse(Environment.GetEnvironmentVariable("JWT_EXPIRATION_MINUTES"), out var exp) ? exp : 60;
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
|
|
|
|
|
.AddJwtBearer(options =>
|
|
|
|
|
{
|
|
|
|
|
options.TokenValidationParameters = new TokenValidationParameters
|
|
|
|
|
{
|
|
|
|
|
ValidateIssuer = true,
|
|
|
|
|
ValidateAudience = true,
|
|
|
|
|
ValidateLifetime = true,
|
|
|
|
|
ValidateIssuerSigningKey = true,
|
|
|
|
|
ValidIssuer = Environment.GetEnvironmentVariable("JWT_ISSUER") ?? "StudentEnrollmentApi",
|
|
|
|
|
ValidAudience = Environment.GetEnvironmentVariable("JWT_AUDIENCE") ?? "StudentEnrollmentApp",
|
|
|
|
|
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwtSecretKey))
|
|
|
|
|
};
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
builder.Services.AddAuthorization(options =>
|
|
|
|
|
{
|
|
|
|
|
options.AddPolicy("AdminOnly", policy => policy.RequireRole("Admin"));
|
|
|
|
|
options.AddPolicy("StudentOrAdmin", policy => policy.RequireRole("Student", "Admin"));
|
2026-01-08 03:59:56 +00:00
|
|
|
});
|
|
|
|
|
|
|
|
|
|
// Output caching for read-heavy operations
|
|
|
|
|
builder.Services.AddOutputCache(options =>
|
|
|
|
|
{
|
|
|
|
|
options.AddBasePolicy(policy => policy.Expire(TimeSpan.FromSeconds(10)));
|
|
|
|
|
options.AddPolicy("Subjects", policy => policy.Expire(TimeSpan.FromMinutes(5)));
|
|
|
|
|
options.AddPolicy("Professors", policy => policy.Expire(TimeSpan.FromMinutes(5)));
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
// Health checks
|
|
|
|
|
builder.Services.AddHealthChecks()
|
|
|
|
|
.AddDbContextCheck<AppDbContext>("database");
|
|
|
|
|
|
|
|
|
|
// Rate limiting (DoS prevention)
|
|
|
|
|
builder.Services.AddRateLimiter(options =>
|
|
|
|
|
{
|
|
|
|
|
options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;
|
|
|
|
|
options.AddFixedWindowLimiter("graphql", limiter =>
|
|
|
|
|
{
|
|
|
|
|
limiter.PermitLimit = 100;
|
|
|
|
|
limiter.Window = TimeSpan.FromMinutes(1);
|
|
|
|
|
limiter.QueueProcessingOrder = QueueProcessingOrder.OldestFirst;
|
|
|
|
|
limiter.QueueLimit = 10;
|
|
|
|
|
});
|
|
|
|
|
options.AddFixedWindowLimiter("mutations", limiter =>
|
|
|
|
|
{
|
|
|
|
|
limiter.PermitLimit = 30;
|
|
|
|
|
limiter.Window = TimeSpan.FromMinutes(1);
|
|
|
|
|
limiter.QueueLimit = 5;
|
|
|
|
|
});
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
var app = builder.Build();
|
|
|
|
|
|
|
|
|
|
// Verify database connection and apply migrations
|
|
|
|
|
await VerifyDatabaseConnectionAsync(app);
|
|
|
|
|
|
2026-01-08 14:14:42 +00:00
|
|
|
// Create admin user if not exists
|
|
|
|
|
await CreateAdminUserAsync(app);
|
|
|
|
|
|
2026-01-08 03:59:56 +00:00
|
|
|
async Task VerifyDatabaseConnectionAsync(WebApplication app)
|
|
|
|
|
{
|
|
|
|
|
var maxRetries = 10;
|
|
|
|
|
var delay = TimeSpan.FromSeconds(5);
|
|
|
|
|
|
|
|
|
|
for (int attempt = 1; attempt <= maxRetries; attempt++)
|
|
|
|
|
{
|
|
|
|
|
try
|
|
|
|
|
{
|
|
|
|
|
using var scope = app.Services.CreateScope();
|
|
|
|
|
var db = scope.ServiceProvider.GetRequiredService<AppDbContext>();
|
|
|
|
|
|
|
|
|
|
Log.Information("Attempting database connection (attempt {Attempt}/{MaxRetries})...", attempt, maxRetries);
|
|
|
|
|
|
|
|
|
|
// Try to apply migrations - this will create the DB if it doesn't exist
|
|
|
|
|
Log.Information("Applying database migrations (this will create DB if needed)...");
|
|
|
|
|
await db.Database.MigrateAsync();
|
|
|
|
|
Log.Information("Database migrations applied successfully");
|
|
|
|
|
|
|
|
|
|
// Verify connection works after migrations
|
|
|
|
|
if (await db.Database.CanConnectAsync())
|
|
|
|
|
{
|
|
|
|
|
Log.Information("Database connection verified successfully");
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
catch (Exception ex)
|
|
|
|
|
{
|
|
|
|
|
Log.Error(ex, "Database operation failed (attempt {Attempt}/{MaxRetries}): {ErrorMessage}",
|
|
|
|
|
attempt, maxRetries, ex.Message);
|
|
|
|
|
|
|
|
|
|
if (attempt == maxRetries)
|
|
|
|
|
{
|
|
|
|
|
Log.Fatal("Could not establish database connection after {MaxRetries} attempts. " +
|
|
|
|
|
"Please verify: DB_HOST={DbHost}, DB_PORT={DbPort}, DB_NAME={DbName}, DB_USER={DbUser}",
|
|
|
|
|
maxRetries,
|
|
|
|
|
Environment.GetEnvironmentVariable("DB_HOST") ?? "localhost",
|
|
|
|
|
Environment.GetEnvironmentVariable("DB_PORT") ?? "1433",
|
|
|
|
|
Environment.GetEnvironmentVariable("DB_NAME") ?? "StudentEnrollment",
|
|
|
|
|
Environment.GetEnvironmentVariable("DB_USER") ?? "sa");
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (attempt < maxRetries)
|
|
|
|
|
{
|
|
|
|
|
Log.Information("Waiting {Delay} seconds before next connection attempt...", delay.TotalSeconds);
|
|
|
|
|
await Task.Delay(delay);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-08 14:14:42 +00:00
|
|
|
async Task CreateAdminUserAsync(WebApplication app)
|
|
|
|
|
{
|
|
|
|
|
try
|
|
|
|
|
{
|
|
|
|
|
using var scope = app.Services.CreateScope();
|
|
|
|
|
var userRepo = scope.ServiceProvider.GetRequiredService<Domain.Ports.Repositories.IUserRepository>();
|
|
|
|
|
var passwordService = scope.ServiceProvider.GetRequiredService<Application.Auth.IPasswordService>();
|
|
|
|
|
var unitOfWork = scope.ServiceProvider.GetRequiredService<Domain.Ports.Repositories.IUnitOfWork>();
|
|
|
|
|
|
|
|
|
|
var adminUsername = Environment.GetEnvironmentVariable("ADMIN_USERNAME") ?? "admin";
|
|
|
|
|
var adminPassword = Environment.GetEnvironmentVariable("ADMIN_PASSWORD") ?? "admin123";
|
|
|
|
|
|
|
|
|
|
if (!await userRepo.ExistsAsync(adminUsername))
|
|
|
|
|
{
|
|
|
|
|
var passwordHash = passwordService.HashPassword(adminPassword);
|
|
|
|
|
var adminUser = Domain.Entities.User.Create(adminUsername, passwordHash, Domain.Entities.UserRoles.Admin);
|
|
|
|
|
await userRepo.AddAsync(adminUser);
|
|
|
|
|
await unitOfWork.SaveChangesAsync();
|
|
|
|
|
Log.Information("Admin user '{Username}' created successfully", adminUsername);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
Log.Information("Admin user '{Username}' already exists", adminUsername);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
catch (Exception ex)
|
|
|
|
|
{
|
|
|
|
|
Log.Warning(ex, "Could not create admin user: {Message}", ex.Message);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2026-01-08 03:59:56 +00:00
|
|
|
// Security headers (OWASP recommended)
|
|
|
|
|
app.Use(async (context, next) =>
|
|
|
|
|
{
|
|
|
|
|
var headers = context.Response.Headers;
|
|
|
|
|
headers.Append("X-Content-Type-Options", "nosniff");
|
|
|
|
|
headers.Append("X-Frame-Options", "DENY");
|
|
|
|
|
headers.Append("X-XSS-Protection", "0");
|
|
|
|
|
headers.Append("Referrer-Policy", "strict-origin-when-cross-origin");
|
|
|
|
|
headers.Append("Permissions-Policy", "geolocation=(), microphone=(), camera=()");
|
|
|
|
|
// CSP: More restrictive in production, relaxed for dev (GraphQL Playground needs unsafe-inline/eval)
|
|
|
|
|
var csp = app.Environment.IsDevelopment()
|
|
|
|
|
? "default-src 'self'; " +
|
|
|
|
|
"script-src 'self' 'unsafe-inline' 'unsafe-eval'; " +
|
|
|
|
|
"style-src 'self' 'unsafe-inline'; " +
|
|
|
|
|
"img-src 'self' data: https:; " +
|
|
|
|
|
"font-src 'self'; " +
|
|
|
|
|
"connect-src 'self' http://localhost:* https://localhost:*; " +
|
|
|
|
|
"frame-ancestors 'none'; " +
|
|
|
|
|
"base-uri 'self'; " +
|
|
|
|
|
"form-action 'self'"
|
|
|
|
|
: "default-src 'self'; " +
|
|
|
|
|
"script-src 'self'; " +
|
|
|
|
|
"style-src 'self'; " +
|
|
|
|
|
"img-src 'self' data:; " +
|
|
|
|
|
"font-src 'self'; " +
|
|
|
|
|
"connect-src 'self'; " +
|
|
|
|
|
"frame-ancestors 'none'; " +
|
|
|
|
|
"base-uri 'self'; " +
|
|
|
|
|
"form-action 'self'";
|
|
|
|
|
headers.Append("Content-Security-Policy", csp);
|
|
|
|
|
if (!context.Request.IsHttps && !app.Environment.IsDevelopment())
|
|
|
|
|
{
|
|
|
|
|
headers.Append("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
|
|
|
|
|
}
|
|
|
|
|
await next();
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
// Request logging (structured logs, excludes sensitive data)
|
|
|
|
|
app.UseSerilogRequestLogging(options =>
|
|
|
|
|
{
|
|
|
|
|
options.EnrichDiagnosticContext = (diagnosticContext, httpContext) =>
|
|
|
|
|
{
|
|
|
|
|
diagnosticContext.Set("RequestHost", httpContext.Request.Host.Value);
|
|
|
|
|
diagnosticContext.Set("UserAgent", httpContext.Request.Headers.UserAgent.ToString());
|
|
|
|
|
};
|
|
|
|
|
options.MessageTemplate = "HTTP {RequestMethod} {RequestPath} responded {StatusCode} in {Elapsed:0.0000} ms";
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
// Middleware order matters for performance
|
|
|
|
|
app.UseResponseCompression();
|
|
|
|
|
app.UseCors();
|
2026-01-08 14:14:42 +00:00
|
|
|
app.UseAuthentication();
|
|
|
|
|
app.UseAuthorization();
|
2026-01-08 03:59:56 +00:00
|
|
|
app.UseRateLimiter();
|
|
|
|
|
app.UseOutputCache();
|
|
|
|
|
|
|
|
|
|
// Health check endpoint with JSON response
|
|
|
|
|
app.MapHealthChecks("/health", new HealthCheckOptions
|
|
|
|
|
{
|
|
|
|
|
ResponseWriter = async (context, report) =>
|
|
|
|
|
{
|
|
|
|
|
context.Response.ContentType = "application/json";
|
|
|
|
|
var result = new
|
|
|
|
|
{
|
|
|
|
|
status = report.Status.ToString(),
|
|
|
|
|
timestamp = DateTime.UtcNow,
|
|
|
|
|
checks = report.Entries.Select(e => new
|
|
|
|
|
{
|
|
|
|
|
name = e.Key,
|
|
|
|
|
status = e.Value.Status.ToString(),
|
|
|
|
|
description = e.Value.Description,
|
|
|
|
|
duration = e.Value.Duration.TotalMilliseconds
|
|
|
|
|
})
|
|
|
|
|
};
|
|
|
|
|
await context.Response.WriteAsync(JsonSerializer.Serialize(result, new JsonSerializerOptions
|
|
|
|
|
{
|
|
|
|
|
PropertyNamingPolicy = JsonNamingPolicy.CamelCase
|
|
|
|
|
}));
|
|
|
|
|
}
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
// GraphQL endpoint with Banana Cake Pop playground and rate limiting
|
|
|
|
|
app.MapGraphQL()
|
|
|
|
|
.RequireRateLimiting("graphql")
|
|
|
|
|
.WithOptions(new HotChocolate.AspNetCore.GraphQLServerOptions
|
|
|
|
|
{
|
|
|
|
|
Tool = { Enable = app.Environment.IsDevelopment() }
|
|
|
|
|
});
|
|
|
|
|
|
|
|
|
|
await app.RunAsync();
|
|
|
|
|
}
|
|
|
|
|
catch (Exception ex)
|
|
|
|
|
{
|
|
|
|
|
Log.Fatal(ex, "Application terminated unexpectedly");
|
|
|
|
|
}
|
|
|
|
|
finally
|
|
|
|
|
{
|
|
|
|
|
await Log.CloseAndFlushAsync();
|
|
|
|
|
}
|
