Telli/DFMS_main
DFMS Security Guidelines

Secrets Management

⚠️ CRITICAL: Never Commit Secrets to Source Control

The following files contain sensitive information and should NEVER be committed:

  • appsettings.Production.json - Production configuration with real passwords
  • appsettings.json - Development settings (currently contains hardcoded secrets - see below)

Current Security Issues to Address

  1. Move secrets to environment variables or User Secrets:

    # Set environment variables (Windows PowerShell)
    $env:ConnectionStrings__DefaultConnection = "your-connection-string"
    $env:Jwt__Key = "your-jwt-key"
    $env:EmailSettings__MailPassword = "your-email-password"
  2. Or use .NET User Secrets for development:

    dotnet user-secrets init
    dotnet user-secrets set "Jwt:Key" "your-secure-key"
    dotnet user-secrets set "ConnectionStrings:DefaultConnection" "your-connection-string"
  3. For production, use Azure Key Vault or similar

Security Fixes Applied

CSRF Protection

  • All POST methods in AdminController now have [ValidateAntiForgeryToken] attribute
  • Ensure all forms include @Html.AntiForgeryToken() or use tag helpers with asp-action

API Registration

  • The /api/authentication/register endpoint now requires the Administrator role
  • It was previously open to anyone ([AllowAnonymous])

Path Traversal Protection

  • File download/display functions now validate filenames
  • Path resolution ensures files are within allowed directories
  • Use FileSecurityHelper.TryGetSafeFilePath() for new file operations
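As an added illustration (not the project's FileSecurityHelper, whose implementation is not shown here), this is the shape of the check the guideline describes: accept only a bare file name, resolve it against the allowed directory, and confirm the canonical result still lies inside that directory. The class and method names below are assumed for the example.

```csharp
using System;
using System.IO;

// Hypothetical example of a safe-path check; not the project's own helper.
public static class SafePathExample
{
    public static bool TryGetSafeFilePath(string allowedRoot, string userSuppliedName, out string fullPath)
    {
        fullPath = null;
        if (string.IsNullOrWhiteSpace(userSuppliedName)) return false;

        // Accept only a bare file name: no separators of either kind, no rooted paths,
        // and nothing that differs from its own GetFileName() (catches "..", "./x", etc.).
        if (userSuppliedName.IndexOfAny(new[] { '/', '\\' }) >= 0) return false;
        if (userSuppliedName.IndexOfAny(Path.GetInvalidFileNameChars()) >= 0) return false;
        if (Path.IsPathRooted(userSuppliedName)) return false;
        if (!string.Equals(Path.GetFileName(userSuppliedName), userSuppliedName, StringComparison.Ordinal)) return false;

        // Canonicalise both sides so ".." segments and relative roots are normalised consistently.
        string root = Path.GetFullPath(allowedRoot);
        if (!root.EndsWith(Path.DirectorySeparatorChar)) root += Path.DirectorySeparatorChar;
        string candidate = Path.GetFullPath(Path.Combine(root, userSuppliedName));

        // Containment check on the resolved path; Windows paths compare case-insensitively.
        var cmp = OperatingSystem.IsWindows() ? StringComparison.OrdinalIgnoreCase : StringComparison.Ordinal;
        if (!candidate.StartsWith(root, cmp)) return false;

        fullPath = candidate;
        return true;
    }

    public static void Main()
    {
        // Constructed sample inputs: one legitimate name and several traversal attempts.
        string root = Path.Combine(Path.GetTempPath(), "dfms-uploads");
        string[] names = { "report.pdf", "../appsettings.json", @"..\..\web.config", "/etc/passwd", @"C:\Windows\win.ini", ".." };
        foreach (var name in names)
        {
            bool ok = TryGetSafeFilePath(root, name, out var resolved);
            Console.WriteLine($"{name,-24} -> {(ok ? resolved : "REJECTED")}");
        }
    }
}
```

Only "report.pdf" resolves; every other input is rejected before any file system access takes place.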

Authorization

  • Users can only view their own details (unless Administrator)
  • Added proper authorization checks to Details action

Logging

  • Removed JWT key logging from AuthUserService and Program.cs
  • Never log sensitive information (passwords, tokens, keys)

Error Handling

  • Developer Exception Page only shows in Development environment
  • Production uses generic error page

Recommended Next Steps

  1. Rotate all secrets that were in appsettings.json (they're in git history)
  2. Add .gitignore with entries for:
    appsettings.Production.json
    appsettings.*.local.json
  3. Enable HTTPS redirect in production
  4. Add rate limiting to login endpoints
  5. Implement audit logging for sensitive operations
  6. Add account lockout policies (already configured in Program.cs)

Role Definitions

Role           Purpose
Administrator  Full system access
User           Practitioner access
FacilityUser   Institution/Facility access
Finance        Payment-related functions
ApiUser        External API integrations
