security: AI agent hardening — rate limiter keys, trusted proxy config, captcha cleanup (#1102)

This pull request adds invisible hCaptcha support to the chat widget and
strengthens security around trusted proxy handling and rate limiting.
The most important changes include server- and client-side hCaptcha
integration, improved trusted proxy CIDR configuration for forwarded
headers, and several security and code quality improvements.

**hCaptcha Integration:**

* Added invisible hCaptcha validation to chat endpoints in
`ChatController`, including a new `IsCaptchaValidAsync` method,
dependency injection of `ICaptchaService` and options, and logging for
captcha failures and service outages. The endpoints now require a valid
hCaptcha token when configured, failing open only if the hCaptcha
service is unavailable.
[[1]](diffhunk://#diff-4a94a1b44a0792e8b86260b0a32f20ffa07e3df954a2686e75fd2f2e439d61c3R4-R9)
[[2]](diffhunk://#diff-4a94a1b44a0792e8b86260b0a32f20ffa07e3df954a2686e75fd2f2e439d61c3R22-R64)
[[3]](diffhunk://#diff-4a94a1b44a0792e8b86260b0a32f20ffa07e3df954a2686e75fd2f2e439d61c3R76-R78)
[[4]](diffhunk://#diff-4a94a1b44a0792e8b86260b0a32f20ffa07e3df954a2686e75fd2f2e439d61c3R129-R135)
[[5]](diffhunk://#diff-4a94a1b44a0792e8b86260b0a32f20ffa07e3df954a2686e75fd2f2e439d61c3R233-R238)
* Updated `ChatMessageRequest` to require and document the
`CaptchaResponse` field, with validation and a larger maximum length.
* Passed the hCaptcha site key from server to client via
`_Layout.cshtml`, and rendered the invisible widget container and legal
disclosure in the chat UI only when captcha is enabled.
[[1]](diffhunk://#diff-99124c9dc22814eb65ae9a3d958e2657465c737eb30cbdeb58316c2adeef74c0R9-R13)
[[2]](diffhunk://#diff-99124c9dc22814eb65ae9a3d958e2657465c737eb30cbdeb58316c2adeef74c0R197)
[[3]](diffhunk://#diff-a3f79adcd2637b729b61fe3c2d59b4dc5b693f3603862fc546b993b65487cfa4R14)
[[4]](diffhunk://#diff-a3f79adcd2637b729b61fe3c2d59b4dc5b693f3603862fc546b993b65487cfa4R27-R38)
[[5]](diffhunk://#diff-a3f79adcd2637b729b61fe3c2d59b4dc5b693f3603862fc546b993b65487cfa4R205-R211)
* Implemented client-side hCaptcha integration in `chat-module.js`,
including widget initialization, token retrieval with timeout and error
handling, and reset logic.

**Trusted Proxy and Rate Limiting Security:**

* Enhanced trusted proxy CIDR configuration for forwarded headers in
`Program.cs`, including parsing from configuration, warnings for
missing/invalid configuration, and detailed comments about the security
implications of not setting this value.
[[1]](diffhunk://#diff-18732233c16eb367b49fa9d7a6f04dcffb924031136727c74868735c15885102L115-R133)
[[2]](diffhunk://#diff-18732233c16eb367b49fa9d7a6f04dcffb924031136727c74868735c15885102R442-R451)
[[3]](diffhunk://#diff-e47670b0d9a1e97097e60cb20a1dbf08655ba40a8196819edf43617bb0390973R5-R7)
[[4]](diffhunk://#diff-18732233c16eb367b49fa9d7a6f04dcffb924031136727c74868735c15885102R638-R640)
* Updated rate limiter partitioning to consistently use
`ClaimTypes.NameIdentifier` for user partition keys, improving stability
and reducing risk of key conflation.
[[1]](diffhunk://#diff-18732233c16eb367b49fa9d7a6f04dcffb924031136727c74868735c15885102L311-R325)
[[2]](diffhunk://#diff-18732233c16eb367b49fa9d7a6f04dcffb924031136727c74868735c15885102L329-R343)
[[3]](diffhunk://#diff-841708f0e87c8eb4799aabe8afab12259bdb8ac1baaad89a240b48bf4de5cd93L29-R29)
[[4]](diffhunk://#diff-844f40bab2fc81e7d7bbca30e8fdb1a9e954586ea54660ffadee57b6eb548f72L24)

**Other Improvements:**

* Removed the unused `requiresCaptcha` field from the rate limit error
response.
* Changed sitemap validation exception handling to only catch
`InvalidOperationException`, making error handling more precise.

These changes collectively add robust human verification to the chat
feature, improve rate limiting and IP spoofing protections, and enhance
code maintainability.

Author: BenjaminMichaelis

EssentialCSharp.Web/Controllers/ChatController.cs

@@ -2,10 +2,12 @@
 using System.Security.Claims;
 using System.Text.Json;
 using EssentialCSharp.Chat.Common.Services;
+using EssentialCSharp.Web.Models;
 using EssentialCSharp.Web.Services;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.AspNetCore.RateLimiting;
+using Microsoft.Extensions.Options;
 
 namespace EssentialCSharp.Web.Controllers;
 
@@ -18,15 +20,49 @@ public partial class ChatController : ControllerBase
 {
     private readonly AIChatService _AIChatService;
     private readonly ResponseIdValidationService _ResponseIdValidationService;
+    private readonly ICaptchaService _CaptchaService;
+    private readonly CaptchaOptions _CaptchaOptions;
     private readonly ILogger<ChatController> _Logger;
 
-    public ChatController(ILogger<ChatController> logger, AIChatService aiChatService, ResponseIdValidationService responseIdValidationService)
+    public ChatController(ILogger<ChatController> logger, AIChatService aiChatService,
+        ResponseIdValidationService responseIdValidationService,
+        ICaptchaService captchaService, IOptions<CaptchaOptions> captchaOptions)
     {
         _AIChatService = aiChatService;
         _ResponseIdValidationService = responseIdValidationService;
+        _CaptchaService = captchaService;
+        _CaptchaOptions = captchaOptions.Value;
         _Logger = logger;
     }
 
+    /// <summary>
+    /// Validates the hCaptcha token when captcha is configured.
+    /// Returns <c>true</c> when captcha is not configured (dev mode) or when the token is valid.
+    /// Returns <c>false</c> for missing or invalid tokens.
+    /// Returns <c>null</c> when hCaptcha cannot be reached, so the caller can fail closed.
+    /// </summary>
+    private async Task<bool?> IsCaptchaValidAsync(string? token, string? remoteIp, CancellationToken ct)
+    {
+        if (string.IsNullOrWhiteSpace(_CaptchaOptions.SecretKey))
+            return true; // captcha not configured — skip validation
+
+        if (string.IsNullOrWhiteSpace(token))
+            return false; // token required when captcha is configured — reject without an outbound call
+
+        HCaptchaResult? result = await _CaptchaService.VerifyAsync(token, remoteIp, ct);
+        if (result is null)
+        {
+            LogCaptchaServiceUnavailable(_Logger); // hCaptcha unreachable — fail closed
+            return null;
+        }
+
+        if (!result.Success)
+        {
+            LogCaptchaValidationFailed(_Logger, string.Join(',', result.ErrorCodes ?? []));
+        }
+        return result.Success;
+    }
+
     [HttpPost("message")]
     public async Task<IActionResult> SendMessage([FromBody] ChatMessageRequest request, CancellationToken cancellationToken = default)
     {
@@ -38,6 +74,12 @@ public async Task<IActionResult> SendMessage([FromBody] ChatMessageRequest reque
         if (string.IsNullOrEmpty(userId))
             return Unauthorized();
 
+        bool? captchaValid = await IsCaptchaValidAsync(request.CaptchaResponse, HttpContext.Connection.RemoteIpAddress?.ToString(), cancellationToken);
+        if (captchaValid is null)
+            return StatusCode(503, new { error = "Human verification is temporarily unavailable. Please try again later.", errorCode = "captcha_unavailable" });
+        if (!captchaValid.Value)
+            return StatusCode(403, new { error = "Human verification required.", errorCode = "captcha_failed" });
+
         var previousResponseId = string.IsNullOrWhiteSpace(request.PreviousResponseId)
             ? null
             : request.PreviousResponseId.Trim();
@@ -88,6 +130,20 @@ public async Task StreamMessage([FromBody] ChatMessageRequest request, Cancellat
             return;
         }
 
+        bool? captchaValid = await IsCaptchaValidAsync(request.CaptchaResponse, HttpContext.Connection.RemoteIpAddress?.ToString(), cancellationToken);
+        if (captchaValid is null)
+        {
+            Response.StatusCode = 503;
+            await Response.WriteAsJsonAsync(new { error = "Human verification is temporarily unavailable. Please try again later.", errorCode = "captcha_unavailable" }, cancellationToken);
+            return;
+        }
+        if (!captchaValid.Value)
+        {
+            Response.StatusCode = 403;
+            await Response.WriteAsJsonAsync(new { error = "Human verification required.", errorCode = "captcha_failed" }, cancellationToken);
+            return;
+        }
+
         var previousResponseId = string.IsNullOrWhiteSpace(request.PreviousResponseId)
             ? null
             : request.PreviousResponseId.Trim();
@@ -234,6 +290,12 @@ public async Task StreamMessage([FromBody] ChatMessageRequest request, Cancellat
         }
     }
 
+    [LoggerMessage(Level = LogLevel.Warning, Message = "hCaptcha service unavailable during chat request — failing closed (503)")]
+    private static partial void LogCaptchaServiceUnavailable(ILogger<ChatController> logger);
+
+    [LoggerMessage(Level = LogLevel.Warning, Message = "hCaptcha validation failed for chat request — error codes: {ErrorCodes}")]
+    private static partial void LogCaptchaValidationFailed(ILogger<ChatController> logger, string errorCodes);
+
     [LoggerMessage(Level = LogLevel.Debug, Message = "Chat stream cancelled for user {User}")]
     private static partial void LogChatStreamCancelled(ILogger<ChatController> logger, string? user);
 

EssentialCSharp.Web/Controllers/ChatMessageRequest.cs

@@ -10,5 +10,10 @@ public class ChatMessageRequest
     [StringLength(200)]
     public string? PreviousResponseId { get; set; }
     public bool EnableContextualSearch { get; set; } = true;
-    public string? CaptchaResponse { get; set; } // For future captcha implementation
+    /// <summary>
+    /// hCaptcha token obtained from the client-side invisible widget.
+    /// Required when <c>CaptchaOptions.SecretKey</c> is configured; ignored otherwise.
+    /// </summary>
+    [StringLength(2000)]
+    public string? CaptchaResponse { get; set; }
 }

EssentialCSharp.Web/Program.cs

@@ -135,8 +135,6 @@ private static void Main(string[] args)
             c.Timeout = TimeSpan.FromSeconds(3);
         });
 
-
-
         builder.Services.AddTrustedForwardedHeaders(builder.Configuration, builder.Environment);
 
         ConfigurationManager configuration = builder.Configuration;
@@ -330,7 +328,7 @@ private static void Main(string[] args)
                     return RateLimitPartition.GetNoLimiter("mcp-transport");
 
                 var partitionKey = httpContext.User.Identity?.IsAuthenticated == true
-                    ? httpContext.User.FindFirst(ClaimTypes.NameIdentifier)?.Value ?? "unknown-user"
+                    ? httpContext.User.FindFirstValue(ClaimTypes.NameIdentifier) ?? "unknown-user"
                     : httpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown-ip";
 
                 return RateLimitPartition.GetFixedWindowLimiter(
@@ -348,7 +346,7 @@ private static void Main(string[] args)
             {
                 // Partitioned per-user (when authenticated) or per-IP (anonymous)
                 var partitionKey = httpContext.User.Identity?.IsAuthenticated == true
-                    ? $"chat-user:{httpContext.User.Identity.Name ?? "unknown-user"}"
+                    ? $"chat-user:{httpContext.User.FindFirstValue(ClaimTypes.NameIdentifier) ?? "unknown-user"}"
                     : $"chat-ip:{httpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown-ip"}";
 
                 return RateLimitPartition.GetFixedWindowLimiter(
@@ -385,7 +383,6 @@ private static void Main(string[] args)
                     Dictionary<string, object> errorResponse = new()
                     {
                         ["error"] = "Rate limit exceeded. Please wait before sending another message.",
-                        ["requiresCaptcha"] = true,
                         ["statusCode"] = 429
                     };
                     if (retryAfterSeconds is int retryAfter)
@@ -637,16 +634,6 @@ await McpJsonRpcResponseWriter.WriteErrorAsync(
             LogSitemapValidationFailed(logger, ex);
             // Continue startup even if sitemap validation fails
         }
-        catch (ArgumentException ex)
-        {
-            LogSitemapValidationFailed(logger, ex);
-            // Continue startup even if sitemap validation fails
-        }
-        catch (FormatException ex)
-        {
-            LogSitemapValidationFailed(logger, ex);
-            // Continue startup even if sitemap validation fails
-        }
 
         app.Run();
     }

EssentialCSharp.Web/Services/ContentRateLimiterPolicy.cs

@@ -26,7 +26,7 @@ public RateLimitPartition<string> GetPartition(HttpContext httpContext)
         // Use stable user ID (GUID) for authenticated users so the bucket survives
         // username changes and doesn't conflate login/logout with scraping.
         string partitionKey = isAuthenticated
-            ? $"user:{httpContext.User.FindFirstValue(ClaimTypes.NameIdentifier) ?? httpContext.User.Identity!.Name ?? "unknown"}"
+            ? $"user:{httpContext.User.FindFirstValue(ClaimTypes.NameIdentifier) ?? "unknown-user"}"
             : $"ip:{httpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown-ip"}";
 
         int perMinuteLimit = isAuthenticated ? AuthenticatedPerMinute : AnonymousPerMinute;

EssentialCSharp.Web/Services/McpRateLimiterPolicy.cs

@@ -21,7 +21,6 @@ public RateLimitPartition<string> GetPartition(HttpContext httpContext)
         if (httpContext.User.Identity?.IsAuthenticated == true)
         {
             string userId = httpContext.User.FindFirstValue(ClaimTypes.NameIdentifier)
-                ?? httpContext.User.Identity?.Name
                 ?? "unknown-user";
 
             return RateLimitPartition.GetTokenBucketLimiter(

EssentialCSharp.Web/Views/Shared/_Layout.cshtml

@@ -7,9 +7,11 @@
 @using Microsoft.AspNetCore.Identity
 @using EssentialCSharp.Web.Areas.Identity.Data
 @using Microsoft.Extensions.Configuration
+@using Microsoft.Extensions.Options
 @inject ISiteMappingService _SiteMappings
 @inject SignInManager<EssentialCSharpWebUser> SignInManager
 @inject IConfiguration Configuration
+@inject IOptions<CaptchaOptions> _CaptchaOptions
 <!DOCTYPE html>
 <html lang="en">
 <head>
@@ -193,6 +195,10 @@
             var buildLabel = ReleaseDateAttribute.GetReleaseDate() is DateTime date
                 ? TimeZoneInfo.ConvertTimeFromUtc(date, TimeZoneInfo.FindSystemTimeZoneById("Pacific Standard Time")).ToString("d MMM, yyyy h:mm:ss tt", CultureInfo.InvariantCulture)
                 : null;
+            var chatCaptchaSiteKey = !string.IsNullOrWhiteSpace(_CaptchaOptions.Value.SecretKey)
+                && !string.IsNullOrWhiteSpace(_CaptchaOptions.Value.SiteKey)
+                ? _CaptchaOptions.Value.SiteKey
+                : null;
         }
         window.PERCENT_COMPLETE = @Json.Serialize(percentComplete);
         window.PREVIOUS_PAGE = @Json.Serialize(ViewBag.PreviousPage);
@@ -204,6 +210,7 @@
         window.APPLICATIONINSIGHTS_CONNECTION_STRING = @Json.Serialize(Configuration["APPLICATIONINSIGHTS_CONNECTION_STRING"]);
         window.BUILD_LABEL = @Json.Serialize(buildLabel);
         window.ENABLE_CHAT_WIDGET = @Json.Serialize(!Context.Request.Path.StartsWithSegments("/Identity"));
+        window.HCAPTCHA_SITE_KEY = @Json.Serialize(chatCaptchaSiteKey);
     </script>
     <script src="~/dist/assets/site-shell.js" type="module" asp-append-version="true"></script>
 </body>

EssentialCSharp.Web/src/components/ChatWidget.vue

@@ -11,6 +11,7 @@ const {
     isTyping,
     chatMessagesEl,
     chatInputField,
+    captchaSiteKey,
     openChatDialog,
     closeChatDialog,
     clearChatHistory,
@@ -23,6 +24,18 @@ const {
 
 <template>
     <div class="chat-widget">
+        <!--
+            Invisible hCaptcha container: lives outside the v-if dialog so the widget
+            persists across open/close cycles and only needs to be initialized once.
+            Renders only when captcha is configured (HCAPTCHA_SITE_KEY is non-null).
+        -->
+        <div
+            v-if="captchaSiteKey"
+            id="chat-captcha-container"
+            class="visually-hidden"
+            aria-hidden="true"
+        />
+
         <button
             class="chat-button elevation-6"
             :class="{ 'chat-button--active': showChatDialog }"
@@ -189,6 +202,13 @@ const {
                             Type your question and press Enter or click send. Maximum 500 characters.
                         </div>
                     </form>
+                    <!-- hCaptcha legal disclosure required for invisible mode -->
+                    <p v-if="captchaSiteKey" class="captcha-notice small text-muted mt-1">
+                        Protected by hCaptcha —
+                        <a href="https://www.hcaptcha.com/privacy" target="_blank" rel="noopener noreferrer">Privacy</a>
+                        &amp;
+                        <a href="https://www.hcaptcha.com/terms" target="_blank" rel="noopener noreferrer">Terms</a>
+                    </p>
                 </div>
             </div>
         </div>