security(seeding): require explicit admin password outside dev/test

aalmada · aalmada · commit d5b3b5bf3675 · 2026-04-19T12:09:12.000+01:00
diff --git a/docs/guides/authentication-guide.md b/docs/guides/authentication-guide.md
@@ -59,6 +59,7 @@ graph TB
 - Tenant admin seeding now requires an explicit password outside Development/Test contexts.
 - Configure a default seed password with `Seeding:AdminPassword` (or the environment variable `Seeding__AdminPassword`) when startup seeding is enabled.
 - In Development/Test only, if no explicit password is provided, the legacy fallback `Admin123!` is still used to keep local and automated test flows deterministic.
+- For CI, staging, and production environments, always provide `Seeding__AdminPassword` through your secret store or deployment pipeline variables.
 
 Example configuration:
 
diff --git a/src/BookStore.ApiService/Handlers/TenantAdminHandler.cs b/src/BookStore.ApiService/Handlers/TenantAdminHandler.cs
@@ -4,6 +4,8 @@
 using BookStore.ApiService.Models;
 using Marten;
 using Microsoft.AspNetCore.Identity;
+using Microsoft.Extensions.Configuration;
+using Microsoft.Extensions.Hosting;
 using Microsoft.Extensions.Logging;
 using Wolverine;
 
@@ -16,10 +18,14 @@ public static async Task Handle(
         IDocumentSession session,
         UserManager<ApplicationUser> userManager,
         IMessageBus bus,
+        IConfiguration configuration,
+        IHostEnvironment environment,
         ILogger logger,
         CancellationToken ct)
     {
         Log.Tenants.SeedingAdminUser(logger, command.TenantId, session.TenantId);
+        var defaultAdminPassword = configuration["Seeding:AdminPassword"];
+        var allowInsecureDevelopmentFallback = environment.IsDevelopment() || environment.IsEnvironment("Testing") || environment.IsEnvironment("Test");
 
         // Seed the admin user using the tenant-scoped session
         // confirmEmail is false if verification is required
@@ -28,6 +34,8 @@ public static async Task Handle(
             command.TenantId,
             command.Email,
             command.Password,
+            defaultPassword: defaultAdminPassword,
+            allowInsecureDevelopmentFallback: allowInsecureDevelopmentFallback,
             confirmEmail: !command.VerificationRequired);
 
         if (adminUser != null)
diff --git a/src/BookStore.ApiService/Infrastructure/DatabaseSeeder.cs b/src/BookStore.ApiService/Infrastructure/DatabaseSeeder.cs
@@ -23,6 +23,8 @@ public class DatabaseSeeder(
     IMessageBus bus,
     ILogger<DatabaseSeeder> logger)
 {
+    const string DevelopmentFallbackAdminPassword = "Admin123!";
+
 
     public async Task SeedTenantsAsync(string[] tenantIds)
     {
@@ -72,15 +74,24 @@ public async Task SeedTenantsAsync(string[] tenantIds)
         _ => ("BookStore", "Discover your next great read from our curated collection", "#594AE2")
     };
 
-    public async Task SeedAsync(string tenantId)
+    public async Task SeedAsync(
+        string tenantId,
+        string? defaultAdminPassword = null,
+        bool allowInsecureDevelopmentFallback = false)
     {
         // Since we use "*DEFAULT*" as the default tenant ID, we can pass it directly
         await using var session = store.LightweightSession(tenantId);
 
         // Seed tenant-specific admin user using the tenant-scoped session
         // This is outside the 'existingBooks' guard to ensure admins are always present
         // even if data was previously partially seeded. The method itself handles idempotency.
-        _ = await SeedAdminUserAsync(session, tenantId, logger: logger);
+        _ = await SeedAdminUserAsync(
+            session,
+            tenantId,
+            password: null,
+            defaultPassword: defaultAdminPassword,
+            allowInsecureDevelopmentFallback: allowInsecureDevelopmentFallback,
+            logger: logger);
 
         // Check if already seeded with books
         var existingBooks = await session.Query<BookSearchProjection>().AnyAsync();
@@ -116,6 +127,8 @@ public async Task SeedAsync(string tenantId)
         string tenantId,
         string? email = null,
         string? password = null,
+        string? defaultPassword = null,
+        bool allowInsecureDevelopmentFallback = false,
         bool confirmEmail = true,
         ILogger? logger = null)
     {
@@ -125,7 +138,10 @@ public async Task SeedAsync(string tenantId)
             : tenantId;
         var adminEmail = email ?? $"admin@{tenantAlias}.com";
 
-        var adminPassword = password ?? "Admin123!";
+        var adminPassword = ResolveAdminSeedPassword(
+            password,
+            defaultPassword,
+            allowInsecureDevelopmentFallback);
 
         // Check if admin user already exists in THIS tenant
         var existingAdmin = await session.Query<Models.ApplicationUser>()
@@ -200,6 +216,31 @@ public async Task SeedAsync(string tenantId)
         return adminUser;
     }
 
+    internal static string ResolveAdminSeedPassword(
+        string? password,
+        string? defaultPassword,
+        bool allowInsecureDevelopmentFallback)
+    {
+        if (!string.IsNullOrWhiteSpace(password))
+        {
+            return password;
+        }
+
+        if (!string.IsNullOrWhiteSpace(defaultPassword))
+        {
+            return defaultPassword;
+        }
+
+        if (allowInsecureDevelopmentFallback)
+        {
+            return DevelopmentFallbackAdminPassword;
+        }
+
+        throw new InvalidOperationException(
+            "Tenant admin seeding requires an explicit password outside Development/Test. " +
+            "Provide the command password or configure Seeding:AdminPassword.");
+    }
+
     static Dictionary<string, PublisherAdded> SeedPublishers(IDocumentSession session, ILogger logger)
     {
         Log.Seeding.SeedingPublishers(logger);
diff --git a/src/BookStore.ApiService/Infrastructure/Extensions/DatabaseExtensions.cs b/src/BookStore.ApiService/Infrastructure/Extensions/DatabaseExtensions.cs
@@ -30,6 +30,8 @@ public static void RunDatabaseSeedingAsync(this WebApplication app)
             var logger = app.Services.GetRequiredService<ILogger<Program>>();
             var env = app.Services.GetRequiredService<IHostEnvironment>();
             var seedingEnabled = app.Configuration.GetValue("Seeding:Enabled", true);
+            var seedingAdminPassword = app.Configuration["Seeding:AdminPassword"];
+            var allowInsecureDevelopmentFallback = env.IsDevelopment() || env.IsEnvironment("Testing") || env.IsEnvironment("Test");
 
             Log.Infrastructure.StartupTaskRunning(logger, env.EnvironmentName, seedingEnabled);
 
@@ -65,7 +67,10 @@ public static void RunDatabaseSeedingAsync(this WebApplication app)
                         {
                             Log.Infrastructure.SeedingTenant(logger, tenantId);
 
-                            await seeder.SeedAsync(tenantId);
+                            await seeder.SeedAsync(
+                                tenantId,
+                                seedingAdminPassword,
+                                allowInsecureDevelopmentFallback);
 
                             // Wait for async projections to process the seeded events for this tenant
                             await WaitForProjectionsAsync(store, logger, tenantId);
diff --git a/tests/BookStore.ApiService.UnitTests/Infrastructure/DatabaseSeederPasswordTests.cs b/tests/BookStore.ApiService.UnitTests/Infrastructure/DatabaseSeederPasswordTests.cs
@@ -0,0 +1,61 @@
+using BookStore.ApiService.Infrastructure;
+
+namespace BookStore.ApiService.UnitTests.Infrastructure;
+
+public class DatabaseSeederPasswordTests
+{
+    [Test]
+    [Category("Unit")]
+    public async Task ResolveAdminSeedPassword_WithExplicitPassword_ShouldReturnExplicitPassword()
+    {
+        // Act
+        var resolved = DatabaseSeeder.ResolveAdminSeedPassword(
+            password: "Explicit-Password-123!",
+            defaultPassword: "Configured-Password-123!",
+            allowInsecureDevelopmentFallback: false);
+
+        // Assert
+        _ = await Assert.That(resolved).IsEqualTo("Explicit-Password-123!");
+    }
+
+    [Test]
+    [Category("Unit")]
+    public async Task ResolveAdminSeedPassword_WithoutExplicitPassword_WithConfiguredDefault_ShouldReturnConfiguredPassword()
+    {
+        // Act
+        var resolved = DatabaseSeeder.ResolveAdminSeedPassword(
+            password: null,
+            defaultPassword: "Configured-Password-123!",
+            allowInsecureDevelopmentFallback: false);
+
+        // Assert
+        _ = await Assert.That(resolved).IsEqualTo("Configured-Password-123!");
+    }
+
+    [Test]
+    [Category("Unit")]
+    public async Task ResolveAdminSeedPassword_WithoutPasswords_InDevelopment_ShouldReturnLegacyFallback()
+    {
+        // Act
+        var resolved = DatabaseSeeder.ResolveAdminSeedPassword(
+            password: null,
+            defaultPassword: null,
+            allowInsecureDevelopmentFallback: true);
+
+        // Assert
+        _ = await Assert.That(resolved).IsEqualTo("Admin123!");
+    }
+
+    [Test]
+    [Category("Unit")]
+    public async Task ResolveAdminSeedPassword_WithoutPasswords_OutsideDevelopment_ShouldThrow()
+    {
+        // Act + Assert
+        _ = await Assert.That(() => DatabaseSeeder.ResolveAdminSeedPassword(
+                password: null,
+                defaultPassword: null,
+                allowInsecureDevelopmentFallback: false))
+            .Throws<InvalidOperationException>()
+            .WithMessage("Tenant admin seeding requires an explicit password outside Development/Test. Provide the command password or configure Seeding:AdminPassword.");
+    }
+}
