A Pick Up Line API built with .NET Core in an excuse to explore the realm of Microsoft. Using my boilerplate for Dockerized .NET Core 2.0.x Razor app boilerplate with Postgres, Gulp, Sass, ES6, custom .env vars and more.
Nothing is perfect and this project is very far from it. Bellow I document oddities to avoid unnecessary headices.
In the log there is an entry on XML DataProtection
warn: Microsoft.AspNetCore.DataProtection.KeyManagement.XmlKeyManager[35]
No XML encryptor configured. Key {....} may be persisted to storage in unencrypted form.
It might be solved by configuring data-protection
Throughout the project there are several notes regarding thing that should be changes/updated/added in order to achive a better overall security. A few examples are
- CORS is inactive
- Enviroment variables may be accessed through multiple container layers and/or process
- No viable method for error handling in controllers when assuming existing request parameters/body
Make sure you set these env vars using docker ... -e KEY="VALUE" or similar
DOTNET_ENV="Production"DATABASE_URL="postgres://user:password@host:port/db"
Many enviroment variables are stored in the env dict in Globals.cs to allow passing enviroment through docker or reading from .env, this causes appsettings.json to become unreliable. Currently both are being used and should be migrated to a better solution.
To allow migrations to be executed automatically they are being run on app start on production enviroments. This could be dangerous since data may be lost unexpectedly if an unwanted migration is commited and pushed
This is due to two main reasons.
- Postgres does by defualt not allow remote connections
- Due to Docker networking localhost inside container is not localhost outside it.
- The .NET app will always listen to port 5000
- To rename the just replace all PickupAPI entries with the name of the project as well as the project root folder