Skip to content

fix: stop seeding demo accounts in prod + rotate exposed ones#28

Merged
ritsth merged 3 commits into
mainfrom
fix/prod-demo-account-exposure
Jul 2, 2026
Merged

fix: stop seeding demo accounts in prod + rotate exposed ones#28
ritsth merged 3 commits into
mainfrom
fix/prod-demo-account-exposure

Conversation

@ritsth

@ritsth ritsth commented Jul 2, 2026

Copy link
Copy Markdown
Owner

Summary

  • DbInitializer was unconditionally seeding demo login accounts (customer1, customer2, shareholder1) into Production, and shareholder1's password was published in Markdown files/ChatBot.md — a public-repo reader could log in with real Shareholder-level access (full cross-branch inventory + business analytics).
  • Demo accounts no longer seed when IHostEnvironment.IsProduction() — still seed normally in Development/Testing so local dev and the test suite are unaffected.
  • Any copies already seeded in the live Production DB get their password hash rotated to a fresh random value (never logged/stored) on every Production startup — the published passwords stop working the moment this deploys.
  • Scrubbed the plaintext password from ChatBot.md; documented the fix in SECURITY_POSTURE.md.

Test plan

  • dotnet build BlueberryMart.Api — 0 warnings/errors
  • dotnet format BlueberryMart.Api --verify-no-changes — clean
  • dotnet test Tests/BlueberryMart.Api.Tests — 138/138 passed (Testing env still seeds demo accounts, so existing tests are unaffected)
  • After merge, confirm on Cloud Run logs that the rotation ran once against prod, then confirm shareholder1@blueberrymart.com / shareholder1_password no longer logs in

🤖 Generated with Claude Code

ritsth and others added 3 commits July 2, 2026 12:10
Adds pull_request triggers so CI runs on contributor PRs. Deploy jobs
are gated with github.event_name == 'push' so PRs test but never deploy.
Matches new required status checks in the main branch ruleset.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
DbInitializer was seeding demo login accounts (customer1/2, shareholder1)
into Production on every startup, and shareholder1's password was
published in ChatBot.md — a public-repo reader could log in with real
Shareholder-level access (full cross-branch inventory + analytics).

- SeedDemoData no longer creates the demo accounts when
  IHostEnvironment.IsProduction(); still seeds them in Development/Testing
  so the existing test suite and local dev are unaffected.
- RotateLegacyDemoAccountPasswords overwrites the password hash of any
  already-seeded copies in Production with a random, never-logged value
  on every Production startup, so the published passwords stop working
  as soon as this deploys.
- Scrubbed the plaintext password from ChatBot.md's verify example.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@ritsth ritsth merged commit ae3b976 into main Jul 2, 2026
10 checks passed
@ritsth ritsth deleted the fix/prod-demo-account-exposure branch July 2, 2026 23:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant