SignalR Security

DiunaBI.API/Hubs/EntityChangeHub.cs

@@ -1,16 +1,15 @@
+using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.SignalR;
 
 namespace DiunaBI.API.Hubs;
 
+/// <summary>
+/// SignalR hub for broadcasting entity change notifications to authenticated clients.
+/// Clients can only listen - broadcasting is done server-side by EntityChangeInterceptor.
+/// </summary>
+[Authorize]
 public class EntityChangeHub : Hub
 {
-    public async Task SendEntityChange(string module, string id, string operation)
-    {
-        await Clients.All.SendAsync("EntityChanged", new
-        {
-            module,
-            id,
-            operation
-        });
-    }
+    // No public methods - clients can only listen for "EntityChanged" events
+    // Broadcasting is handled server-side by EntityChangeInterceptor via IHubContext
 }

DiunaBI.API/Program.cs

@@ -37,7 +37,12 @@ builder.Services.AddSingleton<EntityChangeInterceptor>();
 builder.Services.AddDbContext<AppDbContext>((serviceProvider, options) =>
 {
     options.UseSqlServer(connectionString, sqlOptions => sqlOptions.MigrationsAssembly("DiunaBI.Infrastructure"));
-    options.EnableSensitiveDataLogging();
+
+    // Only log SQL parameters in development (may contain sensitive data)
+    if (builder.Environment.IsDevelopment())
+    {
+        options.EnableSensitiveDataLogging();
+    }
 
     // Add EntityChangeInterceptor
     var interceptor = serviceProvider.GetRequiredService<EntityChangeInterceptor>();
@@ -254,8 +259,8 @@ app.Use(async (context, next) =>
 
 app.MapControllers();
 
-// SignalR Hub
-app.MapHub<EntityChangeHub>("/hubs/entitychanges");
+// SignalR Hub - Requires JWT authentication
+app.MapHub<EntityChangeHub>("/hubs/entitychanges").RequireAuthorization();
 
 app.MapGet("/health", () => Results.Ok(new { status = "OK", timestamp = DateTime.UtcNow }))
     .AllowAnonymous();