Refactor security analysis and improve caching logic

Replaced static dictionaries with FusionCache for IP analysis,
enhancing scalability and distributed cache compatibility.
Refactored novelty factor analysis with relaxed heuristics
for IP, region, and browser data, improving accuracy and
testability. Introduced `SecurityAnalysisHeuristics` for
modular helper methods and added corresponding unit tests.

Unified exception handling with a global handler and adjusted
middleware order for proper execution. Updated `UserPreference`
color lists and simplified UI interaction state adjustments.
Upgraded `Microsoft.Extensions.Logging.Abstractions` to 9.0.9.

Author: neozhu

src/Application/Pipeline/PreProcessors/ValidationPreProcessor.cs

@@ -6,7 +6,8 @@ public sealed class ValidationPreProcessor<TRequest> : IRequestPreProcessor<TReq
 
     public ValidationPreProcessor(IEnumerable<IValidator<TRequest>> validators)
     {
-        _validators = validators.ToList() ?? throw new ArgumentNullException(nameof(validators));
+        if (validators is null) throw new ArgumentNullException(nameof(validators));
+        _validators = validators.ToList();
     }
 
     public async Task Process(TRequest request, CancellationToken cancellationToken)

src/Infrastructure/Services/SecurityAnalysisHeuristics.cs

@@ -0,0 +1,89 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.Net;
+using System.Text.RegularExpressions;
+
+namespace CleanArchitecture.Blazor.Infrastructure.Services;
+
+public static class SecurityAnalysisHeuristics
+{
+    public static string NormalizeIpForThrottle(string? ip)
+    {
+        if (string.IsNullOrWhiteSpace(ip)) return string.Empty;
+        if (IPAddress.TryParse(ip, out var addr))
+        {
+            if (addr.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork)
+            {
+                return addr.ToString();
+            }
+            if (addr.AddressFamily == System.Net.Sockets.AddressFamily.InterNetworkV6)
+            {
+                var bytes = addr.GetAddressBytes();
+                return string.Join(':', Enumerable.Range(0, 8/2).Select(i => bytes[2*i].ToString("x2") + bytes[2*i+1].ToString("x2")));
+            }
+        }
+        return ip.Trim();
+    }
+
+    public static string NormalizeIpForHeuristic(string? ip)
+    {
+        if (string.IsNullOrWhiteSpace(ip)) return string.Empty;
+        if (IPAddress.TryParse(ip, out var addr))
+        {
+            if (addr.AddressFamily == System.Net.Sockets.AddressFamily.InterNetwork)
+            {
+                var parts = ip.Split('.');
+                if (parts.Length == 4) return $"{parts[0]}.{parts[1]}.{parts[2]}.*";
+            }
+            else if (addr.AddressFamily == System.Net.Sockets.AddressFamily.InterNetworkV6)
+            {
+                var segments = ip.Split(':');
+                if (segments.Length >= 4)
+                {
+                    return string.Join(':', segments.Take(4)) + ":*";
+                }
+            }
+        }
+        return ip.Trim();
+    }
+
+    public static string ExtractUserAgentCore(string? userAgent)
+    {
+        if (string.IsNullOrWhiteSpace(userAgent)) return string.Empty;
+        var match = Regex.Match(userAgent, "(Chrome|Firefox|Safari|Edg|Edge|OPR|Opera|Brave)[/ ](?<ver>\\d+)", RegexOptions.IgnoreCase);
+        if (match.Success)
+        {
+            var name = match.Groups[1].Value;
+            var ver = match.Groups["ver"].Value;
+            return $"{name}/{ver}";
+        }
+        var token = userAgent.Split(' ').FirstOrDefault(t => t.Contains('/'));
+        if (token != null)
+        {
+            var major = token.Split('/');
+            if (major.Length == 2)
+            {
+                var digits = new string(major[1].TakeWhile(char.IsDigit).ToArray());
+                if (!string.IsNullOrEmpty(digits)) return $"{major[0]}/{digits}";
+            }
+        }
+        return userAgent.Length > 40 ? userAgent.Substring(0, 40) : userAgent;
+    }
+
+    public static string ExtractRegionHierarchy(string? regionRaw, out string? display)
+    {
+        display = regionRaw;
+        if (string.IsNullOrWhiteSpace(regionRaw)) return string.Empty;
+        var separators = new[] { '|', '-', ',', '/' };
+        var parts = regionRaw.Split(separators, StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries);
+        if (parts.Length == 0) return regionRaw;
+        if (parts.Length == 1)
+        {
+            display = parts[0];
+            return parts[0];
+        }
+        display = string.Join("/", parts.Take(Math.Min(3, parts.Length)));
+        return string.Join("/", parts.Take(2));
+    }
+}

src/Infrastructure/Services/SecurityAnalysisService.cs

@@ -5,6 +5,8 @@
 using CleanArchitecture.Blazor.Domain.Enums;
 using CleanArchitecture.Blazor.Domain.Identity;
 using System.Collections.Concurrent;
+using System.Net;
+using System.Text.RegularExpressions;
 using ZiggyCreatures.Caching.Fusion;
 using Microsoft.Extensions.Localization;
 
@@ -19,8 +21,9 @@ public class SecurityAnalysisService : ISecurityAnalysisService
     private readonly IApplicationDbContextFactory _dbContextFactory;
     private readonly IStringLocalizer<SecurityAnalysisService> _localizer;
 
-    // Cache for IP-based analysis to reduce database queries
-    private static readonly ConcurrentDictionary<string, DateTime> _lastIpAnalysis = new();
+    // Removed static dictionary to avoid unbounded growth & per-process divergence.
+    // Use FusionCache short TTL entries (per-IP throttle) instead.
+    private const string IpThrottlePrefix = "ip-analysis-throttle:"; // key = prefix + normalizedIp
 
     public SecurityAnalysisService(
         ILogger<SecurityAnalysisService> logger,
@@ -46,11 +49,19 @@ public async Task AnalyzeUserSecurityAsync(LoginAudit loginAudit, CancellationTo
             await CreateOrUpdateRiskSummaryAsync(db, loginAudit.UserId, loginAudit.UserName, 
                 analysisResult, cancellationToken);
 
-            // Invalidate cache for the user's risk summary
-            foreach(var tag in LoginAuditCacheKey.Tags)
+            // Invalidate tags: always invalidate user-specific collections (loginaudits, userloginrisksummary)
+            // Avoid clearing aggregated 'statistics' unless the risk summary changed significantly
+            var tagsToRemove = new List<string>();
+            tagsToRemove.Add("loginaudits");
+            tagsToRemove.Add("userloginrisksummary");
+            // Heuristic: critical or high risk or change in risk level triggers statistics invalidation.
+            if (analysisResult.RiskLevel != SecurityRiskLevel.Low)
             {
-                await _fusionCache.RemoveByTagAsync(tag, token: cancellationToken);
+                tagsToRemove.Add("statistics");
             }
+            var tagRemovalTasks = tagsToRemove.Distinct()
+                .Select(tag => _fusionCache.RemoveByTagAsync(tag, token: cancellationToken).AsTask());
+            await Task.WhenAll(tagRemovalTasks);
 
             _logger.LogInformation("Security analysis completed for user {UserId}. Risk Level: {RiskLevel}, Score: {RiskScore}, Factors: {FactorCount}", 
                 loginAudit.UserId, analysisResult.RiskLevel, analysisResult.RiskScore, analysisResult.RiskFactors.Count);
@@ -129,24 +140,23 @@ private async Task<RiskAnalysisRuleResult> AnalyzeConcentratedFailuresAsync(
             result.Factors.Add(_localizer["AccountBruteForceFactor", userFailuresInWindow, _options.BruteForceWindowMinutes]);
         }
 
-        // Analyze IP-level brute force (with caching to reduce database load)
-        if (!string.IsNullOrEmpty(currentLogin.IpAddress))
+        // Analyze IP-level brute force with FusionCache throttle (multi-instance friendly if distributed layer configured)
+        if (!string.IsNullOrWhiteSpace(currentLogin.IpAddress))
         {
-            var cacheKey = $"ip_analysis_{currentLogin.IpAddress}";
-            var shouldAnalyzeIp = !_lastIpAnalysis.TryGetValue(cacheKey, out var lastAnalysis) || 
-                                 lastAnalysis < DateTime.UtcNow.AddMinutes(-5); // Analyze IP at most every 5 minutes
-
-            if (shouldAnalyzeIp)
+            var normalizedIp = SecurityAnalysisHeuristics.NormalizeIpForThrottle(currentLogin.IpAddress);
+            var throttleKey = IpThrottlePrefix + normalizedIp;
+            // Try get a throttle marker; if absent, perform analysis and set marker with short TTL.
+            var throttle = await _fusionCache.TryGetAsync<bool>(throttleKey, token: cancellationToken);
+            if (!throttle.HasValue)
             {
                 var ipAnalysisResult = await AnalyzeIpBruteForceAsync(dbContext, currentLogin, bruteForceWindow, cancellationToken);
-                
                 if (ipAnalysisResult.IsTriggered)
                 {
                     result.Score += ipAnalysisResult.Score;
                     result.Factors.AddRange(ipAnalysisResult.Factors);
                 }
-
-                _lastIpAnalysis.TryAdd(cacheKey, DateTime.UtcNow);
+                // Set marker with TTL (configurable? use 5 min default, could expose via options later)
+                await _fusionCache.SetAsync(throttleKey, true, TimeSpan.FromMinutes(5), token: cancellationToken);
             }
         }
 
@@ -193,33 +203,27 @@ private RiskAnalysisRuleResult AnalyzeNewDeviceOrLocation(List<LoginAudit> userL
 
         var newFactors = new List<string>();
 
-        // Check for new IP address (more efficient with LINQ)
-        var hasSeenIpBefore = !string.IsNullOrEmpty(currentLogin.IpAddress) && 
-                             userLoginAudits.Any(x => x.Success && 
-                                                     x.IpAddress == currentLogin.IpAddress && 
-                                                     x.Id != currentLogin.Id);
-
-        // Check for new region
-        var hasSeenRegionBefore = !string.IsNullOrEmpty(currentLogin.Region) && 
-                                 userLoginAudits.Any(x => x.Success && 
-                                                         x.Region == currentLogin.Region && 
-                                                         x.Id != currentLogin.Id);
-
-        // Check for new browser info
-        var hasSeenBrowserBefore = !string.IsNullOrEmpty(currentLogin.BrowserInfo) && 
-                                  userLoginAudits.Any(x => x.Success && 
-                                                          x.BrowserInfo == currentLogin.BrowserInfo && 
-                                                          x.Id != currentLogin.Id);
-
-        // Evaluate novelty factors
-        if (!hasSeenIpBefore && !string.IsNullOrEmpty(currentLogin.IpAddress))
-            newFactors.Add(_localizer["NewIpFactor", currentLogin.IpAddress]);
-        
-        if (!hasSeenRegionBefore && !string.IsNullOrEmpty(currentLogin.Region))
-            newFactors.Add(_localizer["NewRegionFactor", currentLogin.Region]);
-        
-        if (!hasSeenBrowserBefore && !string.IsNullOrEmpty(currentLogin.BrowserInfo))
-            newFactors.Add(_localizer["NewBrowserFactor", currentLogin.BrowserInfo]);
+        // Normalize comparison tokens
+    var currentIpCidr24 = SecurityAnalysisHeuristics.NormalizeIpForHeuristic(currentLogin.IpAddress);
+    var currentRegionLevel = SecurityAnalysisHeuristics.ExtractRegionHierarchy(currentLogin.Region, out var regionDisplay);
+    var currentUaCore = SecurityAnalysisHeuristics.ExtractUserAgentCore(currentLogin.BrowserInfo);
+
+    bool seenIpSubnet = !string.IsNullOrEmpty(currentIpCidr24) && userLoginAudits.Any(x => x.Success && SecurityAnalysisHeuristics.NormalizeIpForHeuristic(x.IpAddress) == currentIpCidr24 && x.Id != currentLogin.Id);
+    bool seenRegionLevel = !string.IsNullOrEmpty(currentRegionLevel) && userLoginAudits.Any(x => x.Success && SecurityAnalysisHeuristics.ExtractRegionHierarchy(x.Region, out _) == currentRegionLevel && x.Id != currentLogin.Id);
+    bool seenUaCore = !string.IsNullOrEmpty(currentUaCore) && userLoginAudits.Any(x => x.Success && SecurityAnalysisHeuristics.ExtractUserAgentCore(x.BrowserInfo) == currentUaCore && x.Id != currentLogin.Id);
+
+        if (!seenIpSubnet && !string.IsNullOrEmpty(currentIpCidr24))
+        {
+            newFactors.Add(_localizer["NewIpFactor", currentIpCidr24]);
+        }
+        if (!seenRegionLevel && !string.IsNullOrEmpty(regionDisplay))
+        {
+            newFactors.Add(_localizer["NewRegionFactor", regionDisplay]);
+        }
+        if (!seenUaCore && !string.IsNullOrEmpty(currentUaCore))
+        {
+            newFactors.Add(_localizer["NewBrowserFactor", currentUaCore]);
+        }
 
         if (newFactors.Any())
         {
@@ -230,6 +234,11 @@ private RiskAnalysisRuleResult AnalyzeNewDeviceOrLocation(List<LoginAudit> userL
         return result;
     }
 
+    // ---------------------------------------
+    // Helper methods for relaxed heuristics
+    // ---------------------------------------
+    // helper methods moved to SecurityAnalysisHeuristics for testability
+
     private RiskAnalysisRuleResult AnalyzeUnusualTimeLogin(LoginAudit currentLogin)
     {
         var result = new RiskAnalysisRuleResult { RuleName = "UnusualTimeLogin" };

src/Server.UI/DependencyInjection.cs

@@ -149,11 +149,14 @@ public static WebApplication ConfigureServer(this WebApplication app, IConfigura
         }
         else
         {
-            app.UseExceptionHandler("/Error", true);
+            // Unified exception handling: rely on AddExceptionHandler<GlobalExceptionHandler>() + ProblemDetails.
+            // Removed the conventional "/Error" endpoint handler to avoid duplication/conflict.
             // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts.
             app.UseHsts();
         }
 
+        // Single global exception handler registration (no path) to activate IExceptionHandler + ProblemDetails pipeline.
+        app.UseExceptionHandler();
         app.UseStatusCodePagesWithRedirects("/404");
         app.MapHealthChecks("/health");
         app.UseAuthentication();
@@ -188,8 +191,7 @@ public static WebApplication ConfigureServer(this WebApplication app, IConfigura
             localizationOptions.RequestCultureProviders.Remove(acceptLanguageProvider);
         }
         app.UseRequestLocalization(localizationOptions);
-        app.UseMiddleware<LocalizationCookiesMiddleware>();
-        app.UseExceptionHandler();
+    app.UseMiddleware<LocalizationCookiesMiddleware>();
         app.UseHangfireDashboard("/jobs", new DashboardOptions
         {
             Authorization = new[] { new HangfireDashboardAuthorizationFilter() },

src/Server.UI/Services/UserPreferences/UserPreference.cs

@@ -14,23 +14,25 @@ public class UserPreference
     // List of available primary colors
     public static readonly List<string> PrimaryColors = new()
     {
-        "#1447e6",
+        "#171717",
+        "#1d4ed8",
         "#4c1d95",
         "#5ea500",
         "#f97316",
         "#e7000b",
-        "#171717"
+        
     };
 
     // List of available dark primary colors
     public static readonly List<string> DarkPrimaryColors = new()
     {
-        "#1447e6",
+        "#e5e5e5",
+        "#1d4ed8",
         "#8e51ff",
         "#5ea500",
         "#ff6900",
         "#ff2056",
-        "#e5e5e5"
+        
     };
     /// <summary>
     /// Indicates whether the dark mode is enabled.
@@ -88,35 +90,7 @@ public class UserPreference
     /// </summary>
     public DarkLightMode DarkLightTheme { get; set; }
 
-    /// <summary>
-    /// Adjusts the brightness of a hex color.
-    /// </summary>
-    /// <param name="hexColor">The hex color code.</param>
-    /// <param name="factor">
-    /// The factor by which to adjust brightness (values less than 1 darken the color,
-    /// values greater than 1 lighten the color).
-    /// </param>
-    /// <returns>The adjusted hex color code.</returns>
-    private string AdjustBrightness(string hexColor, double factor)
-    {
-        if (string.IsNullOrWhiteSpace(hexColor))
-            throw new ArgumentException("Color code cannot be null or empty.", nameof(hexColor));
-
-        // Parse the hex color using ColorTranslator
-        Color color = ColorTranslator.FromHtml(hexColor);
-
-        // Convert RGB to HSL
-        ColorToHsl(color, out double h, out double s, out double l);
-
-        // Adjust lightness
-        l = Math.Clamp(l * factor, 0.0, 1.0);
-
-        // Convert HSL back to Color
-        Color adjustedColor = HslToColor(h, s, l);
-
-        // Return the hex representation
-        return ColorTranslator.ToHtml(adjustedColor);
-    }
+     
 
     /// <summary>
     /// Adjusts the color for UI interaction states (hover, focus) with better visual contrast.

src/Server.UI/appsettings.json

@@ -27,7 +27,7 @@
   },
   "AppConfigurationSettings": {
     "ApplicationUrl": "https://architecture.blazorserver.com",
-    "Version": "1.3.18",
+    "Version": "1.3.20",
     "App": "Blazor",
     "AppName": "Blazor Studio",
     "Company": "Company",

tests/Infrastructure.UnitTests/Infrastructure.UnitTests.csproj

@@ -21,7 +21,7 @@
       <PrivateAssets>all</PrivateAssets>
     </PackageReference>
     <PackageReference Include="Moq" Version="4.20.72" />
-    <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="9.0.8" />
+  <PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="9.0.9" />
   </ItemGroup>
 
   <ItemGroup>

tests/Infrastructure.UnitTests/Services/SecurityAnalysisHeuristicsTests.cs

@@ -0,0 +1,43 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using CleanArchitecture.Blazor.Infrastructure.Services;
+using Xunit;
+
+namespace CleanArchitecture.Blazor.Infrastructure.UnitTests.Services;
+
+public class SecurityAnalysisHeuristicsTests
+{
+    [Theory]
+    [InlineData("192.168.1.15", "192.168.1.*")]
+    [InlineData("10.0.0.200", "10.0.0.*")]
+    public void NormalizeIpForHeuristic_Ipv4_ReturnsSlash24(string ip, string expected)
+    {
+        var normalized = SecurityAnalysisHeuristics.NormalizeIpForHeuristic(ip);
+        Assert.Equal(expected, normalized);
+    }
+
+    [Fact]
+    public void ExtractUserAgentCore_ChromeFullVersion_ReturnsMajor()
+    {
+        var ua = "Mozilla/5.0 Chrome/118.0.5993.70 Safari/537.36";
+        var core = SecurityAnalysisHeuristics.ExtractUserAgentCore(ua);
+        Assert.Equal("Chrome/118", core);
+    }
+
+    [Fact]
+    public void ExtractUserAgentCore_Firefox_ReturnsMajor()
+    {
+        var ua = "Mozilla/5.0 Firefox/121.1";
+        var core = SecurityAnalysisHeuristics.ExtractUserAgentCore(ua);
+        Assert.Equal("Firefox/121", core);
+    }
+
+    [Fact]
+    public void ExtractRegionHierarchy_CountryStateCity()
+    {
+        var key = SecurityAnalysisHeuristics.ExtractRegionHierarchy("US|CA|SanFrancisco", out var display);
+        Assert.Equal("US/CA", key);
+        Assert.Equal("US/CA/SanFrancisco", display);
+    }
+}