d-bis/explorer-monorepo
4
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
152e0d73452fd1db01d59385fa585570751af178
explorer-monorepo/EXECUTE_NOW.sh
Devin ad69385beb fix(security): fail-fast on missing JWT_SECRET, harden CSP, strip hardcoded passwords 
backend/api/rest/server.go:
- NewServer() now delegates to loadJWTSecret(), which:
    - Rejects JWT_SECRET < 32 bytes (log.Fatal).
    - Requires JWT_SECRET when APP_ENV=production or GO_ENV=production.
    - Generates a 32-byte crypto/rand ephemeral secret in dev only.
    - Treats rand.Read failure as fatal (removes the prior time-based
      fallback that was deterministic and forgeable).
- Default Content-Security-Policy rewritten:
    - Drops 'unsafe-inline' and 'unsafe-eval'.
    - Drops private CIDRs (192.168.11.221:854[5|6]).
    - Adds frame-ancestors 'none', base-uri 'self', form-action 'self'.
    - CSP_HEADER is required in production; fatal if unset there.

backend/api/rest/server_security_test.go (new):
- Covers the three loadJWTSecret() paths (valid, whitespace-trimmed,
  ephemeral in dev).
- Covers isProductionEnv() across APP_ENV / GO_ENV combinations.
- Asserts defaultDevCSP contains no unsafe directives or private CIDRs
  and includes the frame-ancestors / base-uri / form-action directives.

scripts/*.sh:
- Removed '***REDACTED-LEGACY-PW***' default value from SSH_PASSWORD / NEW_PASSWORD in
  7 helper scripts. Each script now fails with exit 2 and points to
  docs/SECURITY.md if the password isn't supplied via env or argv.

EXECUTE_DEPLOYMENT.sh, EXECUTE_NOW.sh:
- Replaced hardcoded DB_PASSWORD='***REDACTED-LEGACY-PW***' with a ':?' guard that
  aborts with a clear error if DB_PASSWORD (and, for EXECUTE_DEPLOYMENT,
  RPC_URL) is not exported. Other env vars keep sensible non-secret
  defaults via ${VAR:-default}.

README.md:
- Removed the hardcoded Database Password / RPC URL lines. Replaced with
  an env-variable reference table pointing at docs/SECURITY.md and
  docs/DATABASE_CONNECTION_GUIDE.md.

docs/DEPLOYMENT.md:
- Replaced 'PASSWORD: SSH password (default: ***REDACTED-LEGACY-PW***)' with a
  required-no-default contract and a link to docs/SECURITY.md.

docs/SECURITY.md (new):
- Full secret inventory keyed to the env variable name and the file that
  consumes it.
- Five-step rotation checklist covering the Postgres role, the Proxmox
  VM SSH password, JWT_SECRET, vendor API keys, and a gitleaks-based
  history audit.
- Explicit note that merging secret-scrub PRs does NOT invalidate
  already-leaked credentials; rotation is the operator's responsibility.

Verification:
- go build ./... + go vet ./... pass clean.
- Targeted tests (LoadJWTSecret*, IsProduction*, DefaultDevCSP*) pass.

Advances completion criterion 2 (Secrets & config hardened). Residual
leakage from START_HERE.md / LETSENCRYPT_CONFIGURATION_GUIDE.md is
handled by PR #2 (doc consolidation), which deletes those files.
2026-04-18 19:02:27 +00:00

83 lines
2.3 KiB
Bash
Raw Blame History

#!/bin/bash
# Complete deployment - execute this file
set -e
cd "$(dirname "$0")"
echo "=== Complete Deployment Execution ==="
echo ""
# Database credentials. DB_PASSWORD MUST be provided via environment; no
# secrets are committed to this repo. See docs/SECURITY.md.
: "${DB_PASSWORD:?DB_PASSWORD is required (export it before running this script)}"
export DB_PASSWORD
export DB_HOST="${DB_HOST:-localhost}"
export DB_USER="${DB_USER:-explorer}"
export DB_NAME="${DB_NAME:-explorer}"
# Step 1: Test database
echo "Step 1: Testing database connection..."
export PGPASSWORD="$DB_PASSWORD"
if psql -h "$DB_HOST" -U "$DB_USER" -d "$DB_NAME" -c "SELECT 1;" > /dev/null 2>&1; then
echo "✅ Database connected"
else
echo "❌ Database connection failed"
exit 1
fi
# Step 2: Check tables
echo "Step 2: Checking tables..."
TABLE_COUNT=$(psql -h "$DB_HOST" -U "$DB_USER" -d "$DB_NAME" -c "SELECT COUNT(*) FROM information_schema.tables WHERE table_schema = 'public' AND table_name IN ('wallet_nonces', 'operator_roles', 'addresses', 'token_transfers');" -t 2>/dev/null | tr -d ' ')
echo "Found $TABLE_COUNT/4 tables"
# Step 3: Run migration
if [ "$TABLE_COUNT" -lt "4" ]; then
echo "Step 3: Running migration..."
psql -h "$DB_HOST" -U "$DB_USER" -d "$DB_NAME" -f backend/database/migrations/0010_track_schema.up.sql > /dev/null 2>&1
echo "✅ Migration complete"
else
echo "Step 3: Migration already done"
fi
# Step 4: Stop server
echo "Step 4: Stopping server..."
pkill -f api-server 2>/dev/null || true
sleep 2
# Step 5: Start server
echo "Step 5: Starting server..."
cd backend
export JWT_SECRET="deployment-secret-$(date +%s)"
export RPC_URL="http://192.168.11.250:8545"
export CHAIN_ID=138
export PORT=8080
mkdir -p logs
nohup ./bin/api-server > logs/api-server.log 2>&1 &
SERVER_PID=$!
echo $SERVER_PID > logs/api-server.pid
sleep 3
# Step 6: Test
echo "Step 6: Testing endpoints..."
if curl -s http://localhost:8080/health > /dev/null; then
echo "✅ Server running (PID: $SERVER_PID)"
else
echo "❌ Server failed to start"
tail -20 logs/api-server.log
exit 1
fi
echo ""
echo "=== Deployment Complete ==="
echo "Server PID: $SERVER_PID"
echo "Port: 8080"
echo "Logs: backend/logs/api-server.log"
echo ""
echo "Test: curl http://localhost:8080/health"
unset PGPASSWORD
Reference in New Issue View Git Blame Copy Permalink