Devin
4cbea21d8f
backend/api/rest/server.go:
- NewServer() now delegates to loadJWTSecret(), which:
- Rejects JWT_SECRET < 32 bytes (log.Fatal).
- Requires JWT_SECRET when APP_ENV=production or GO_ENV=production.
- Generates a 32-byte crypto/rand ephemeral secret in dev only.
- Treats rand.Read failure as fatal (removes the prior time-based
fallback that was deterministic and forgeable).
- Default Content-Security-Policy rewritten:
- Drops 'unsafe-inline' and 'unsafe-eval'.
- Drops private CIDRs (192.168.11.221:854[5|6]).
- Adds frame-ancestors 'none', base-uri 'self', form-action 'self'.
- CSP_HEADER is required in production; fatal if unset there.
backend/api/rest/server_security_test.go (new):
- Covers the three loadJWTSecret() paths (valid, whitespace-trimmed,
ephemeral in dev).
- Covers isProductionEnv() across APP_ENV / GO_ENV combinations.
- Asserts defaultDevCSP contains no unsafe directives or private CIDRs
and includes the frame-ancestors / base-uri / form-action directives.
scripts/*.sh:
- Removed 'L@kers2010' default value from SSH_PASSWORD / NEW_PASSWORD in
7 helper scripts. Each script now fails with exit 2 and points to
docs/SECURITY.md if the password isn't supplied via env or argv.
EXECUTE_DEPLOYMENT.sh, EXECUTE_NOW.sh:
- Replaced hardcoded DB_PASSWORD='L@ker$2010' with a ':?' guard that
aborts with a clear error if DB_PASSWORD (and, for EXECUTE_DEPLOYMENT,
RPC_URL) is not exported. Other env vars keep sensible non-secret
defaults via ${VAR:-default}.
README.md:
- Removed the hardcoded Database Password / RPC URL lines. Replaced with
an env-variable reference table pointing at docs/SECURITY.md and
docs/DATABASE_CONNECTION_GUIDE.md.
docs/DEPLOYMENT.md:
- Replaced 'PASSWORD: SSH password (default: L@kers2010)' with a
required-no-default contract and a link to docs/SECURITY.md.
docs/SECURITY.md (new):
- Full secret inventory keyed to the env variable name and the file that
consumes it.
- Five-step rotation checklist covering the Postgres role, the Proxmox
VM SSH password, JWT_SECRET, vendor API keys, and a gitleaks-based
history audit.
- Explicit note that merging secret-scrub PRs does NOT invalidate
already-leaked credentials; rotation is the operator's responsibility.
Verification:
- go build ./... + go vet ./... pass clean.
- Targeted tests (LoadJWTSecret*, IsProduction*, DefaultDevCSP*) pass.
Advances completion criterion 2 (Secrets & config hardened). Residual
leakage from START_HERE.md / LETSENCRYPT_CONFIGURATION_GUIDE.md is
handled by PR #2 (doc consolidation), which deletes those files.
145 lines
4.6 KiB
Bash
145 lines
4.6 KiB
Bash
#!/bin/bash
|
|
# Complete deployment execution script
|
|
# Run this to complete all deployment steps
|
|
|
|
set -e
|
|
|
|
echo "=========================================="
|
|
echo " SolaceScan Deployment"
|
|
echo "=========================================="
|
|
echo ""
|
|
|
|
# Configuration. All secrets MUST be provided via environment variables; no
|
|
# credentials are committed to this repo. See docs/SECURITY.md for the
|
|
# rotation checklist.
|
|
: "${DB_PASSWORD:?DB_PASSWORD is required (export it or source your secrets file)}"
|
|
DB_HOST="${DB_HOST:-localhost}"
|
|
DB_USER="${DB_USER:-explorer}"
|
|
DB_NAME="${DB_NAME:-explorer}"
|
|
RPC_URL="${RPC_URL:?RPC_URL is required}"
|
|
CHAIN_ID="${CHAIN_ID:-138}"
|
|
PORT="${PORT:-8080}"
|
|
|
|
# Step 1: Test database connection
|
|
echo "[1/6] Testing database connection..."
|
|
export PGPASSWORD="$DB_PASSWORD"
|
|
if psql -h "$DB_HOST" -U "$DB_USER" -d "$DB_NAME" -c "SELECT 1;" > /dev/null 2>&1; then
|
|
echo " ✅ Database connected"
|
|
else
|
|
echo " ❌ Database connection failed"
|
|
echo ""
|
|
echo " Troubleshooting:"
|
|
echo " 1. Check PostgreSQL is running: systemctl status postgresql"
|
|
echo " 2. Setup database: sudo bash scripts/setup-database.sh"
|
|
echo " 3. Or manually create user/database (see DATABASE_SETUP_NEEDED.md)"
|
|
echo ""
|
|
echo " Quick fix: sudo bash scripts/setup-database.sh"
|
|
exit 1
|
|
fi
|
|
|
|
# Step 2: Check existing tables
|
|
echo "[2/6] Checking for existing tables..."
|
|
TABLE_COUNT=$(psql -h "$DB_HOST" -U "$DB_USER" -d "$DB_NAME" -c "SELECT COUNT(*) FROM information_schema.tables WHERE table_schema = 'public' AND table_name IN ('wallet_nonces', 'operator_roles', 'addresses', 'token_transfers');" -t 2>/dev/null | tr -d ' ')
|
|
echo " Found $TABLE_COUNT/4 track schema tables"
|
|
|
|
# Step 3: Run migration if needed
|
|
if [ "$TABLE_COUNT" -lt "4" ]; then
|
|
echo "[3/6] Running database migration..."
|
|
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
|
MIGRATION_FILE="$SCRIPT_DIR/backend/database/migrations/0010_track_schema.up.sql"
|
|
if psql -h "$DB_HOST" -U "$DB_USER" -d "$DB_NAME" -f "$MIGRATION_FILE" > /dev/null 2>&1; then
|
|
echo " ✅ Migration completed"
|
|
else
|
|
echo " ⚠️ Migration may have partially completed (some tables may already exist)"
|
|
fi
|
|
else
|
|
echo "[3/6] Migration already complete (tables exist)"
|
|
fi
|
|
|
|
# Step 4: Stop existing server
|
|
echo "[4/6] Stopping existing server..."
|
|
pkill -f api-server 2>/dev/null || true
|
|
sleep 2
|
|
echo " ✅ Server stopped"
|
|
|
|
# Step 5: Start server
|
|
echo "[5/6] Starting API server..."
|
|
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
|
cd "$SCRIPT_DIR/backend"
|
|
|
|
export DB_PASSWORD
|
|
export JWT_SECRET="deployment-secret-$(date +%s)"
|
|
export RPC_URL
|
|
export CHAIN_ID
|
|
export PORT
|
|
export DB_HOST
|
|
export DB_USER
|
|
export DB_NAME
|
|
|
|
mkdir -p logs
|
|
nohup ./bin/api-server > logs/api-server.log 2>&1 &
|
|
SERVER_PID=$!
|
|
echo $SERVER_PID > logs/api-server.pid
|
|
|
|
# Wait for server to start
|
|
echo " Waiting for server to start..."
|
|
for i in {1..10}; do
|
|
if curl -s http://localhost:8080/health > /dev/null 2>&1; then
|
|
echo " ✅ Server started (PID: $SERVER_PID)"
|
|
break
|
|
fi
|
|
if [ $i -eq 10 ]; then
|
|
echo " ❌ Server failed to start"
|
|
echo " Check logs: tail -20 logs/api-server.log"
|
|
exit 1
|
|
fi
|
|
sleep 1
|
|
done
|
|
|
|
# Step 6: Test endpoints
|
|
echo "[6/6] Testing endpoints..."
|
|
echo -n " Health endpoint... "
|
|
if curl -s http://localhost:8080/health | grep -q "healthy\|degraded"; then
|
|
echo "✅"
|
|
else
|
|
echo "⚠️"
|
|
fi
|
|
|
|
echo -n " Feature flags... "
|
|
if curl -s http://localhost:8080/api/v1/features | grep -q "track"; then
|
|
echo "✅"
|
|
else
|
|
echo "⚠️"
|
|
fi
|
|
|
|
echo -n " Track 1 blocks... "
|
|
HTTP_CODE=$(curl -s -w "%{http_code}" -o /dev/null "http://localhost:8080/api/v1/track1/blocks/latest?limit=1")
|
|
if [ "$HTTP_CODE" = "200" ]; then
|
|
echo "✅"
|
|
else
|
|
echo "⚠️ (HTTP $HTTP_CODE)"
|
|
fi
|
|
|
|
echo ""
|
|
echo "=========================================="
|
|
echo " ✅ Deployment Complete!"
|
|
echo "=========================================="
|
|
echo ""
|
|
echo "Server Information:"
|
|
echo " PID: $SERVER_PID"
|
|
echo " Port: $PORT"
|
|
echo " Logs: $SCRIPT_DIR/backend/logs/api-server.log"
|
|
echo ""
|
|
echo "Test Commands:"
|
|
echo " curl http://localhost:8080/health"
|
|
echo " curl http://localhost:8080/api/v1/features"
|
|
echo " curl http://localhost:8080/api/v1/track1/blocks/latest?limit=5"
|
|
echo ""
|
|
echo "Next Steps:"
|
|
echo " 1. Test authentication: curl -X POST http://localhost:8080/api/v1/auth/nonce -H 'Content-Type: application/json' -d '{\"address\":\"0xYourAddress\"}'"
|
|
echo " 2. Approve users: bash scripts/approve-user.sh <address> <track_level>"
|
|
echo " 3. Monitor: tail -f backend/logs/api-server.log"
|
|
echo ""
|
|
|
|
unset PGPASSWORD
|