🔒 security(auth): migrate to EdDSA JWT and add automated monitoring
BREAKING: JWT keys are now auto-managed by Better Auth (EdDSA/Ed25519) - Remove all JWT_PRIVATE_KEY, JWT_PUBLIC_KEY, JWT_SECRET references - Keys stored in auth.jwks database table (auto-generated on first run) - Delete obsolete generate-keys.sh and generate-staging-secrets.sh scripts - Clean up legacy AUTH_*.md analysis files from root Security Improvements: - Add security_events table for audit logging - Add SecurityEventsService for tracking auth events - Enhanced security headers (HSTS, CSP, X-Frame-Options) - Rate limiting configuration Monitoring Setup: - Add auth-health-check.sh for automated testing - Add generate-dashboard.sh for HTML status dashboard - Tests: health endpoint, JWKS (EdDSA), security headers, response time - Ready for Hetzner cron deployment Documentation: - Update deployment docs with Better Auth notes - Update environment variable references - Add security improvements documentation 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
parent
1214c78a3c
commit
4d15d9e764
56 changed files with 6870 additions and 4154 deletions
|
|
@ -66,8 +66,7 @@ const APP_CONFIGS = [
|
|||
REDIS_HOST: (env) => env.REDIS_HOST,
|
||||
REDIS_PORT: (env) => env.REDIS_PORT,
|
||||
REDIS_PASSWORD: (env) => env.REDIS_PASSWORD || '',
|
||||
JWT_PRIVATE_KEY: (env) => env.JWT_PRIVATE_KEY,
|
||||
JWT_PUBLIC_KEY: (env) => env.JWT_PUBLIC_KEY,
|
||||
// JWT keys managed by Better Auth (EdDSA) - stored in auth.jwks table
|
||||
JWT_ACCESS_TOKEN_EXPIRY: (env) => env.JWT_ACCESS_TOKEN_EXPIRY,
|
||||
JWT_REFRESH_TOKEN_EXPIRY: (env) => env.JWT_REFRESH_TOKEN_EXPIRY,
|
||||
JWT_ISSUER: (env) => env.JWT_ISSUER,
|
||||
|
|
@ -341,7 +340,7 @@ const APP_CONFIGS = [
|
|||
MANA_CORE_AUTH_URL: (env) => env.MANA_CORE_AUTH_URL,
|
||||
DEV_BYPASS_AUTH: () => 'true',
|
||||
DEV_USER_ID: (env) => env.DEV_USER_ID || '00000000-0000-0000-0000-000000000000',
|
||||
JWT_PUBLIC_KEY: (env) => env.JWT_PUBLIC_KEY,
|
||||
// JWT keys fetched via JWKS from MANA_CORE_AUTH_URL/api/v1/auth/jwks
|
||||
CORS_ORIGINS: (env) => env.CORS_ORIGINS,
|
||||
},
|
||||
},
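Review bot: The replacement comment at the `JWT_PUBLIC_KEY` removal says where keys now come from but not what the verifier must enforce, and since the signing key is discovered at runtime from `MANA_CORE_AUTH_URL` that is the part a reader needs; I would extend it to `// JWT keys fetched via JWKS from MANA_CORE_AUTH_URL/api/v1/auth/jwks — verifier must pin alg to EdDSA and select keys by kid; MANA_CORE_AUTH_URL must be a trusted HTTPS origin`. The comment in the earlier hunk (`// JWT keys managed by Better Auth (EdDSA) - stored in auth.jwks table`) could likewise note that `auth.jwks` is now private key material and needs the access control and backup handling the removed `JWT_PRIVATE_KEY` env var had. Separately, `DEV_BYPASS_AUTH: () => 'true'` a few lines above is a constant rather than an env lookup, so this entry bypasses auth in every deployment; if this config is not strictly dev-only it should read the environment, e.g. `DEV_BYPASS_AUTH: (env) => env.DEV_BYPASS_AUTH ?? 'false',` — I cannot tell from the hunk which app this entry belongs to. The enclosing `APP_CONFIGS` array starts and ends outside the hunk.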
|
||||
|
|
|
|||
|
|
@ -1,124 +0,0 @@
|
|||
#!/bin/bash
|
||||
|
||||
# Generate Staging Secrets for GitHub
|
||||
# Run this script and copy the output to GitHub Secrets
|
||||
|
||||
set -e
|
||||
|
||||
echo "================================================"
|
||||
echo " STAGING SECRETS GENERATOR"
|
||||
echo "================================================"
|
||||
echo ""
|
||||
echo "Copy each value below to GitHub Settings → Secrets and variables → Actions"
|
||||
echo ""
|
||||
echo "Note: Configuration values (host, ports, etc.) are now hardcoded in the workflow"
|
||||
echo "Only sensitive values (passwords, keys) need to be added as secrets"
|
||||
echo ""
|
||||
echo "================================================"
|
||||
echo ""
|
||||
|
||||
# Generate secure random passwords
|
||||
POSTGRES_PASSWORD=$(openssl rand -base64 32 | tr -d "=+/" | cut -c1-32)
|
||||
REDIS_PASSWORD=$(openssl rand -base64 32 | tr -d "=+/" | cut -c1-32)
|
||||
JWT_SECRET=$(openssl rand -base64 64 | tr -d "=+/" | cut -c1-64)
|
||||
|
||||
# Generate Ed25519 key pair for JWT
|
||||
TEMP_KEY_DIR=$(mktemp -d)
|
||||
ssh-keygen -t ed25519 -f "$TEMP_KEY_DIR/jwt_key" -N "" -C "manacore-staging-jwt" > /dev/null 2>&1
|
||||
|
||||
# Convert SSH keys to raw format for JWT
|
||||
PRIVATE_KEY=$(cat "$TEMP_KEY_DIR/jwt_key" | grep -v "BEGIN" | grep -v "END" | tr -d '\n')
|
||||
PUBLIC_KEY=$(ssh-keygen -e -m PKCS8 -f "$TEMP_KEY_DIR/jwt_key.pub" 2>/dev/null | grep -v "BEGIN" | grep -v "END" | tr -d '\n' || cat "$TEMP_KEY_DIR/jwt_key.pub" | awk '{print $2}')
|
||||
|
||||
# Clean up temp files
|
||||
rm -rf "$TEMP_KEY_DIR"
|
||||
|
||||
# Output all secrets in GitHub format
|
||||
echo "# ============================================"
|
||||
echo "# DATABASE SECRETS (2 secrets)"
|
||||
echo "# ============================================"
|
||||
echo ""
|
||||
echo "STAGING_POSTGRES_PASSWORD"
|
||||
echo "$POSTGRES_PASSWORD"
|
||||
echo ""
|
||||
|
||||
echo "# ============================================"
|
||||
echo "# REDIS SECRETS (1 secret)"
|
||||
echo "# ============================================"
|
||||
echo ""
|
||||
echo "STAGING_REDIS_PASSWORD"
|
||||
echo "$REDIS_PASSWORD"
|
||||
echo ""
|
||||
|
||||
echo "# ============================================"
|
||||
echo "# MANA CORE AUTH SECRETS (3 secrets)"
|
||||
echo "# ============================================"
|
||||
echo ""
|
||||
echo "STAGING_JWT_SECRET"
|
||||
echo "$JWT_SECRET"
|
||||
echo ""
|
||||
echo "STAGING_JWT_PUBLIC_KEY"
|
||||
echo "$PUBLIC_KEY"
|
||||
echo ""
|
||||
echo "STAGING_JWT_PRIVATE_KEY"
|
||||
echo "$PRIVATE_KEY"
|
||||
echo ""
|
||||
|
||||
echo "# ============================================"
|
||||
echo "# SUPABASE SECRETS (Fill these manually - 3 secrets)"
|
||||
echo "# ============================================"
|
||||
echo ""
|
||||
echo "STAGING_SUPABASE_URL"
|
||||
echo "https://YOUR_PROJECT.supabase.co"
|
||||
echo ""
|
||||
echo "STAGING_SUPABASE_ANON_KEY"
|
||||
echo "YOUR_SUPABASE_ANON_KEY_HERE"
|
||||
echo ""
|
||||
echo "STAGING_SUPABASE_SERVICE_ROLE_KEY"
|
||||
echo "YOUR_SUPABASE_SERVICE_ROLE_KEY_HERE"
|
||||
echo ""
|
||||
|
||||
echo "# ============================================"
|
||||
echo "# AZURE OPENAI SECRETS (Fill these manually - 2 secrets)"
|
||||
echo "# ============================================"
|
||||
echo ""
|
||||
echo "STAGING_AZURE_OPENAI_ENDPOINT"
|
||||
echo "https://YOUR_RESOURCE.openai.azure.com/"
|
||||
echo ""
|
||||
echo "STAGING_AZURE_OPENAI_API_KEY"
|
||||
echo "YOUR_AZURE_OPENAI_API_KEY_HERE"
|
||||
echo ""
|
||||
|
||||
echo "# ============================================"
|
||||
echo "# SSH DEPLOYMENT SECRETS (Fill these manually - 1 secret)"
|
||||
echo "# ============================================"
|
||||
echo ""
|
||||
echo "STAGING_SSH_KEY"
|
||||
echo "Run: cat ~/.ssh/hetzner_deploy_key"
|
||||
echo "(Copy the ENTIRE output including -----BEGIN and -----END lines)"
|
||||
echo ""
|
||||
|
||||
echo "================================================"
|
||||
echo " SUMMARY"
|
||||
echo "================================================"
|
||||
echo ""
|
||||
echo "Total secrets to add: 12"
|
||||
echo " - Auto-generated: 6 (passwords, JWT keys)"
|
||||
echo " - Manual: 6 (Supabase, Azure, SSH key)"
|
||||
echo ""
|
||||
echo "The following are now HARDCODED in the workflow:"
|
||||
echo " - POSTGRES_HOST, POSTGRES_PORT, POSTGRES_DB, POSTGRES_USER"
|
||||
echo " - REDIS_HOST, REDIS_PORT"
|
||||
echo " - MANA_SERVICE_URL"
|
||||
echo " - STAGING_HOST (46.224.108.214)"
|
||||
echo " - STAGING_USER (deploy)"
|
||||
echo ""
|
||||
echo "================================================"
|
||||
echo ""
|
||||
echo "Next steps:"
|
||||
echo "1. Go to: https://github.com/YOUR_ORG/manacore-monorepo/settings/secrets/actions"
|
||||
echo "2. Click 'New repository secret' for each value above"
|
||||
echo "3. Copy the secret name (e.g., STAGING_POSTGRES_PASSWORD)"
|
||||
echo "4. Copy the secret value (the line below the name)"
|
||||
echo "5. Fill in Supabase, Azure, and SSH key values manually"
|
||||
echo ""
|
||||