dimitar/fitaiProto
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
275248fc35
fitaiProto/SECURITY.md
echo 2c4927478a phase 1-6 implemented
2026-03-10 04:14:03 +01:00

128 lines
4.1 KiB
Markdown
Raw Blame History

# 🚨 SECURITY ALERT - IMMEDIATE ACTION REQUIRED
## Exposed API Keys in Git History
The following API keys were accidentally committed to the repository and **MUST BE ROTATED IMMEDIATELY**:
### 1. Clerk Authentication Keys (Admin App)
- **File**: `apps/admin/.env` (now removed from tracking)
- **Exposed Keys**:
- `NEXT_PUBLIC_CLERK_PUBLISHABLE_KEY`: `pk_test_bmVlZGVkLWVsZXBoYW50LTY0LmNsZXJrLmFjY291bnRzLmRldiQ`
- `CLERK_SECRET_KEY`: `sk_test_qnWnZSem1ZkodRip9NZDXszDnCP91HwlNwtAUAcHZ1` ⚠️ **CRITICAL**
- `CLERK_WEBHOOK_SECRET`: `whsec_TmM402k0pO/Au9u0vcJ1wLOoxvmeNOw+` ⚠️ **CRITICAL**
### 2. Clerk Authentication Key (Mobile App)
- **File**: `apps/mobile/.env` (now removed from tracking)
- **Exposed Key**:
- `EXPO_PUBLIC_CLERK_PUBLISHABLE_KEY`: `pk_test_bmVlZGVkLWVsZXBoYW50LTY0LmNsZXJrLmFjY291bnRzLmRldiQ`
### 3. DeepSeek API Key (Admin App)
- **File**: `apps/admin/.env`
- **Exposed Key**:
- `DEEPSEEK_API_KEY`: `sk-6c2e965d97a349f08ae1c3386dabdf85` ⚠️ **CRITICAL**
## Required Actions
### Step 1: Rotate All Keys Immediately
#### Clerk Keys
1. Go to https://dashboard.clerk.com
2. Navigate to your project settings
3. **Rotate the secret key** (this will invalidate the old one)
4. **Regenerate webhook secret** in the Webhooks section
5. Update your local `.env` files with new keys (DO NOT commit them)
6. Update production environment variables
#### DeepSeek API Key
1. Go to https://platform.deepseek.com
2. Navigate to API Keys section
3. **Delete the exposed key**: `sk-6c2e965d97a349f08ae1c3386dabdf85`
4. **Generate a new API key**
5. Update your local `.env` file (DO NOT commit it)
6. Update production environment variables
### Step 2: Remove Secrets from Git History
⚠️ **WARNING**: This will rewrite git history. Coordinate with your team before proceeding.
```bash
# Option 1: Using BFG Repo-Cleaner (recommended)
# Install BFG: https://rtyley.github.io/bfg-repo-cleaner/
bfg --replace-text <(echo 'sk_test_qnWnZSem1ZkodRip9NZDXszDnCP91HwlNwtAUAcHZ1==>***REMOVED***')
bfg --replace-text <(echo 'whsec_TmM402k0pO/Au9u0vcJ1wLOoxvmeNOw+==>***REMOVED***')
bfg --replace-text <(echo 'sk-6c2e965d97a349f08ae1c3386dabdf85==>***REMOVED***')
git reflog expire --expire=now --all
git gc --prune=now --aggressive
# Option 2: Using git filter-branch (if BFG not available)
git filter-branch --force --index-filter \
"git rm --cached --ignore-unmatch apps/admin/.env apps/mobile/.env" \
--prune-empty --tag-name-filter cat -- --all
```
### Step 3: Force Push (Coordinate with Team)
```bash
git push origin --force --all
git push origin --force --tags
```
### Step 4: Verify .gitignore
Ensure the following files are in `.gitignore`:
-`.env` (all variants)
-`*.db` (database files)
-`*.log` (log files)
-`backups/` (backup directories)
### Step 5: Set Up Environment Variables Properly
#### For Local Development
1. Copy `.env.example` to `.env`:
```bash
cd apps/admin && cp .env.example .env
cd apps/mobile && cp .env.example .env
```
2. Fill in the **new** API keys (never commit these files)
#### For Production/Staging
Use your hosting platform's environment variable management:
- **Vercel**: Settings → Environment Variables
- **Netlify**: Site settings → Build & deploy → Environment
- **Expo**: Use `eas secret:create` for mobile app secrets
## Prevention Measures Implemented
1. ✅ Updated `.gitignore` to exclude all `.env` files
2. ✅ Created `.env.example` files with placeholder values
3. ✅ Added database files and logs to `.gitignore`
4. ⏳ TODO: Add pre-commit hook to prevent secret commits
5. ⏳ TODO: Set up secret scanning in CI/CD
## Additional Security Recommendations
1. **Enable Clerk's IP allowlisting** to restrict API access
2. **Monitor Clerk dashboard** for unusual activity
3. **Review DeepSeek API usage** for unauthorized requests
4. **Set up rate limiting** on all authentication endpoints (in progress)
5. **Enable 2FA** on all service accounts (Clerk, DeepSeek, hosting platforms)
## Questions?
If you need help with any of these steps, please reach out to the security team immediately.
---
**Created**: $(date)
**Status**: URGENT - Keys rotation in progress
**Last Updated**: $(date)
Reference in New Issue View Git Blame Copy Permalink