
Address security concerns raised by #1086

Open trillium opened this issue 1 year ago • 4 comments

Overview

We have exposed secrets in our codebase that anyone can find and use to mess with our db and/or grab user data. We can fix this by updating the secrets and switching a few config objects to use process.env instead of hardcoded values. This is being addressed on the ts.use_jwt_in_config branch.

Action Items

  • Switch config files to use secrets instead of hardcoded values ⚠️ We are here
  • Update the secrets to new secrets
  • Crisis avoided

What we've done so far

  • [x] ✅ Change backend/config.auth.config.js to use process.env
  • [x] ✅ Build dev.vrms.io and confirm the site works
  • [x] ✅ Change frontend/globalSettings to use process.env
  • [x] ❌ Build dev.vrms.io and confirm the site works
    • Site broke, explore why site broke
      • We think it's because there isn't a REACT_APP_CUSTOM_REQUEST_HEADER secret being provided to the frontend
  • [ ] Explore how secrets are provided to the frontend in the build process
  • [ ] Explore how secrets are provided to the backend in the build process
    • ~We think that the environment secrets page at hackforla/VMRS is where the secrets are held~
    • ~Neither @jbubar or me @Spiteless have access to this panel.~
    • Josh and Trillium now have access to the AWS to poke around
    • ~@bonniewolfe Can, you either look for us or provide one/both of us access to this panel so we can verify~
    • [x] Are they provided from the hackforla/VRMS github secrets page?
    • [ ] Are they provided directly in AWS somehow
    • [ ] Are they provided some other way
  • [ ] Build dev.vrms.io and confirm the site works
  • [ ] Update the secrets in all the environment variables for production
  • [ ] Update the secrets in the Google Drive so later devs have the right information

trillium avatar Aug 15 '23 23:08 trillium
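The switch from hardcoded values to process.env described in the issue, as an added example (not VRMS code): a loader that takes an environment map, fails fast with every missing name, and redacts values for logging, so a frontend build that lacks REACT_APP_CUSTOM_REQUEST_HEADER stops with a clear error instead of shipping a broken site. The other variable names and the Create React App assumption are illustrative, not taken from the repository.

```javascript
'use strict';

// Backend secrets the server needs at startup. Names other than CUSTOM_REQUEST_HEADER
// are assumed for illustration; callers pass process.env as `env`.
const BACKEND_REQUIRED = ['JWT_SECRET', 'DB_CONNECTION_STRING', 'CUSTOM_REQUEST_HEADER'];

// Frontend values must exist at *build* time: a Create React App build (assumed here)
// only inlines variables prefixed REACT_APP_, and an unset one is simply undefined in
// the bundle, which is the kind of silent breakage the issue describes.
const FRONTEND_REQUIRED = ['REACT_APP_CUSTOM_REQUEST_HEADER'];

// Return the names from `required` that are absent or blank in `env`.
function missingKeys(env, required) {
  return required.filter((name) => typeof env[name] !== 'string' || env[name].trim() === '');
}

// Build a frozen config object from an environment map. Throws one error naming every
// missing variable so the build or deploy log shows the whole gap at once.
function loadConfig(env, required) {
  const missing = missingKeys(env, required);
  if (missing.length > 0) {
    throw new Error(`Missing required environment variables: ${missing.join(', ')}`);
  }
  const config = {};
  for (const name of required) config[name] = env[name];
  return Object.freeze(config);
}

// Replace every value with a marker so a config dump never leaks secrets into CI or
// server logs.
function redacted(config) {
  return Object.fromEntries(Object.keys(config).map((k) => [k, '***']));
}

// Constructed sample input: the backend has everything it needs, the frontend does not.
const sampleBackendEnv = { JWT_SECRET: 'dev-only', DB_CONNECTION_STRING: 'mongodb://localhost/vrms', CUSTOM_REQUEST_HEADER: 'dev-header' };
const backendConfig = loadConfig(sampleBackendEnv, BACKEND_REQUIRED);
console.log('backend config (redacted):', redacted(backendConfig));
try {
  loadConfig({ REACT_APP_CUSTOM_REQUEST_HEADER: '' }, FRONTEND_REQUIRED);
} catch (err) {
  console.log('frontend build would stop:', err.message);
}
```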

@Spiteless @jbubar The following people have admin access to this page https://github.com/hackforla/VRMS/settings/environments

Is that what you were looking for?

ExperimentsInHonesty avatar Mar 28 '24 23:03 ExperimentsInHonesty

Github secrets for that repository can be found here https://github.com/hackforla/VRMS/settings/environments/273709445/edit

JackHaeg avatar Mar 28 '24 23:03 JackHaeg

@jbubar & @Spiteless put in a request to be able to view AWS deployment.

JackHaeg avatar May 21 '24 02:05 JackHaeg

We received access to the AWS deployment and will be meeting at 3pm on Fridays to look it over

jbubar avatar Jun 18 '24 02:06 jbubar