arthur/xtablo-source
1
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions 5
xtablo-source/SECURITY_NOTICE.md
Arthur Belleville 4777e3dc03
Remove secrets from env files
2025-11-04 10:53:31 +01:00

175 lines
5.3 KiB
Markdown
Raw Blame History

# ⚠️ SECURITY NOTICE - .env Files Removed from Git
## What Happened
Multiple `.env` files containing potentially sensitive credentials were being tracked in git. These files have now been **removed from version control** but remain on your local filesystem.
## Files Removed from Git
The following files were removed from git tracking:
- `api/.env.development`
- `api/.env.production`
- `api/.env.staging`
- `apps/external/.env.production`
- `apps/main/.env.production`
- `apps/main/.env.staging`
- `backend/app/.env`
- `xtablo-expo/.env`
**Note:** The files still exist locally - they're just no longer tracked by git.
## Updated .gitignore
Both `.gitignore` files have been updated to prevent this in the future:
```gitignore
# Environment files
.env*
!.env.example
```
This will:
- ✅ Ignore all `.env*` files (`.env`, `.env.development`, `.env.production`, etc.)
- ✅ Allow `.env.example` files to be committed (they should contain no real secrets)
## ⚠️ IMPORTANT: Security Actions Required
### 1. Review Git History
The `.env` files may have been committed in the past with sensitive credentials. Check the git history:
```bash
# See when .env files were last committed
git log --all --full-history -- "**/.env*"
# View the contents of a specific commit (replace COMMIT_HASH)
git show COMMIT_HASH:api/.env.production
```
### 2. Rotate Compromised Credentials
If any of these files were committed with real credentials, you should **rotate those credentials immediately**:
#### For API secrets in `api/.env.*`:
- [ ] **Supabase**: Regenerate service role key (Supabase Dashboard → Settings → API)
- [ ] **Stripe**: Regenerate secret keys (Stripe Dashboard → Developers → API keys)
- [ ] **Stream Chat**: Regenerate API secret (Stream Dashboard)
- [ ] **Email OAuth**: Revoke and regenerate OAuth tokens (Google Cloud Console)
- [ ] **Cloudflare R2**: Regenerate access keys (Cloudflare Dashboard → R2 → Manage R2 API Tokens)
#### For frontend env files:
- [ ] Check if any sensitive keys were in `apps/main/.env.*` or `apps/external/.env.*`
- [ ] Regenerate any exposed publishable keys if necessary
### 3. Use Google Secret Manager for Production
Since you've just set up Google Secret Manager, move your production secrets there:
```bash
# Migrate production secrets to Google Secret Manager
cd api
./scripts/migrate-env-to-secrets.sh .env.production your-gcp-project-id
# Verify they were created
./scripts/verify-secrets.sh your-gcp-project-id
```
After migrating:
- Delete the local `.env.production` file (or remove all sensitive values)
- Use `.env.example` as a template for what should be configured
### 4. Clean Git History (Optional but Recommended)
If sensitive credentials were committed, consider cleaning the git history. **Warning: This is destructive and requires team coordination.**
```bash
# Option A: Using BFG Repo-Cleaner (recommended)
# Download from: https://rtyley.github.io/bfg-repo-cleaner/
java -jar bfg.jar --delete-files .env.* --no-blob-protection
git reflog expire --expire=now --all
git gc --prune=now --aggressive
# Option B: Using git-filter-repo
# Install: pip install git-filter-repo
git filter-repo --path-glob '**/.env.*' --invert-paths
# After either option, force push (coordinate with team first!)
git push origin --force --all
```
**Important:** Cleaning git history will:
- Rewrite all commit hashes
- Require all team members to re-clone the repository
- Break any external references to commits (PRs, issues, etc.)
Only do this if:
1. You've confirmed sensitive credentials were committed
2. You've rotated all those credentials
3. You've coordinated with your team
### 5. Prevent Future Issues
**Best Practices:**
1. **Always use `.env.example`** files (committed) with placeholder values:
```bash
# .env.example
STRIPE_SECRET_KEY=sk_test_REPLACE_ME
SUPABASE_SERVICE_ROLE_KEY=REPLACE_WITH_YOUR_KEY
```
2. **Never commit actual `.env` files** - they're now in `.gitignore`
3. **Use Google Secret Manager** for production/staging environments
4. **Review files before committing:**
```bash
git status
git diff --cached
```
5. **Use pre-commit hooks** to prevent accidental commits:
```bash
# Install pre-commit: https://pre-commit.com/
# Add a hook to check for secrets
```
## Current Status
`.env` files removed from git tracking
`.gitignore` updated to prevent future commits
✅ Local `.env` files preserved (still work for development)
⚠️ Files staged for removal (need to commit)
## Next Steps
1. **Review this security notice carefully**
2. **Check git history** for exposed credentials
3. **Rotate any exposed credentials**
4. **Commit the changes:**
```bash
git add .gitignore
git commit -m "security: Remove .env files from git and update .gitignore"
```
5. **Push the changes** (after rotating credentials if needed)
6. **Migrate production secrets** to Google Secret Manager
## Questions or Concerns?
If you have questions about:
- What credentials might be exposed
- How to rotate specific credentials
- Cleaning git history
- Setting up Google Secret Manager
Please refer to:
- `docs/GOOGLE_SECRET_MANAGER_SETUP.md` - For Secret Manager setup
- `api/GOOGLE_SECRET_MANAGER.md` - Quick reference
- Your cloud provider's documentation for credential rotation
---
**Generated:** 2025-11-03
**Action Required:** See checklist above
Reference in a new issue View git blame Copy permalink