xtablo-source/SECURITY_NOTICE.md
2025-11-04 10:53:31 +01:00

⚠️ SECURITY NOTICE - .env Files Removed from Git

What Happened

Multiple .env files containing potentially sensitive credentials were being tracked in git. These files have now been removed from version control but remain on your local filesystem.

Files Removed from Git

The following files were removed from git tracking:

  • api/.env.development
  • api/.env.production
  • api/.env.staging
  • apps/external/.env.production
  • apps/main/.env.production
  • apps/main/.env.staging
  • backend/app/.env
  • xtablo-expo/.env

Note: the files still exist locally. They were removed from the index only (the equivalent of git rm --cached), so nothing in your working tree changed and local development keeps working.

Updated .gitignore

Both .gitignore files have been updated to prevent this in the future:

# Environment files
.env*
!.env.example

This will:

  • Ignore all .env* files (.env, .env.development, .env.production, etc.; the pattern also catches names such as .envrc)
  • Allow .env.example files to be committed (they should contain no real secrets)

Keep in mind that .gitignore only stops new files from being added. Files already in the index stay tracked no matter what .gitignore says, which is why the explicit untracking above was needed and why a future "git add -f" would bypass the rule.

⚠️ IMPORTANT: Security Actions Required

1. Review Git History

The .env files may have been committed in the past with sensitive credentials. Check the git history (--all covers every branch, tag and remote-tracking ref, not just the checked-out branch; --full-history keeps commits that history simplification would otherwise hide):

# See when .env files were last committed
git log --all --full-history -- "**/.env*"

# View the contents of a specific commit (replace COMMIT_HASH)
git show COMMIT_HASH:api/.env.production

2. Rotate Compromised Credentials

If any of these files were committed with real credentials, rotate those credentials immediately. Treat every value in a committed file as exposed even if the repository is private: once pushed, the commit may sit in other clones, forks and the host's caches, and only rotation takes the old value out of service.

For API secrets in api/.env.*:

  • Supabase: Regenerate the service role key (Supabase Dashboard → Settings → API); this key bypasses Row Level Security, so treat its exposure as full database access
  • Stripe: Regenerate secret keys (Stripe Dashboard → Developers → API keys)
  • Stream Chat: Regenerate API secret (Stream Dashboard)
  • Email OAuth: Revoke and regenerate OAuth tokens (Google Cloud Console)
  • Cloudflare R2: Regenerate access keys (Cloudflare Dashboard → R2 → Manage R2 API Tokens)

For frontend env files:

  • Check whether any secret keys (a Supabase service role key, a Stripe secret key, an API secret) ended up in apps/main/.env.* or apps/external/.env.*; values a frontend build embeds are visible to every user anyway, so secrets there must be rotated and moved to the backend
  • Publishable keys (Stripe pk_*, the Supabase anon key) are designed to ship to browsers and mobile apps and do not need rotation merely because they were committed; rotate them only if their scope was wider than intended

3. Use Google Secret Manager for Production

Since you've just set up Google Secret Manager, move your production secrets there:

# Migrate production secrets to Google Secret Manager
cd api
./scripts/migrate-env-to-secrets.sh .env.production your-gcp-project-id

# Verify they were created
./scripts/verify-secrets.sh your-gcp-project-id

After migrating:

  • Delete the local .env.production file (or remove all sensitive values)
  • Use .env.example as a template for what should be configured
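As an added illustration (not the project's scripts/migrate-env-to-secrets.sh, whose contents are not shown here), the POSIX shell script below shows what such a migration has to get right: parse the dotenv format properly (comments, an "export" prefix, quoted values, values that themselves contain "=") and hand each value to gcloud on stdin rather than as a command-line argument, so it never lands in shell history or in "ps" output. The function names are made up for this example; it assumes an authenticated gcloud CLI with permission to create secrets in the target project.

```shell
#!/bin/sh
# Added illustration, not the project's own migrate-env-to-secrets.sh:
# one Secret Manager secret per dotenv variable, value passed via stdin.
# Assumes an authenticated gcloud CLI; function names are invented here.
# Usage: migrate_env_to_secrets FILE PROJECT_ID [--dry-run]

# Emit "KEY<TAB>VALUE" for each assignment in a dotenv file. Skips blank
# lines and # comments, accepts an "export " prefix, keeps "=" inside values,
# strips one layer of matching single or double quotes, rejects bad names.
parse_dotenv() {
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line#"${line%%[![:space:]]*}"}          # drop leading whitespace
    case "$line" in ''|'#'*) continue ;; esac      # blank line or comment
    line=${line#"export "}                         # "export KEY=VALUE" form
    case "$line" in *=*) ;; *) continue ;; esac    # not an assignment
    key=${line%%=*}
    value=${line#*=}
    case "$key" in
      ''|[0-9]*|*[!A-Za-z0-9_]*)
        echo "parse_dotenv: skipping malformed key '$key'" >&2; continue ;;
    esac
    case "$value" in
      \"*\") value=${value#\"}; value=${value%\"} ;;
      \'*\') value=${value#\'}; value=${value%\'} ;;
    esac
    printf '%s\t%s\n' "$key" "$value"
  done < "$1"
}

# Create a secret, or add a version if it already exists. The value is
# piped to --data-file=- so it is never a command-line argument.
put_secret() {                      # put_secret PROJECT NAME VALUE
  if gcloud secrets describe "$2" --project="$1" >/dev/null 2>&1; then
    printf '%s' "$3" | gcloud secrets versions add "$2" --project="$1" --data-file=-
  else
    printf '%s' "$3" | gcloud secrets create "$2" --project="$1" \
      --replication-policy=automatic --data-file=-
  fi
}

# Push every variable in FILE to PROJECT. With --dry-run only report what
# would be stored (names and value lengths, never the values themselves).
migrate_env_to_secrets() {          # FILE PROJECT [--dry-run]
  [ -r "$1" ] || { echo "cannot read $1" >&2; return 1; }
  while IFS="$(printf '\t')" read -r key value; do
    [ -n "$key" ] || continue
    if [ "${3:-}" = "--dry-run" ]; then
      echo "would store $key (${#value} chars) in project $2"
    else
      put_secret "$2" "$key" "$value" || { echo "failed on $key" >&2; return 1; }
    fi
  done <<EOF
$(parse_dotenv "$1")
EOF
}

# Run as a script: sh migrate.sh .env.production my-gcp-project --dry-run
if [ "$#" -ge 2 ]; then
  migrate_env_to_secrets "$@"
fi
```

Run it with --dry-run first and compare the reported names against .env.example; a variable that is missing from the example file is a sign that the template is out of date. Because gcloud reads the value from stdin, the secret does not appear in the process list or in ~/.bash_history, which is exactly the leak a naive "gcloud secrets create NAME --data=..." style loop would reintroduce.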

4. Clean Git History (Optional)

If sensitive credentials were committed, consider cleaning the git history. Warning: this rewrites every commit that touched those files, is destructive, and requires team coordination. It is damage limitation, not a substitute for rotating the credentials.

# Option A: Using BFG Repo-Cleaner (recommended)
# Download from: https://rtyley.github.io/bfg-repo-cleaner/
# BFG works on a bare mirror clone, not on your working repository (replace REPO_URL)
git clone --mirror REPO_URL xtablo-source.git
# Quote the glob so the shell does not expand it. The brace list also catches plain
# ".env" files (backend/app/.env, xtablo-expo/.env), which ".env.*" alone would miss.
# --no-blob-protection is only needed while HEAD still contains the files.
java -jar bfg.jar --delete-files '{.env,.env.*}' --no-blob-protection xtablo-source.git
cd xtablo-source.git
git reflog expire --expire=now --all
git gc --prune=now --aggressive

# Option B: Using git-filter-repo (run it in a fresh clone; it refuses to touch a used one)
# Install: pip install git-filter-repo
# The regex matches .env and .env.<anything> in any directory but keeps .env.example
git filter-repo --invert-paths --path-regex '(^|/)\.env(\.(?!example$)[^/]+)?$'
# filter-repo removes the origin remote as a safety measure; add it back before pushing
git remote add origin REPO_URL

# After either option, force push branches and tags (coordinate with team first!)
git push origin --force --all
git push origin --force --tags

Important: Cleaning git history will:

  • Rewrite all commit hashes
  • Require all team members to re-clone the repository
  • Break any external references to commits (PRs, issues, etc.)
  • Not reach existing clones, forks, CI caches or the hosting provider's copies of the old commits, which is why rotation (step 2) comes first

Only do this if:

  1. You've confirmed sensitive credentials were committed
  2. You've rotated all those credentials
  3. You've coordinated with your team

5. Prevent Future Issues

Best Practices:

  1. Always use .env.example files (committed) with placeholder values:

    # .env.example
    STRIPE_SECRET_KEY=sk_test_REPLACE_ME
    SUPABASE_SERVICE_ROLE_KEY=REPLACE_WITH_YOUR_KEY
    
  2. Never commit actual .env files - they're now in .gitignore

  3. Use Google Secret Manager for production/staging environments

  4. Review files before committing:

    git status
    git diff --cached
    
  5. Use pre-commit hooks to prevent accidental commits:

    # Install pre-commit: https://pre-commit.com/
    # Add a hook that checks for secrets (for example the gitleaks or
    # detect-secrets hooks, or a repo-local script that refuses .env files
    # and lines matching known key prefixes)
    
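The following script is an added example, not part of the project, that puts the two pieces of this notice together: the same credential scanner serves as the history audit from section 1 (every commit on every ref, plus every added line that looks like a key) and as the pre-commit gate suggested in item 5 (staged .env files and staged credential-looking lines block the commit). The regular expressions are an assumption covering the services named above (Stripe key prefixes, JWTs in the form of Supabase service role keys, generic SECRET/TOKEN/PASSWORD assignments) and should be extended for anything else the repo uses; the function names and the placeholder allow-list are mine.

```shell
#!/bin/sh
# Added example, not part of the project. One scanner, used two ways:
#   scan_history     audit all commits for .env files and credential-looking
#                    added lines (the review in section 1)
#   precommit_check  refuse a commit that stages .env files or such lines
#                    (the hook suggested in section 5, item 5)
# The pattern list is an assumption and should be tuned to the services the
# repository actually uses.

SECRET_RE='sk_(live|test)_[0-9A-Za-z]{16,}'                 # Stripe secret keys
SECRET_RE="$SECRET_RE|rk_(live|test)_[0-9A-Za-z]{16,}"      # Stripe restricted keys
SECRET_RE="$SECRET_RE|whsec_[0-9A-Za-z]{16,}"               # Stripe webhook secrets
SECRET_RE="$SECRET_RE|"'eyJ[0-9A-Za-z_-]{10,}\.[0-9A-Za-z_-]{10,}\.[0-9A-Za-z_-]{10,}'  # JWTs
SECRET_RE="$SECRET_RE|(SECRET|TOKEN|PASSWORD|PRIVATE_KEY|API_KEY)[A-Z0-9_]*=[^[:space:]]{8,}"
# Obvious placeholders, as used in .env.example, are not findings.
PLACEHOLDER_RE='REPLACE_ME|REPLACE_WITH|CHANGEME|<[A-Za-z_-]+>'

# Print the stdin lines that look like credentials; exit status 0 iff any.
secret_hits() {
  grep -E -- "$SECRET_RE" | grep -E -v -- "$PLACEHOLDER_RE"
}

# Print the stdin paths that are dotenv files other than .env.example; 0 iff any.
env_file_paths() {
  grep -E '(^|/)\.env(\..+)?$' | grep -E -v '(^|/)\.env\.example$'
}

# Pre-commit gate: inspect only what is staged. Returns 1 to block the commit.
precommit_check() {
  rc=0
  if bad=$(git diff --cached --name-only --diff-filter=AM | env_file_paths); then
    printf 'blocked: environment files are staged:\n%s\n' "$bad" >&2; rc=1
  fi
  if hits=$(git diff --cached -U0 --diff-filter=AM | grep '^+' | grep -v '^+++' | secret_hits); then
    printf 'blocked: credential-looking lines are staged:\n%s\n' "$hits" >&2; rc=1
  fi
  return $rc
}

# History audit: first every commit on any ref that touched a dotenv file,
# then every added line anywhere in history that matches the patterns,
# prefixed with the commit it came from. The second pass reads the whole
# history and can take a while on a large repository.
scan_history() {
  echo '== commits that touched .env files =='
  git log --all --full-history --date=short --format='%h %ad %s' --name-only \
    -- '.env' '.env.*' '*/.env' '*/.env.*'
  echo '== credential-looking lines ever added (commit, TAB, line) =='
  git log --all --full-history -p --date=short --format='commit %h %ad' |
    awk '/^commit /{c=$0; next} /^\+[^+]/{print c "\t" $0}' | secret_hits
}

case "${1:-}" in
  --hook)    precommit_check ;;
  --history) scan_history ;;
esac
```

Save it under a path of your choosing (say scripts/check-secrets.sh, a name chosen for this example) and make .git/hooks/pre-commit a two-line script that runs "exec scripts/check-secrets.sh --hook"; git runs hooks from the repository root, so the relative path works. Run "sh scripts/check-secrets.sh --history" for the audit. Hooks live in .git and are not versioned, so every clone has to install it and CI should run the same scan to catch commits made without it.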

Current Status

.env files removed from git tracking
.gitignore updated to prevent future commits
Local .env files preserved (still work for development)
⚠️ Files staged for removal (need to commit)

Next Steps

  1. Review this security notice carefully
  2. Check git history for exposed credentials
  3. Rotate any exposed credentials
  4. Commit the changes:
    git add .gitignore
    git commit -m "security: Remove .env files from git and update .gitignore"
    
  5. Push the changes (after rotating credentials if needed)
  6. Migrate production secrets to Google Secret Manager

Questions or Concerns?

If you have questions about:

  • What credentials might be exposed
  • How to rotate specific credentials
  • Cleaning git history
  • Setting up Google Secret Manager

Please refer to:

  • docs/GOOGLE_SECRET_MANAGER_SETUP.md - For Secret Manager setup
  • api/GOOGLE_SECRET_MANAGER.md - Quick reference
  • Your cloud provider's documentation for credential rotation

Generated: 2025-11-03
Action Required: See checklist above