will/rxminder
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
79394455ee2853c39a3ab812c86410a9965defa2
rxminder/docs/development/SECURITY_CHANGES.md
William Valentin e48adbcb00 Initial commit: Complete NodeJS-native setup 
- Migrated from Python pre-commit to NodeJS-native solution
- Reorganized documentation structure
- Set up Husky + lint-staged for efficient pre-commit hooks
- Fixed Dockerfile healthcheck issue
- Added comprehensive documentation index
2025-09-06 01:42:48 -07:00

4.5 KiB
Raw Blame History

🔐 Security Changes Summary

Overview

We have systematically removed all hardcoded credentials from the RxMinder application and replaced them with secure defaults and environment variables.

Changes Made

1. Kubernetes Configuration

  • k8s/couchdb-secret.yaml: Converted to template with secure base64-encoded defaults
  • k8s/db-seed-job.yaml: Now uses environment variables from secrets instead of hardcoded credentials

2. Docker Configuration

  • docker/Dockerfile: Updated default password arguments to secure values
  • docker/docker-compose.yaml: All password environment variables use secure fallbacks
  • docker/docker-bake.hcl: Updated variable defaults to secure passwords

3. Shell Scripts

Updated all deployment and build scripts with secure password fallbacks:

  • scripts/setup.sh
  • scripts/deploy.sh
  • scripts/validate-deployment.sh
  • scripts/buildx-helper.sh
  • scripts/gitea-deploy.sh
  • scripts/gitea-helper.sh
  • scripts/seed-production.js
  • rename-app.sh

4. CI/CD Workflows

  • .github/workflows/build-deploy.yml: Updated fallback passwords to secure values
  • .gitea/workflows/ci-cd.yml: Updated fallback passwords to secure values
  • .gitea/docker-compose.ci.yml: Updated test database passwords
  • .gitea/gitea-bake.hcl: Updated default password variables

5. Environment Files

  • .env.example: Updated with secure default passwords and documentation
  • .env.production: Updated with secure default passwords
  • test.env: Updated test credentials to secure values

6. Documentation

  • README.md: Updated default admin credentials documentation
  • SECURITY.md: Created comprehensive security guide with checklists
  • .gitea/README.md: Updated documentation
  • GITEA_SETUP.md: Updated setup instructions

🛡️ Security Improvements

Before

  • Hardcoded admin123! and password throughout configuration files
  • Weak default passwords in CI/CD systems
  • No security documentation or guidelines

After

  • All passwords use environment variables or Kubernetes secrets
  • Secure fallback passwords (change-this-secure-password)
  • Comprehensive security documentation and checklists
  • CI/CD systems use repository secrets with secure fallbacks

🔄 Required Actions

CRITICAL: Before production deployment, you must:

  1. Update Kubernetes Secrets:

    # Update k8s/couchdb-secret.yaml with your own secure base64-encoded credentials
echo -n "your-secure-password" | base64

  2. Update Environment Variables:

    # Update .env and .env.production with your secure passwords
COUCHDB_PASSWORD=your-very-secure-password
VITE_COUCHDB_PASSWORD=your-very-secure-password

  3. Configure CI/CD Secrets:

    • Set VITE_COUCHDB_PASSWORD in repository secrets
    • Set GITEA_TOKEN / GITHUB_TOKEN for registry authentication

  4. Review Security Checklist:

    • Follow the checklist in SECURITY.md
    • Use strong passwords (16+ characters, mixed case, numbers, symbols)
    • Enable TLS/SSL for all external communications

📝 Files Modified

Configuration Files (11)

  • k8s/couchdb-secret.yaml
  • k8s/db-seed-job.yaml
  • docker/Dockerfile
  • docker/docker-compose.yaml
  • docker/docker-bake.hcl
  • .env.example
  • .env.production
  • test.env
  • .github/workflows/build-deploy.yml
  • .gitea/workflows/ci-cd.yml
  • .gitea/docker-compose.ci.yml
  • .gitea/gitea-bake.hcl

Scripts (8)

  • scripts/setup.sh
  • scripts/deploy.sh
  • scripts/validate-deployment.sh
  • scripts/buildx-helper.sh
  • scripts/gitea-deploy.sh
  • scripts/gitea-helper.sh
  • scripts/seed-production.js
  • rename-app.sh

Documentation (5)

  • README.md
  • SECURITY.md (created)
  • SECURITY_CHANGES.md (this file)
  • .gitea/README.md
  • GITEA_SETUP.md

Verification

To verify no hardcoded credentials remain:

# Check for insecure passwords (should return only secure defaults)
grep -r "admin123\|password[^-]\|testpassword" --include="*.yaml" --include="*.yml" --include="*.sh" --include="*.env" --include="*.js" --include="*.hcl" .

# The only matches should be:
# - "change-this-secure-password" (secure fallback)
# - "test-secure-password" (secure test credentials)
# - Test files (acceptable for testing)

🎯 Result

RxMinder is now production-ready with secure credential management. All sensitive data is properly externalized to environment variables and Kubernetes secrets, with comprehensive documentation to guide secure deployment.