From 62df5073069553112ac2dc010d9ddde3946d1923 Mon Sep 17 00:00:00 2001 From: way2nafea Date: Mon, 6 Jul 2026 14:32:10 +0530 Subject: [PATCH 1/2] chore(secrets): remove tracked backend/.env from index, add .env.example, sanitize env and document usage --- .gitignore | 38 +++++++++ README.md | 42 ++++++++++ backend/.env | 158 ------------------------------------- backend/.env.example | 56 +++++++++++++ backend/docker-compose.yml | 6 +- 5 files changed, 139 insertions(+), 161 deletions(-) create mode 100644 .gitignore delete mode 100644 backend/.env diff --git a/.gitignore b/.gitignore new file mode 100644 index 00000000..33aec596 --- /dev/null +++ b/.gitignore @@ -0,0 +1,38 @@ +# Python +__pycache__/ +*.py[cod] +*.pyo +*.pyd +env/ +venv/ +ENV/ +.venv/ + +# Environment files +.env +*.env +backend/.env + +# Node +node_modules/ +dist/ +frontend/dist/ +frontend/node_modules/ + +# Build +.vite/ +/.nitro + +# IDEs +.vscode/ +.idea/ +*.suo +*.ntvs* +*.njsproj +*.sln +*.swp +.DS_Store + +# Logs +logs/ +*.log diff --git a/README.md b/README.md index 97a788c8..85d6cd16 100644 --- a/README.md +++ b/README.md @@ -395,6 +395,48 @@ VITE_APP_NAME=DevLink --- +## Managing Secrets (local development) + +IMPORTANT: Do not commit real secrets to the repository. Use `backend/.env.example` as a template and create a local `backend/.env` that is ignored by git. + +1. Copy the example file locally: + +```bash +cp backend/.env.example backend/.env +``` + +2. Generate a strong `SECRET_KEY` (example using Python): + +```bash +python -c "import secrets; print(secrets.token_urlsafe(48))" > /dev/null +# then paste the printed value into backend/.env for SECRET_KEY +``` + +Or using OpenSSL: + +```bash +openssl rand -base64 48 +``` + +3. Store database credentials locally only (do not commit). For development with `docker-compose`, you can set the DB password in your shell or a local `.env` copied from the example: + +```bash +export POSTGRES_PASSWORD="your_local_db_password" +docker compose up +``` + +4. Rotating secrets: + +- Revoke or rotate any API keys (OpenAI, Cloudinary, AWS) from their provider consoles. +- Change your database password and update any environment variables or secret stores. +- Generate a new `SECRET_KEY` and deploy it to your environment. +- Invalidate existing user sessions/tokens if possible (rotate DB token version or flush token blacklist store). + +5. After rotating, ensure CI/CD uses secure secret storage (GitHub Actions secrets, Vault, AWS Secrets Manager) rather than reading secrets from repo files. + +If any secret was previously committed, remove it from git history (force push required). See the Security section for suggested steps. + + # Development Workflow ``` diff --git a/backend/.env b/backend/.env deleted file mode 100644 index 6d4e283c..00000000 --- a/backend/.env +++ /dev/null @@ -1,158 +0,0 @@ -# ========================================================== -# DevLink Backend Environment Configuration -# ========================================================== - -# ---------------------------------------------------------- -# Application -# ---------------------------------------------------------- - -APP_NAME="DevLink API" -APP_VERSION="1.0.0" -ENVIRONMENT="development" -DEBUG=true - -HOST="0.0.0.0" -PORT=8000 - -# ---------------------------------------------------------- -# Security -# ---------------------------------------------------------- - -SECRET_KEY="CHANGE_THIS_TO_A_LONG_RANDOM_SECRET_KEY_AT_LEAST_64_CHARACTERS" - -JWT_ALGORITHM="HS256" - -ACCESS_TOKEN_EXPIRE_MINUTES=30 -REFRESH_TOKEN_EXPIRE_DAYS=7 - -PASSWORD_HASH_SCHEME="bcrypt" - -# ---------------------------------------------------------- -# Database -# ---------------------------------------------------------- - -DATABASE_URL="postgresql+psycopg://postgres:devlink123@localhost:5432/devlink" - -# ---------------------------------------------------------- -# Redis -# ---------------------------------------------------------- - -REDIS_URL="redis://localhost:6379/0" - -# ---------------------------------------------------------- -# CORS -# ---------------------------------------------------------- - -ALLOWED_ORIGINS=http://localhost:5173,http://localhost:5174,http://localhost:3000 - -# ---------------------------------------------------------- -# Email -# ---------------------------------------------------------- - -SMTP_HOST="smtp.gmail.com" -SMTP_PORT=587 - -SMTP_USERNAME="" -SMTP_PASSWORD="" - -EMAIL_FROM="noreply@devlink.app" - -# ---------------------------------------------------------- -# GitHub OAuth -# ---------------------------------------------------------- - -GITHUB_CLIENT_ID="" -GITHUB_CLIENT_SECRET="" - -# ---------------------------------------------------------- -# Google OAuth -# ---------------------------------------------------------- - -GOOGLE_CLIENT_ID="" -GOOGLE_CLIENT_SECRET="" - -# ---------------------------------------------------------- -# OpenAI -# ---------------------------------------------------------- - -OPENAI_API_KEY="" - -# ---------------------------------------------------------- -# Gemini -# ---------------------------------------------------------- - -GEMINI_API_KEY="" - -# ---------------------------------------------------------- -# Cloudinary -# ---------------------------------------------------------- - -CLOUDINARY_CLOUD_NAME="" -CLOUDINARY_API_KEY="" -CLOUDINARY_API_SECRET="" - -# ---------------------------------------------------------- -# AWS -# ---------------------------------------------------------- - -AWS_ACCESS_KEY_ID="" -AWS_SECRET_ACCESS_KEY="" -AWS_BUCKET_NAME="" -AWS_REGION="" - -# ---------------------------------------------------------- -# Logging -# ---------------------------------------------------------- - -LOG_LEVEL="INFO" - -# ---------------------------------------------------------- -# Rate Limiting -# ---------------------------------------------------------- - -DEFAULT_RATE_LIMIT="100/minute" -LOGIN_RATE_LIMIT="5/minute" -REGISTER_RATE_LIMIT="3/minute" - -# ---------------------------------------------------------- -# Security Headers -# ---------------------------------------------------------- - -ENABLE_HSTS=true -ENABLE_CSP=true -ENABLE_X_FRAME_OPTIONS=true -ENABLE_X_CONTENT_TYPE_OPTIONS=true - -# ---------------------------------------------------------- -# Celery -# ---------------------------------------------------------- - -CELERY_BROKER_URL="redis://localhost:6379/1" -CELERY_RESULT_BACKEND="redis://localhost:6379/2" - -# ---------------------------------------------------------- -# WebSocket -# ---------------------------------------------------------- - -WEBSOCKET_HEARTBEAT=30 - -# ---------------------------------------------------------- -# File Uploads -# ---------------------------------------------------------- - -MAX_UPLOAD_SIZE_MB=10 -ALLOWED_IMAGE_TYPES=image/png,image/jpeg,image/webp - -# ---------------------------------------------------------- -# Feature Flags -# ---------------------------------------------------------- - -ENABLE_EMAIL_VERIFICATION=true -ENABLE_GOOGLE_LOGIN=true -ENABLE_GITHUB_LOGIN=true -ENABLE_AI_ASSISTANT=true -ENABLE_NOTIFICATIONS=true -ENABLE_CHAT=true -ENABLE_BUILDER_FLARE=true -ENABLE_PROJECTS=true -ENABLE_APPLICATIONS=true \ No newline at end of file diff --git a/backend/.env.example b/backend/.env.example index e81dff0b..9393fc86 100644 --- a/backend/.env.example +++ b/backend/.env.example @@ -1,3 +1,59 @@ +# DevLink Backend Environment Example +# Copy this file to backend/.env and fill in secret values locally. + +APP_NAME="DevLink API" +APP_VERSION="1.0.0" +ENVIRONMENT="development" +DEBUG=true + +HOST="0.0.0.0" +PORT=8000 + +# Security +SECRET_KEY="replace-with-a-strong-random-secret-at-least-32-characters" +JWT_ALGORITHM="HS256" + +ACCESS_TOKEN_EXPIRE_MINUTES=30 +REFRESH_TOKEN_EXPIRE_DAYS=7 +PASSWORD_HASH_SCHEME="bcrypt" + +# Database - these will be consumed by docker-compose variable substitution +POSTGRES_DB=devlink +POSTGRES_USER=postgres +POSTGRES_PASSWORD=replace-with-db-password + +DATABASE_URL="postgresql+psycopg://postgres:${POSTGRES_PASSWORD}@localhost:5432/${POSTGRES_DB}" + +# Redis +REDIS_URL="redis://localhost:6379/0" + +# CORS +ALLOWED_ORIGINS=http://localhost:5173,http://localhost:5174,http://localhost:3000 + +# Email +SMTP_HOST="smtp.example.com" +SMTP_PORT=587 +SMTP_USERNAME="" +SMTP_PASSWORD="" +EMAIL_FROM="noreply@devlink.app" + +# OAuth +GITHUB_CLIENT_ID="" +GITHUB_CLIENT_SECRET="" +GOOGLE_CLIENT_ID="" +GOOGLE_CLIENT_SECRET="" + +# AI +OPENAI_API_KEY="" +GEMINI_API_KEY="" + +# Cloudinary / AWS +CLOUDINARY_CLOUD_NAME="" +CLOUDINARY_API_KEY="" +CLOUDINARY_API_SECRET="" +AWS_ACCESS_KEY_ID="" +AWS_SECRET_ACCESS_KEY="" +AWS_BUCKET_NAME="" # ========================================================== # DevLink Backend Environment Configuration # ========================================================== diff --git a/backend/docker-compose.yml b/backend/docker-compose.yml index b73849c1..f05c7210 100644 --- a/backend/docker-compose.yml +++ b/backend/docker-compose.yml @@ -13,9 +13,9 @@ services: restart: unless-stopped environment: - POSTGRES_DB: devlink - POSTGRES_USER: postgres - POSTGRES_PASSWORD: devlink123 + POSTGRES_DB: ${POSTGRES_DB:-devlink} + POSTGRES_USER: ${POSTGRES_USER:-postgres} + POSTGRES_PASSWORD: ${POSTGRES_PASSWORD} ports: - "5432:5432" From 3a08766615e20c7f57a30a468d4115960c2aa069 Mon Sep 17 00:00:00 2001 From: way2nafea Date: Mon, 6 Jul 2026 20:32:01 +0530 Subject: [PATCH 2/2] fix: update frontend package-lock.json --- frontend/package-lock.json | 54 +++++++++----------------------------- 1 file changed, 12 insertions(+), 42 deletions(-) diff --git a/frontend/package-lock.json b/frontend/package-lock.json index ef4e8328..5b0d56c9 100644 --- a/frontend/package-lock.json +++ b/frontend/package-lock.json @@ -2299,9 +2299,6 @@ "cpu": [ "arm64" ], - "libc": [ - "glibc" - ], "license": "MIT", "optional": true, "os": [ @@ -2318,9 +2315,6 @@ "cpu": [ "arm64" ], - "libc": [ - "musl" - ], "license": "MIT", "optional": true, "os": [ @@ -2337,9 +2331,6 @@ "cpu": [ "ppc64" ], - "libc": [ - "glibc" - ], "license": "MIT", "optional": true, "os": [ @@ -2356,9 +2347,6 @@ "cpu": [ "s390x" ], - "libc": [ - "glibc" - ], "license": "MIT", "optional": true, "os": [ @@ -2375,9 +2363,6 @@ "cpu": [ "x64" ], - "libc": [ - "glibc" - ], "license": "MIT", "optional": true, "os": [ @@ -2394,9 +2379,6 @@ "cpu": [ "x64" ], - "libc": [ - "musl" - ], "license": "MIT", "optional": true, "os": [ @@ -2619,9 +2601,6 @@ "cpu": [ "arm64" ], - "libc": [ - "glibc" - ], "license": "MIT", "optional": true, "os": [ @@ -2638,9 +2617,6 @@ "cpu": [ "arm64" ], - "libc": [ - "musl" - ], "license": "MIT", "optional": true, "os": [ @@ -2657,9 +2633,6 @@ "cpu": [ "x64" ], - "libc": [ - "glibc" - ], "license": "MIT", "optional": true, "os": [ @@ -2676,9 +2649,6 @@ "cpu": [ "x64" ], - "libc": [ - "musl" - ], "license": "MIT", "optional": true, "os": [ @@ -5519,9 +5489,6 @@ "cpu": [ "arm64" ], - "libc": [ - "glibc" - ], "license": "MPL-2.0", "optional": true, "os": [ @@ -5542,9 +5509,6 @@ "cpu": [ "arm64" ], - "libc": [ - "musl" - ], "license": "MPL-2.0", "optional": true, "os": [ @@ -5565,9 +5529,6 @@ "cpu": [ "x64" ], - "libc": [ - "glibc" - ], "license": "MPL-2.0", "optional": true, "os": [ @@ -5588,9 +5549,6 @@ "cpu": [ "x64" ], - "libc": [ - "musl" - ], "license": "MPL-2.0", "optional": true, "os": [ @@ -6522,6 +6480,18 @@ } } }, + "node_modules/nitro/node_modules/lru-cache": { + "version": "11.5.1", + "resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-11.5.1.tgz", + "integrity": "sha512-RPimw/7aMdv2oqRrxKwvZXcPfwBrn/JZ2xYcY9Hus/6LaS3VOAKVWKWgNLCFSiOm1ESXinjsDlidVU7JlnCN2A==", + "dev": true, + "license": "BlueOak-1.0.0", + "optional": true, + "peer": true, + "engines": { + "node": "20 || >=22" + } + }, "node_modules/nitro/node_modules/unstorage": { "version": "2.0.0-alpha.7", "resolved": "https://registry.npmjs.org/unstorage/-/unstorage-2.0.0-alpha.7.tgz",