Address security concerns raised by #1086 #1469
Description
Overview
We have exposed secrets in our codebase that anyone can find and use to mess with our db and/or grab user data. We can fix this by updating the secrets and switching a few config objects to use process.env instead of hardcoded values. This is being addressed on the ts.use_jwt_in_config branch.
Action Items
- Switch config files to use secrets instead of hardcoded values
⚠️ We are here - Update the secrets to new secrets
- Crisis avoided
What we've done so far
- ✅ Change backend/config.auth.config.js to use process.env
- ✅ Build dev.vrms.io and confirm the site works
- ✅ Change frontend/globalSettings to use process.env
- ❌ Build dev.vrms.io and confim the site works
- Site broke, explore why site broke
- We think it's becasue there isn't a REACT_APP_CUSTOM_REQUEST_HEADER secret being provided to the frontend
- Site broke, explore why site broke
- Explore how secrets are provided to the frontend in the build process
- Explore how secrets are provided to the backend in the build process
We think that the environment secrets page at hackforla/VMRS is where the secrets are heldNeither @jbubar or me @spiteless have access to this panel.- Josh and Trillium now have access to the AWS to poke around
@bonniewolfe Can, you either look for us or provide one/both of us access to this panel so we can verify- Are they provided from the hackforla/VRMS github secrets page?
- Are they provided directly in AWS somehow
- Are they provided some other way
- Build dev.vrms.io and confim the site works
- Update the secrets in all the environment variables for production
- Update the secrets in the Google Drive so later devs have the right information