From cfb13eb870454a9dfbf9da701219ddea84dd0baf Mon Sep 17 00:00:00 2001 From: nickviljoen Date: Thu, 14 May 2026 23:13:18 +0200 Subject: [PATCH] chore(secrets): untrack env files + add JWT path to .gitignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit backend/config/development.env and backend/config/production.env were committed to the repo with real API keys, SMTP passwords, and Flask SECRET_KEY values. This commit: 1. Adds both files to .gitignore so future edits stop landing in git. 2. git rm --cached's them (local copies preserved on disk, just untracked). 3. Also pre-emptively adds backend/config/box_jwt_config.json to .gitignore — Phase 4 already gitignores it on a separate branch, but listing it here protects the file regardless of merge order. 4. Updates backend/config/.env.template with the new Box JWT-related vars (BOX_JWT_CONFIG_PATH, BOX_WEBHOOK_PRIMARY_KEY, BOX_WEBHOOK_SECONDARY_KEY) so the template is a complete reference for setting up a new environment from scratch. IMPORTANT — secrets still in git history after this commit. Removing them from history requires a destructive rewrite (git filter-repo + force-push every branch). Pragmatic alternative: rotate any secret that was ever in the files. Candidates: OPENAI_API_KEY, BOX_CLIENT_SECRET, SECRET_KEY, SMTP_PASSWORD. AZURE_TENANT_ID and AZURE_CLIENT_ID are public-ish identifiers and don't need rotating. GOOGLE_API_KEY just rotated this session. DEPLOY GOTCHA: deploy.sh does git reset --hard, which will delete the env files from /opt/ai_qc/backend/config/ on the server when this commit lands. Back them up before deploying, restore after: sudo cp /opt/ai_qc/backend/config/development.env /tmp/dev.env.bak # ...deploy... sudo cp /tmp/dev.env.bak /opt/ai_qc/backend/config/development.env sudo systemctl restart ai-qc.service Same dance on prod with production.env when promoting. Co-Authored-By: Claude Opus 4.7 (1M context) --- .gitignore | 3 +++ backend/config/.env.template | 17 ++++++++++++-- backend/config/development.env | 43 ---------------------------------- backend/config/production.env | 42 --------------------------------- 4 files changed, 18 insertions(+), 87 deletions(-) delete mode 100644 backend/config/development.env delete mode 100644 backend/config/production.env diff --git a/.gitignore b/.gitignore index 90ba9d3..d3dd778 100644 --- a/.gitignore +++ b/.gitignore @@ -74,3 +74,6 @@ backend/media_plans/ backend/usage_logs/ backend/user_access.json backend/box_tokens.json +backend/config/development.env +backend/config/production.env +backend/config/box_jwt_config.json diff --git a/backend/config/.env.template b/backend/config/.env.template index 8956307..97b00f2 100644 --- a/backend/config/.env.template +++ b/backend/config/.env.template @@ -36,7 +36,7 @@ SENDER_EMAIL=noreply@your-domain.com ERROR_EMAIL=admin@your-domain.com REPORT_EMAILS=admin@your-domain.com -# Box.com OAuth (per-creator user authentication for automation folders) +# Box.com OAuth (per-creator user authentication — legacy/dormant scaffolding) # Register a Custom App with OAuth 2.0 (User Authentication) in Box Developer Console. # In the app's Configuration tab, add ALL the redirect URIs you'll use: # http://localhost:7183/auth/box/callback (local dev) @@ -46,4 +46,17 @@ REPORT_EMAILS=admin@your-domain.com # to set BOX_REDIRECT_URI per server — uncomment only as an override. BOX_CLIENT_ID=your-box-client-id BOX_CLIENT_SECRET=your-box-client-secret -# BOX_REDIRECT_URI= \ No newline at end of file +# BOX_REDIRECT_URI= + +# Box.com JWT (service-account auth — used by /api/box/webhook for unattended QC) +# Drop the JSON Box gives you for the "Custom App with Server Authentication (JWT)" +# at backend/config/box_jwt_config.json (gitignored, scp'd onto each server). +# Override the path with BOX_JWT_CONFIG_PATH if you store it elsewhere. +# BOX_JWT_CONFIG_PATH=/opt/ai_qc/backend/config/box_jwt_config.json + +# Box V2 webhook signing keys (one app-level pair, used by every webhook the +# Custom App owns). Get them from Box Developer Console → Custom App → Webhooks +# tab → "Manage Signature Keys". Both are valid simultaneously — Box uses a +# rolling-rotate model so you can rotate one at a time without downtime. +BOX_WEBHOOK_PRIMARY_KEY= +BOX_WEBHOOK_SECONDARY_KEY= \ No newline at end of file diff --git a/backend/config/development.env b/backend/config/development.env deleted file mode 100644 index 49053ad..0000000 --- a/backend/config/development.env +++ /dev/null @@ -1,43 +0,0 @@ -# Development Environment Configuration -# This file is used for local development testing - -# OpenAI Configuration -OPENAI_API_KEY=sk-svcacct-HSREzGYDnN-vCVGAh6LhYqlNcJVF2oefMrY9oCsdDsQFmyVJyHpLb1eSb_mp_vP4YPl4T3BlbkFJzKaOrPghIzx76_22K8VjwO6j2JnoDEvrYDrgfrnA4WjD5sTMnhOqGHXximwGXFhUoYgA -GOOGLE_API_KEY=AIzaSyDMWN_PAnyU7bPmtWcEKq4LJfiu1KuwUsU - -# Azure AD / MSAL Authentication Configuration (Development App Registration) -# NOTE: You'll need to create a separate app registration for development -AZURE_TENANT_ID=e519c2e6-bc6d-4fdf-8d9c-923c2f002385 -AZURE_CLIENT_ID=9079054c-9620-4757-a256-23413042f1ef -AZURE_REDIRECT_URI=http://localhost:7183 - -# Flask Configuration -FLASK_ENV=development -SECRET_KEY=dev-secret-key-change-this-for-security -DEBUG_MODE=true -PORT=7183 - -# Application Configuration -ENVIRONMENT=development -BASE_URL=http://localhost:7183 -UPLOAD_FOLDER=uploads-dev -OUTPUT_FOLDER=output-dev - -# Development-specific settings -LOG_LEVEL=DEBUG -ENABLE_DEBUG_ENDPOINTS=true - -# Mailgun / SMTP (for email notifications) -SMTP_SERVER=smtp.mailgun.org -SMTP_PORT=587 -SMTP_USER=twist@mail.dev.oliver.solutions -SMTP_PASSWORD=102115e9f3b9d7332d0cd1d4329bc0d4-77751bfc-ca066b71 -SENDER_EMAIL=TWIST-UK-SERVER@oliver.agency -ERROR_EMAIL=nick.viljoen@brandtech.plus -REPORT_EMAILS=nick.viljoen@brandtech.plus - -# Box.com OAuth (per-creator user authentication for automation folders) -# Redirect URI is computed from each request — no need to hardcode it per server. -# Set BOX_REDIRECT_URI here only as an override if request-based detection fails. -BOX_CLIENT_ID=o9zxyl6j917q0bkndrwfi2x5zbdeanh5 -BOX_CLIENT_SECRET=yejdbWTeBOcdsDImpNQ7nvLJZad3e0Jm \ No newline at end of file diff --git a/backend/config/production.env b/backend/config/production.env deleted file mode 100644 index dba396a..0000000 --- a/backend/config/production.env +++ /dev/null @@ -1,42 +0,0 @@ -# Production Environment Configuration -# This file is used for production deployment on the web server - -# OpenAI Configuration -OPENAI_API_KEY=sk-svcacct-HSREzGYDnN-vCVGAh6LhYqlNcJVF2oefMrY9oCsdDsQFmyVJyHpLb1eSb_mp_vP4YPl4T3BlbkFJzKaOrPghIzx76_22K8VjwO6j2JnoDEvrYDrgfrnA4WjD5sTMnhOqGHXximwGXFhUoYgA -GOOGLE_API_KEY=AIzaSyDMWN_PAnyU7bPmtWcEKq4LJfiu1KuwUsU - -# Azure AD / MSAL Authentication Configuration (Production) -AZURE_TENANT_ID=e519c2e6-bc6d-4fdf-8d9c-923c2f002385 -AZURE_CLIENT_ID=9079054c-9620-4757-a256-23413042f1ef -AZURE_REDIRECT_URI=https://ai-sandbox.oliver.solutions/ai_qc/ - -# Flask Configuration -FLASK_ENV=production -SECRET_KEY=prod-ai-qc-oliver-solutions-2025-secure-key-9f8e7d6c5b4a3 -DEBUG_MODE=false -PORT=7184 - -# Application Configuration -ENVIRONMENT=production -BASE_URL=https://ai-sandbox.oliver.solutions/ai_qc -UPLOAD_FOLDER=uploads -OUTPUT_FOLDER=output - -# Production-specific settings -LOG_LEVEL=INFO -ENABLE_DEBUG_ENDPOINTS=false - -# Mailgun / SMTP (for email notifications) -SMTP_SERVER=smtp.mailgun.org -SMTP_PORT=587 -SMTP_USER=twist@mail.dev.oliver.solutions -SMTP_PASSWORD=102115e9f3b9d7332d0cd1d4329bc0d4-77751bfc-ca066b71 -SENDER_EMAIL=TWIST-UK-SERVER@oliver.agency -ERROR_EMAIL=nick.viljoen@brandtech.plus -REPORT_EMAILS=nick.viljoen@brandtech.plus - -# Box.com OAuth (per-creator user authentication for automation folders) -# Redirect URI is computed from each request — no need to hardcode it per server. -# Set BOX_REDIRECT_URI here only as an override if request-based detection fails. -BOX_CLIENT_ID=o9zxyl6j917q0bkndrwfi2x5zbdeanh5 -BOX_CLIENT_SECRET=yejdbWTeBOcdsDImpNQ7nvLJZad3e0Jm \ No newline at end of file