Closed richard-churchman closed 6 months ago
Write out to file needs to be removed totally and rely only on Environment Variable. Once the Environment Variable is stored in secure string, the Environment Variable should itself be flushed.
For logging purposes a salted SHA256 hash would be helpful. On the subject of salts, update the documentation to require salts and encryption keys to be passed in the Environment Variable to ensure there is no prospect of leakage.
Removed any code that writes Environment Variables to a local configuration file. The only means to pass configuration to Jube is now through Environment Variables.
The PasswordHashingKey Environment Variable is now optional; however, the JWTKey Environment Variable is mandatory. In the absence of the JWTKey Environment Variable the application will throw a fatal error (also on use of the documentation default value). Given deprecation of the file which mirrored Environment Variables, the PasswordHashingKey is, if available, taken from the DynamicEnvironment for migrations (passed to FluentMigrator using its dependency injection functionality).
Documentation updated in all places that refer to application start to mention the JWTKey Environment Variable being mandatory, while strongly encouraging the use of the PasswordHashingKey Environment Variable.
Removed all code that would otherwise have written Environment Variables to file (including logs). Updated documentation to remove any mention of Environment Variables being written to file.
See b301e5bb.
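The pattern discussed in this issue, as an added C# example that is not Jube's own code and not taken from commit b301e5bb: read each secret from its Environment Variable, clear the variable, fail fast on a missing or documentation-default JWTKey, and log only a salted SHA-256 fingerprint. The names `StartupSecrets`, `Take` and `Fingerprint`, the `DocumentationDefault` placeholder and the sample key and salt are assumptions, and a plain `string` stands in for the secure string mentioned above.

```csharp
#nullable enable
using System;
using System.Security.Cryptography;
using System.Text;

public static class StartupSecrets // hypothetical class, not part of Jube
{
    // Placeholder for the sample value shown in documentation; not Jube's real default.
    private const string DocumentationDefault = "<documentation-default-jwt-key>";
    // Read a secret from the process environment, then delete the variable so later
    // in-process reads and child processes started afterwards no longer see it.
    public static string? Take(string name, bool mandatory)
    {
        var value = Environment.GetEnvironmentVariable(name);
        Environment.SetEnvironmentVariable(name, null); // null deletes it for this process
        if (string.IsNullOrWhiteSpace(value))
        {
            if (mandatory) throw new InvalidOperationException($"{name} Environment Variable is mandatory.");
            return null;
        }
        if (mandatory && value == DocumentationDefault)
            throw new InvalidOperationException($"{name} must not be the documentation default value.");
        return value;
    }

    // Salted SHA-256 fingerprint for logs: identifies which key is loaded without logging it.
    public static string Fingerprint(string secret, byte[] salt)
    {
        var secretBytes = Encoding.UTF8.GetBytes(secret);
        var buffer = new byte[salt.Length + secretBytes.Length];
        Buffer.BlockCopy(salt, 0, buffer, 0, salt.Length);
        Buffer.BlockCopy(secretBytes, 0, buffer, salt.Length, secretBytes.Length);
        var digest = SHA256.HashData(buffer);
        CryptographicOperations.ZeroMemory(buffer);      // wipe the temporary copies
        CryptographicOperations.ZeroMemory(secretBytes);
        return Convert.ToHexString(digest);
    }

    public static void Main()
    {
        Environment.SetEnvironmentVariable("JWTKey", "constructed-sample-key"); // constructed sample
        var salt = Encoding.UTF8.GetBytes("constructed-salt"); // constructed; supply via environment in practice
        var jwtKey = Take("JWTKey", mandatory: true)!;
        var hashingKey = Take("PasswordHashingKey", mandatory: false);
        Console.WriteLine($"JWTKey fingerprint: {Fingerprint(jwtKey, salt)}");
        Console.WriteLine($"PasswordHashingKey supplied: {hashingKey != null}");
        Console.WriteLine($"JWTKey still in environment: {Environment.GetEnvironmentVariable("JWTKey") != null}");
    }
}
```

On Linux, `/proc/<pid>/environ` continues to show the environment block the process was started with, so clearing the variable limits exposure to in-process reads and child processes rather than removing every copy.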