siv-org / siv

Secure Internet Voting protocol
https://siv.org

Move Sensitive Environment Variables to a Secret Management Service #194

Open cjackett opened 3 months ago

cjackett commented 3 months ago

Issue Description

The current implementation in the pages/api/_services.ts file relies heavily on environment variables to manage sensitive credentials such as API keys, JWT secrets, and database connection strings. Storing sensitive information in environment variables poses several security risks, including potential exposure through logs, stack traces, or misconfigured environments. These credentials can be accidentally exposed during debugging or logging, and environment variables do not offer fine-grained access control, leading to possible unauthorized access. Additionally, secrets stored in environment variables are challenging to rotate, which increases the risk if they are compromised.

Sensitive environment variables currently in use include:

These credentials are important for the security and functionality of the application and should be managed securely rather than stored in plaintext within environment variables, particularly in production environments.

Mitigation

  1. Move Sensitive Environment Variables to a Secret Management Service:

    • Use a secure, dedicated secret management service such as:
      • AWS Secrets Manager
      • Google Cloud Secret Manager
      • HashiCorp Vault
    • These services offer enhanced security through encryption, access control, and automated secret rotation.
  2. Update pages/api/_services.ts to Fetch Secrets Securely:

    • Refactor the code to fetch secrets directly from the secret management service rather than relying on environment variables.
  3. Local Development:

    • For local development, set up an equivalent secret storage system to replicate production. Securely store sensitive variables and ensure they are not committed to version control, maintaining consistency and security across environments.
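A sketch of the refactor described in mitigation steps 2 and 3, added here as an example; it is not code from the issue or from the SIV code base. `SecretBackend`, `Secret`, `SecretStore`, `FakeBackend` and the secret names are hypothetical, and the in-memory backend stands in for whichever secret management service is chosen.

```typescript
// Added example: every name here is hypothetical and every secret value is constructed.
// A SecretBackend would wrap the chosen service's SDK in production.
interface SecretBackend {
  fetch(name: string): Promise<string | undefined>
}

// Keeps the value in a closure so string conversion and JSON serialization cannot leak it.
class Secret {
  readonly reveal: () => string
  constructor(value: string) { this.reveal = () => value }
  toString(): string { return '[REDACTED]' }
  toJSON(): string { return '[REDACTED]' }
}

// Short-lived cache: a value rotated in the service is picked up after ttlMs without a redeploy.
class SecretStore {
  private cache = new Map<string, { secret: Secret; expires: number }>()
  constructor(private backend: SecretBackend, private ttlMs: number, private now: () => number = Date.now) {}
  async get(name: string): Promise<Secret> {
    const hit = this.cache.get(name)
    if (hit && hit.expires > this.now()) return hit.secret
    const value = await this.backend.fetch(name)
    // Fail closed: no fallback to process.env, a default, or an empty string.
    if (!value) throw new Error(`secret "${name}" is not available`)
    const secret = new Secret(value)
    this.cache.set(name, { secret, expires: this.now() + this.ttlMs })
    return secret
  }
}

// Constructed in-memory backend for local development and tests.
class FakeBackend implements SecretBackend {
  calls = 0
  constructor(public values: Record<string, string>) {}
  async fetch(name: string): Promise<string | undefined> { this.calls++; return this.values[name] }
}

async function demo() {
  let clock = 0
  const backend = new FakeBackend({ 'demo/jwt-key': 'constructed-v1' })
  const store = new SecretStore(backend, 60000, () => clock)
  const first = await store.get('demo/jwt-key')
  await store.get('demo/jwt-key')                     // cache hit, no backend call
  backend.values['demo/jwt-key'] = 'constructed-v2'   // rotation happens in the service
  clock += 60001                                      // cached entry expires
  const rotated = await store.get('demo/jwt-key')
  const missing = await store.get('demo/db-url').then(() => 'ok', () => 'rejected')
  const logged = JSON.stringify({ first }) + ` ${first}`
  return { calls: backend.calls, first: first.reveal(), rotated: rotated.reveal(), logged, missing }
}
```

Call sites use `reveal()` only at the point where the credential is handed to the client library, so an object that ends up in a log line or a serialized error carries `[REDACTED]` instead of the value.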

arianabuilds commented 3 months ago

Entry Summary for HACK SIV @ DEF CON 2024

Thanks again for participating! This submission earned $0.00 from SIV and $52.14 from the Public Vote, for a total of $52.14.

Here's what we noted in our evaluation:

What's interesting about this submission

What takes away from it

Issue to track getting paid: https://github.com/siv-org/hack.siv.org/issues/10