azcomputerguru/claudetools
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
49e89c150b7d56c9ec447eeef558ba1f4b71ea19
claudetools/projects/msp-tools/guru-connect/server/.env.example
Mike Swanson cb6054317a Phase 1 Week 1 Day 1-2: Critical Security Fixes Complete 
SEC-1: JWT Secret Security [COMPLETE]
- Removed hardcoded JWT secret from source code
- Made JWT_SECRET environment variable mandatory
- Added minimum 32-character validation
- Generated strong random secret in .env.example

SEC-2: Rate Limiting [DEFERRED]
- Created rate limiting middleware
- Blocked by tower_governor type incompatibility with Axum 0.7
- Documented in SEC2_RATE_LIMITING_TODO.md

SEC-3: SQL Injection Audit [COMPLETE]
- Verified all queries use parameterized binding
- NO VULNERABILITIES FOUND
- Documented in SEC3_SQL_INJECTION_AUDIT.md

SEC-4: Agent Connection Validation [COMPLETE]
- Added IP address extraction and logging
- Implemented 5 failed connection event types
- Added API key strength validation (32+ chars)
- Complete security audit trail

SEC-5: Session Takeover Prevention [COMPLETE]
- Implemented token blacklist system
- Added JWT revocation check in authentication
- Created 5 logout/revocation endpoints
- Integrated blacklist middleware

Files Created: 14 (utils, auth, api, middleware, docs)
Files Modified: 15 (main.rs, auth/mod.rs, relay/mod.rs, etc.)
Security Improvements: 5 critical vulnerabilities fixed
Compilation: SUCCESS
Testing: Required before production deployment

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
2026-01-17 18:48:22 -07:00

34 lines
1.1 KiB
Plaintext
Raw Blame History

# GuruConnect Server Configuration
# REQUIRED: JWT Secret for authentication token signing
# Generate a new secret with: openssl rand -base64 64
# CRITICAL: Change this before deploying to production!
JWT_SECRET=KfPrjjC3J6YMx9q1yjPxZAYkHLM2JdFy1XRxHJ9oPnw0NU3xH074ufHk7fj++e8BJEqRQ5k4zlWD+1iDwlLP4w==
# JWT token expiration in hours (default: 24)
JWT_EXPIRY_HOURS=24
# Database connection URL (PostgreSQL)
# Format: postgresql://username:password@host:port/database
DATABASE_URL=postgresql://guruconnect:password@172.16.3.30:5432/guruconnect
# Maximum database connections in pool
DATABASE_MAX_CONNECTIONS=10
# Server listen address and port
LISTEN_ADDR=0.0.0.0:3002
# Optional: API key for persistent agents
# If set, persistent agents must provide this key to connect
AGENT_API_KEY=
# Debug mode (enables verbose logging)
DEBUG=false
# SECURITY NOTES:
# 1. NEVER commit the actual .env file to git
# 2. Rotate JWT_SECRET regularly (every 90 days recommended)
# 3. Use a unique AGENT_API_KEY per deployment
# 4. Keep DATABASE_URL credentials secure
# 5. Set restrictive file permissions: chmod 600 .env
Reference in New Issue View Git Blame Copy Permalink