AeThex-Corporation/AeThex-OS
1
0
Fork 0
mirror of https://github.com/AeThex-Corporation/AeThex-OS.git synced 2026-04-17 22:27:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions
AeThex-OS/docs/CREDENTIALS_ROTATION.md
MrPiglr 773cc74c33 Add OAuth 2.0 implementation with secure credential handling 
- Implement server-side OAuth handlers for Discord, Roblox, GitHub
- Add OAuth routes with state validation and PKCE support
- Create comprehensive documentation (setup, rotation, quickstart)
- Add .env to .gitignore to protect credentials
2025-12-24 04:15:25 +00:00

357 lines
9.4 KiB
Markdown
Raw Permalink Blame History

# Credentials Rotation Guide
## 🚨 Security Incident Response
**If credentials are compromised (e.g., accidentally committed to git or shared publicly), follow this guide IMMEDIATELY.**
---
## 🔄 Rotation Priority Order
### 🔴 CRITICAL (Rotate Immediately)
1. **Discord Bot Token** - Full bot control
2. **Stripe Secret Key** - Payment processing access
3. **GitHub Personal Access Token** - Repository access
### 🟡 HIGH (Rotate Before Production)
4. **Discord Client Secret** - OAuth access
5. **Roblox Client Secret** - OAuth access
6. **Roblox Open Cloud API Key** - API access
7. **Stripe Webhook Secret** - Webhook validation
### 🟢 MEDIUM (Rotate When Convenient)
8. **Discord Public Key** - Webhook signature verification
9. **GitHub Client ID/Secret** - OAuth (once registered)
---
## 🎮 Discord Credentials Rotation
### 1. Bot Token
**Why:** Full control over bot actions, can read/send messages, access servers
1. Go to [Discord Developer Portal](https://discord.com/developers/applications)
2. Select your application
3. Navigate to **Bot** section
4. Click **Reset Token**
5. Copy new token to `.env`:
```bash
DISCORD_BOT_TOKEN=NEW_TOKEN_HERE
```
6. Restart your application
### 2. Client Secret
**Why:** Used for OAuth token exchange
1. In Discord Developer Portal, go to **OAuth2** section
2. Click **Reset Secret**
3. Copy new secret to `.env`:
```bash
DISCORD_CLIENT_SECRET=NEW_SECRET_HERE
```
4. Restart your application
### 3. Public Key
**Why:** Used to verify webhook signatures (less critical but good practice)
1. In **General Information** section
2. Click **Regenerate** next to Public Key
3. Update `.env`:
```bash
DISCORD_PUBLIC_KEY=NEW_KEY_HERE
```
---
## 🎲 Roblox Credentials Rotation
### 1. Client Secret
**Why:** Used for OAuth token exchange
1. Go to [Roblox Creator Dashboard](https://create.roblox.com/dashboard/credentials)
2. Find your OAuth 2.0 credential
3. Click **Regenerate Secret**
4. Copy new secret to `.env`:
```bash
ROBLOX_CLIENT_SECRET=NEW_SECRET_HERE
```
5. Restart your application
### 2. Open Cloud API Key
**Why:** Server-to-server API access
1. In Creator Dashboard, go to **API Keys**
2. Find the compromised key
3. Click **Delete** to revoke it
4. Create new API key with same permissions
5. Copy to `.env`:
```bash
ROBLOX_OPEN_CLOUD_API_KEY=NEW_KEY_HERE
```
6. Restart your application
**Note:** Old API key stops working immediately upon deletion.
---
## 🐙 GitHub Credentials Rotation
### 1. Personal Access Token
**Why:** Repository and API access
1. Go to [GitHub Personal Access Tokens](https://github.com/settings/tokens)
2. Find the compromised token
3. Click **Delete** to revoke it
4. Generate new token:
- Click **Generate new token (classic)**
- Select same scopes as before
- Set expiration (recommend 90 days)
5. Copy to `.env`:
```bash
GITHUB_PERSONAL_ACCESS_TOKEN=NEW_TOKEN_HERE
```
6. Restart your application
**Note:** Old token stops working immediately upon deletion.
### 2. OAuth Client Secret
**When you register OAuth app:**
1. Go to [GitHub Developer Settings](https://github.com/settings/developers)
2. Select your OAuth app
3. Click **Generate a new client secret**
4. Copy to `.env`:
```bash
GITHUB_CLIENT_SECRET=NEW_SECRET_HERE
```
---
## 💳 Stripe Credentials Rotation
### 1. Secret Key
**Why:** Full payment processing access - HIGHEST RISK
1. Go to [Stripe Dashboard](https://dashboard.stripe.com/apikeys)
2. Click **Reveal test key** or **Reveal live key**
3. Click **Roll secret key**
4. Confirm the rollover
5. Copy new key to `.env`:
```bash
STRIPE_SECRET_KEY=NEW_KEY_HERE
```
6. **Deploy immediately** - old key has grace period
**⚠️ Important:**
- Old key works for 24-48 hours (grace period)
- Deploy new key ASAP to avoid disruption
- Test payments after deployment
### 2. Webhook Secret
**Why:** Validates webhook authenticity
1. Go to **Developers****Webhooks**
2. Click your webhook endpoint
3. Click **Roll secret**
4. Copy new secret to `.env`:
```bash
STRIPE_WEBHOOK_SECRET=NEW_SECRET_HERE
```
5. Restart your application
**Note:** Old webhooks will fail signature validation immediately.
---
## 🔐 Supabase Credentials (If Needed)
### Anon Key
**Lower risk** - designed to be public, but rotation doesn't hurt
1. Go to [Supabase Dashboard](https://supabase.com/dashboard/project/_/settings/api)
2. Navigate to **Settings****API**
3. Click **Generate new anon key** (if available)
4. Update `.env`:
```bash
SUPABASE_ANON_KEY=NEW_KEY_HERE
VITE_SUPABASE_ANON_KEY=NEW_KEY_HERE
```
### Service Role Key
**CRITICAL** - full database access
1. In Supabase Dashboard, go to **Settings****API**
2. Click **Rotate service_role key**
3. Update server-side env (never expose to client)
4. Restart all server instances
---
## ✅ Post-Rotation Checklist
After rotating credentials:
### 1. Environment Variables
- [ ] Updated `.env` file with all new credentials
- [ ] Verified no typos in new keys
- [ ] Confirmed `.env` is in `.gitignore`
- [ ] Deleted old `.env` backups
### 2. Application Deployment
- [ ] Restarted local development server
- [ ] Tested OAuth flows with new credentials
- [ ] Verified webhook signatures validate
- [ ] Tested API calls work correctly
### 3. Production Deployment (When Ready)
- [ ] Updated production environment variables
- [ ] Deployed application with zero downtime
- [ ] Monitored logs for authentication errors
- [ ] Verified no legacy credential usage
### 4. Documentation
- [ ] Updated internal team docs with new setup
- [ ] Documented rotation date in security log
- [ ] Set calendar reminder for next rotation (90 days)
### 5. Access Control
- [ ] Removed compromised credentials from all locations:
- [ ] Chat logs (can't delete, but rotate makes them useless)
- [ ] Clipboard history
- [ ] Shell history (`history -c`)
- [ ] Git reflog (if accidentally committed)
---
## 🗓️ Rotation Schedule
### Recommended Rotation Frequency
| Credential | Frequency | Priority |
|------------|-----------|----------|
| Stripe Secret Key | Every 90 days | 🔴 Critical |
| Bot Tokens | Every 90 days | 🔴 Critical |
| Personal Access Tokens | Every 90 days | 🟡 High |
| OAuth Client Secrets | Every 180 days | 🟡 High |
| API Keys | Every 180 days | 🟡 High |
| Webhook Secrets | Every 180 days | 🟢 Medium |
| Public Keys | Annually | 🟢 Medium |
### Set Reminders
```bash
# Add to calendar or use cron job:
0 0 1 */3 * * echo "Rotate Stripe/Discord credentials" | mail admin@aethex.app
```
---
## 🚨 Git History Cleanup (If Committed)
**If credentials were accidentally committed to git:**
### Option 1: BFG Repo-Cleaner (Recommended)
```bash
# Install BFG
brew install bfg # or download from https://rtyley.github.io/bfg-repo-cleaner/
# Clone a fresh copy
git clone --mirror https://github.com/AeThex-Corporation/AeThex-OS.git
# Remove .env files from history
bfg --delete-files .env AeThex-OS.git
# Clean up
cd AeThex-OS.git
git reflog expire --expire=now --all
git gc --prune=now --aggressive
# Force push (⚠️ DESTRUCTIVE)
git push --force
```
### Option 2: git-filter-repo
```bash
# Install git-filter-repo
pip install git-filter-repo
# Remove .env from history
git filter-repo --path .env --invert-paths
# Force push
git push origin --force --all
```
**⚠️ Warning:** Force pushing rewrites history. Coordinate with team!
---
## 📞 Emergency Contacts
If credentials are actively being abused:
### Discord
- **Report abuse:** https://dis.gd/report
- **Developer support:** https://discord.com/developers/docs
### Stripe
- **Emergency contact:** https://support.stripe.com/
- **Phone support:** Available for paid plans
### GitHub
- **Security incidents:** security@github.com
- **Support:** https://support.github.com/
### Roblox
- **Security:** security@roblox.com
- **Support:** https://www.roblox.com/support
---
## 🧪 Testing After Rotation
Run these commands to verify new credentials work:
```bash
# Test Discord OAuth
curl "https://discord.com/api/oauth2/authorize?client_id=${DISCORD_CLIENT_ID}&redirect_uri=http://localhost:5000/api/oauth/callback/discord&response_type=code&scope=identify"
# Test Stripe API
curl https://api.stripe.com/v1/balance \
-u ${STRIPE_SECRET_KEY}:
# Test GitHub API
curl -H "Authorization: token ${GITHUB_PERSONAL_ACCESS_TOKEN}" \
https://api.github.com/user
# Test Roblox Open Cloud
curl -H "x-api-key: ${ROBLOX_OPEN_CLOUD_API_KEY}" \
https://apis.roblox.com/cloud/v2/users/${USER_ID}
```
---
## 📝 Security Best Practices
### Prevention
1. **Never commit credentials** - Use `.env` and add to `.gitignore`
2. **Use environment-specific credentials** - Separate dev/staging/prod
3. **Rotate proactively** - Don't wait for incidents
4. **Monitor usage** - Watch API logs for suspicious activity
5. **Least privilege** - Grant minimum permissions needed
### Detection
1. **Enable webhook alerts** - Get notified of unusual API usage
2. **Monitor git commits** - Use pre-commit hooks to scan for secrets
3. **Audit logs** - Review provider dashboards regularly
4. **Automated scanning** - Use tools like `git-secrets` or `trufflehog`
### Response
1. **Have this document ready** - Don't scramble during incidents
2. **Test rotation process** - Practice on dev environment first
3. **Document incidents** - Learn from mistakes
4. **Automate where possible** - Use secret management tools
---
**Last Updated:** December 24, 2025
**Next Review:** March 24, 2026
Reference in a new issue View git blame Copy permalink