# Deployment Instructions After Security Fixes

## ⚠️ IMPORTANT: Required Actions Before Next Deployment

The security fixes applied on November 12, 2025 **require configuration changes** before the application will start successfully.

---

## 🚨 Breaking Changes

The following environment variables are now **REQUIRED** and have no fallback defaults:

- `JWT_SECRET_KEY`
- `SILVERPAY_API_KEY`
- `SILVERPAY_WEBHOOK_SECRET`
- `SILVERPAY_URL`
- `SILVERPAY_WEBHOOK_URL`
- `WEBPUSH_VAPID_PUBLIC_KEY`
- `WEBPUSH_VAPID_PRIVATE_KEY`
- `WEBPUSH_SUBJECT`
- `TELEBOT_API_URL`
- `TELEBOT_API_KEY`

**The application will FAIL TO START if these are not configured.**

---

## 📋 Quick Start Guide

### Step 1: Retrieve Current Production Secrets

**IMPORTANT**: The values below are the secrets the application used before the fix, when they were hardcoded in the source. They are listed so you know which credentials the running system and SilverPay currently expect; because they shipped in source code they must be treated as compromised:

```bash
# These were the old hardcoded values (FOR REFERENCE ONLY - ROTATE THESE!)
# JWT_SECRET_KEY (old): 7ndUULT7XWE78uxfZ9xO4t6/JhXRzCQ23wCN/R1foDPpb0dv06qe4TuGsRLLV5q+
# SILVERPAY_API_KEY (old): 7703aa7a62fa4b40a87e9cfd867f5407147515c0986116ea54fc00c0a0bc30d8
# SILVERPAY_WEBHOOK_SECRET (old): 04126be1b2ca9a586aaf25670c0ddb7a9afa106158074605a1016a2889655c20
```

**⚠️ RECOMMENDATION**: Generate NEW secrets for production instead of reusing these exposed values! Two consequences to plan for: a new `JWT_SECRET_KEY` invalidates every token issued under the old key, so all users (admins included) will have to log in again; and the webhook secret is shared with SilverPay, so the new value has to be configured on the SilverPay side as well or webhook signature validation will fail after the deployment.
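Before bringing the stack up, it is worth confirming that the new `.env` is complete without ever printing its contents to the terminal. The script below is an added example, not part of the LittleShop project: the function names `check_env`, `gen_secret` and `env_value` are chosen here, the list of required variables and the three exposed values come from this document, and the 32-character minimum on `JWT_SECRET_KEY` assumes the tokens are HMAC-signed (as a 256-bit key is the floor for HS256). It reports only variable names, so its output is safe to paste into a ticket.

```bash
#!/bin/sh
# check_env.sh - pre-deployment check for /opt/littleshop/.env.
# Added example, not part of the LittleShop project. Verifies that every
# variable listed under "Breaking Changes" is set and non-empty, rejects the
# exposed pre-fix values from Step 1, and never prints a secret value.

REQUIRED_VARS="JWT_SECRET_KEY SILVERPAY_API_KEY SILVERPAY_WEBHOOK_SECRET \
SILVERPAY_URL SILVERPAY_WEBHOOK_URL WEBPUSH_VAPID_PUBLIC_KEY \
WEBPUSH_VAPID_PRIVATE_KEY WEBPUSH_SUBJECT TELEBOT_API_URL TELEBOT_API_KEY"

# The three hardcoded values from Step 1; a .env still carrying any of them fails.
EXPOSED_VALUES="7ndUULT7XWE78uxfZ9xO4t6/JhXRzCQ23wCN/R1foDPpb0dv06qe4TuGsRLLV5q+ \
7703aa7a62fa4b40a87e9cfd867f5407147515c0986116ea54fc00c0a0bc30d8 \
04126be1b2ca9a586aaf25670c0ddb7a9afa106158074605a1016a2889655c20"

# gen_secret [BYTES]: print BYTES (default 32) bytes from /dev/urandom as hex,
# i.e. 64 hex characters by default, the same shape as `openssl rand -hex 32`.
gen_secret() {
    head -c "${1:-32}" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# env_value FILE NAME: print NAME's value from FILE (last definition wins,
# surrounding double quotes stripped); prints nothing if NAME is absent.
env_value() {
    grep -E "^$2=" "$1" 2>/dev/null | tail -n 1 | cut -d= -f2- | sed -e 's/^"//' -e 's/"$//'
}

# check_env FILE: report problems by variable NAME only; return 1 on any failure.
check_env() {
    file=$1
    status=0
    if [ ! -f "$file" ]; then
        echo "FAIL: $file does not exist"
        return 1
    fi
    for name in $REQUIRED_VARS; do
        value=$(env_value "$file" "$name")
        if [ -z "$value" ]; then
            echo "FAIL: $name is missing or empty"
            status=1
            continue
        fi
        for old in $EXPOSED_VALUES; do
            if [ "$value" = "$old" ]; then
                echo "FAIL: $name still uses an exposed pre-fix value; generate a new one"
                status=1
            fi
        done
    done
    # Assumption: JWTs are HMAC-signed, so the key should be at least 32 bytes.
    jwt=$(env_value "$file" JWT_SECRET_KEY)
    if [ -n "$jwt" ] && [ "${#jwt}" -lt 32 ]; then
        echo "FAIL: JWT_SECRET_KEY is shorter than 32 characters"
        status=1
    fi
    case $(env_value "$file" SILVERPAY_WEBHOOK_URL) in
        https://*|"") ;;
        *) echo "WARN: SILVERPAY_WEBHOOK_URL is not https; webhook payloads would be readable in transit" ;;
    esac
    [ "$status" -eq 0 ] && echo "OK: all required variables are set"
    return $status
}

# Usage: sh check_env.sh /opt/littleshop/.env   (exit code 0 means safe to deploy)
if [ "$#" -eq 1 ]; then
    check_env "$1"
fi
```

Run it on the server right before `docker-compose up -d`; a non-zero exit code means the container would either fail to start or come up on a compromised secret. `gen_secret` is a drop-in for the `openssl rand -hex 32` call in Step 2 on hosts without OpenSSL.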
### Step 2: Generate New Production Secrets

```bash
# Generate new JWT secret (64 characters; 48 random bytes base64-encode to exactly 64, so the cut is only a guard)
openssl rand -base64 48 | cut -c1-64

# Generate new webhook secret (64 hex characters)
openssl rand -hex 32

# Generate VAPID keys for WebPush
cd VapidKeyGenerator
dotnet run
```

Generate these on a trusted machine and move the output straight into the secret store or `.env`; do not leave generated values in shell history, chat messages, or tickets.

### Step 3: Update Production Environment

**Option A: Docker Compose (Recommended)**

Create `/opt/littleshop/.env`:

```bash
# Copy from template
cp .env.example .env

# Edit with production values
nano .env
```

Add these values to `.env`:

```bash
# JWT Configuration
JWT_SECRET_KEY=

# SilverPay Configuration
SILVERPAY_URL=http://31.97.57.205:8001
SILVERPAY_API_KEY=
SILVERPAY_WEBHOOK_SECRET=
SILVERPAY_WEBHOOK_URL=https://admin.dark.side/api/orders/payments/webhook

# WebPush Configuration
WEBPUSH_VAPID_PUBLIC_KEY=
WEBPUSH_VAPID_PRIVATE_KEY=
WEBPUSH_SUBJECT=mailto:admin@silverlabs.uk

# TeleBot Configuration
TELEBOT_API_URL=http://telebot-service:5010
TELEBOT_API_KEY=
```

Restrict the file to the deploying user (`chmod 600 .env`); it now holds every credential the service has. Note also that `SILVERPAY_URL` and `TELEBOT_API_URL` are plain `http://`, so the API keys sent on those calls travel unencrypted; keep that traffic on a private network or move it to TLS.

**Option B: GitLab CI/CD Variables**

Add these variables in GitLab → Settings → CI/CD → Variables:

- `JWT_SECRET_KEY` (Type: Variable, Protected: Yes, Masked: Yes)
- `SILVERPAY_API_KEY` (Type: Variable, Protected: Yes, Masked: Yes)
- `SILVERPAY_WEBHOOK_SECRET` (Type: Variable, Protected: Yes, Masked: Yes)
- `SILVERPAY_URL` (Type: Variable, Protected: No)
- `SILVERPAY_WEBHOOK_URL` (Type: Variable, Protected: No)
- `WEBPUSH_VAPID_PUBLIC_KEY` (Type: Variable, Protected: No)
- `WEBPUSH_VAPID_PRIVATE_KEY` (Type: Variable, Protected: Yes, Masked: Yes)
- `WEBPUSH_SUBJECT` (Type: Variable, Protected: No)
- `TELEBOT_API_URL` (Type: Variable, Protected: No)
- `TELEBOT_API_KEY` (Type: Variable, Protected: Yes, Masked: Yes)

### Step 4: Deploy

```bash
# SSH to production server
ssh -i ~/.ssh/littleshop_deploy_key -p 2255 sysadmin@srv1002428.hstgr.cloud

# Navigate to project
cd /opt/littleshop

# Pull latest changes
git pull origin development

# Verify .env exists and lists the variable names that are set
# (names only; do not `cat` the file, that prints every secret to the terminal)
cut -d= -f1 .env

# Deploy
docker-compose down
docker-compose up -d

# Check logs
docker logs littleshop --tail 100
```

### Step 5: Verify Deployment

```bash
# Test health endpoint
curl http://localhost:5100/health

# Test version endpoint
curl http://localhost:5100/api/version

# Test catalog (should return products)
curl http://localhost:5100/api/catalog/products

# Check if application started without errors
docker logs littleshop 2>&1 | grep -i "error\|fatal\|exception"
```

---

## 🔧 Troubleshooting

### Application fails to start with "JWT:Key configuration is missing"

**Cause**: `JWT_SECRET_KEY` environment variable not set

**Solution**:

```bash
# Check that .env exists and defines the key (prints "1" if set, without showing the value)
grep -c '^JWT_SECRET_KEY=.' /opt/littleshop/.env

# Or set it manually for this session (only reaches the container if docker-compose.yml
# references ${JWT_SECRET_KEY}, and it is lost when the SSH session ends, so prefer .env):
export JWT_SECRET_KEY="your-secret-here"

# Recreate the container; `docker-compose restart` does NOT re-read .env or changed environment
docker-compose up -d
```

### Application fails with "SilverPay base URL not configured"

**Cause**: `SILVERPAY_URL` not set

**Solution**:

```bash
# Add to .env file
echo "SILVERPAY_URL=http://31.97.57.205:8001" >> .env

# Recreate the container (a plain restart keeps the old environment)
docker-compose up -d
```

### WebPush notifications fail

**Cause**: VAPID keys not configured

**Solution**:

```bash
# Generate new keys
cd VapidKeyGenerator
dotnet run

# Copy public and private keys to .env, then recreate the container
nano /opt/littleshop/.env
docker-compose up -d
```

---

## 🔄 Rollback Instructions

If deployment fails and you need to roll back:

```bash
# Option 1: Use old secrets temporarily (NOT RECOMMENDED - already exposed)
export JWT_SECRET_KEY="7ndUULT7XWE78uxfZ9xO4t6/JhXRzCQ23wCN/R1foDPpb0dv06qe4TuGsRLLV5q+"
export SILVERPAY_API_KEY="7703aa7a62fa4b40a87e9cfd867f5407147515c0986116ea54fc00c0a0bc30d8"
export SILVERPAY_WEBHOOK_SECRET="04126be1b2ca9a586aaf25670c0ddb7a9afa106158074605a1016a2889655c20"

# Option 2: Roll back to the previous git commit (RECOMMENDED over Option 1)
git revert HEAD
docker-compose down
docker-compose up -d
```

Both options put the application back on the exposed pre-fix secrets: Option 2 reverts the commit that removed the hardcoded values, so they are built into the application again. Treat either as a stopgap, re-apply the fix as soon as the configuration problem is solved, and rotate the old values regardless. `git revert HEAD` also assumes the security fix is the most recent commit on the branch; confirm that in `git log` before reverting.

---

## ✅ Post-Deployment Checklist

After successful deployment:

- [ ] Application starts without errors
- [ ] Health check passes: `curl http://localhost:5100/health`
- [ ] Can access admin panel: `https://admin.dark.side`
- [ ] Can log in
with admin credentials
- [ ] Products are visible in catalog
- [ ] Can create test order via TeleBot
- [ ] SilverPAY payment creation works
- [ ] Webhook signature validation passes
- [ ] Push notifications work (if enabled)
- [ ] No secrets visible in logs

---

## 🔐 Security Reminders

1. **Never** commit the `.env` file to Git
2. **Rotate** the old exposed secrets as soon as possible; removing them from the code does not revoke them, and the SilverPay API key and webhook secret also have to be replaced on the SilverPay side
3. **Store** new secrets in a password manager/vault
4. **Monitor** logs for authentication failures
5. **Audit** access logs regularly

---

## 📞 Support

If you encounter issues:

1. Check application logs: `docker logs littleshop --tail 200`
2. Verify which variables reach the container (names only, so values are never shown): `docker exec littleshop env | grep -E "JWT|SILVERPAY|WEBPUSH|TELEBOT" | cut -d= -f1`
3. Contact the DevOps team with the error messages (paste log excerpts, never `.env` contents)

---

**Document Version**: 1.0

**Last Updated**: November 12, 2025

**Related**: SECURITY_FIXES_2025-11-12.md
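The checklist item "No secrets visible in logs" is easy to tick by eye and easy to get wrong; a base64 JWT key or a hex API key does not stand out in a scrolling log. The script below is an added example, not part of the LittleShop project: it takes each secret value from `.env`, searches a saved copy of the container log for it as a literal string, and reports only the variable name of anything that leaked, so its own output never repeats the secret. The function names and the sample `.env` and log lines are constructed for the example (the log format imitates ASP.NET Core console output but is not real LittleShop output).

```bash
#!/bin/sh
# scan_logs.sh - post-deployment check for the "No secrets visible in logs" item.
# Added example, not part of the LittleShop project. Takes the secret values
# from .env and searches a saved copy of `docker logs` for each one as a
# literal string, reporting only the variable NAME of anything that leaked.

SECRET_VARS="JWT_SECRET_KEY SILVERPAY_API_KEY SILVERPAY_WEBHOOK_SECRET \
WEBPUSH_VAPID_PRIVATE_KEY TELEBOT_API_KEY"

# env_value FILE NAME: value of NAME in FILE (last definition wins, quotes stripped).
env_value() {
    grep -E "^$2=" "$1" 2>/dev/null | tail -n 1 | cut -d= -f2- | sed -e 's/^"//' -e 's/"$//'
}

# scan_logs ENVFILE LOGFILE: return 1 if any secret value occurs in LOGFILE.
scan_logs() {
    envfile=$1
    logfile=$2
    leaked=0
    if [ ! -f "$envfile" ] || [ ! -f "$logfile" ]; then
        echo "FAIL: need an existing .env and log file"
        return 1
    fi
    for name in $SECRET_VARS; do
        value=$(env_value "$envfile" "$name")
        [ -z "$value" ] && continue
        # -F: the secret is a literal, not a regex (base64 keys contain '+' and '/').
        n=$(grep -cF -- "$value" "$logfile" || true)
        if [ "$n" -gt 0 ]; then
            echo "LEAK: value of $name appears on $n log line(s)"
            leaked=1
        fi
    done
    [ "$leaked" -eq 0 ] && echo "OK: no configured secret value found in the log"
    return $leaked
}

# Constructed sample .env and log (not real LittleShop output): a debug line has
# echoed the TeleBot API key, which the scan must catch.
sample_env() {
    cat <<'EOF'
JWT_SECRET_KEY=sample-jwt-key-0123456789abcdef0123456789abcdef
SILVERPAY_API_KEY=sample-silverpay-api-key
SILVERPAY_WEBHOOK_SECRET=sample-webhook-secret
WEBPUSH_VAPID_PRIVATE_KEY=sample-vapid-private-key
TELEBOT_API_KEY=tb_sample_0123456789abcdef
EOF
}

sample_log() {
    cat <<'EOF'
info: Microsoft.Hosting.Lifetime[14] Now listening on: http://[::]:5100
dbug: TeleBotClient[0] Connecting to http://telebot-service:5010 with key tb_sample_0123456789abcdef
warn: SilverPayWebhook[0] Signature mismatch for order 1042
EOF
}

# demo_scan: run the scanner over the constructed sample; returns 1 (leak found).
demo_scan() {
    d=$(mktemp -d)
    sample_env > "$d/.env"
    sample_log > "$d/app.log"
    scan_logs "$d/.env" "$d/app.log"
    rc=$?
    rm -rf "$d"
    return $rc
}

# Usage: docker logs littleshop --tail 500 > /tmp/ls.log 2>&1
#        sh scan_logs.sh /opt/littleshop/.env /tmp/ls.log; rm -f /tmp/ls.log
if [ "$#" -eq 2 ]; then
    scan_logs "$1" "$2"
fi
```

A hit means the value is already on disk in the container's log driver and in any log shipper downstream, so rotate that secret again after fixing the logging statement; delete the saved log copy once the scan is done.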