littleshop/DEPLOYMENT_AFTER_SECURITY_FIXES.md
sysadmin a07a3a54ea Fix SilverPay payment integration JSON serialization
- Changed JSON naming policy from CamelCase to SnakeCaseLower for SilverPay API compatibility
- Fixed field name from 'fiat_amount' to 'amount' in request body
- Used unique payment ID instead of order ID to avoid duplicate external_id conflicts
- Modified SilverPayApiResponse to handle string amounts from API
- Added [JsonIgnore] attributes to computed properties to prevent JSON serialization conflicts
- Fixed test compilation errors (mock service and enum casting issues)
- Updated SilverPay endpoint to http://10.0.0.52:8001/

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-13 14:12:35 +00:00


# Deployment Instructions After Security Fixes
## ⚠️ IMPORTANT: Required Actions Before Next Deployment
The security fixes applied on November 12, 2025 **require configuration changes** before the application will start successfully.
---
## 🚨 Breaking Changes
The following environment variables are now **REQUIRED** and have no fallback defaults:
- `JWT_SECRET_KEY`
- `SILVERPAY_API_KEY`
- `SILVERPAY_WEBHOOK_SECRET`
- `SILVERPAY_URL`
- `SILVERPAY_WEBHOOK_URL`
- `WEBPUSH_VAPID_PUBLIC_KEY`
- `WEBPUSH_VAPID_PRIVATE_KEY`
- `WEBPUSH_SUBJECT`
- `TELEBOT_API_URL`
- `TELEBOT_API_KEY`
**The application will FAIL TO START if these are not configured.**
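Because the application now refuses to start without these variables, the cheapest place to catch a gap is before `docker-compose up -d` runs, not in the container logs afterwards. The following pre-flight script is an added example, not code from the littleshop repository: it reads a dotenv file, reports every required key that is absent, empty, or still an unfilled `<placeholder>` copied from `.env.example`, and exits non-zero so a deploy script can stop. The key list is the one above; the file path is whatever you pass in, and no value is ever printed.

```shell
#!/bin/sh
# Added example, not code from the littleshop repository: a pre-flight check
# that refuses to continue while any REQUIRED variable is missing, empty, or
# still an unfilled `<placeholder>` from .env.example. The key list is the one
# from this document; the file path is whatever you pass in.

REQUIRED_VARS="JWT_SECRET_KEY SILVERPAY_API_KEY SILVERPAY_WEBHOOK_SECRET \
SILVERPAY_URL SILVERPAY_WEBHOOK_URL WEBPUSH_VAPID_PUBLIC_KEY \
WEBPUSH_VAPID_PRIVATE_KEY WEBPUSH_SUBJECT TELEBOT_API_URL TELEBOT_API_KEY"

# env_value FILE KEY: print the value assigned to KEY in a dotenv file.
# Commented-out lines do not count, the last assignment wins, and one layer
# of surrounding quotes is stripped. Nothing here prints values to the terminal.
env_value() {
    grep -E "^[[:space:]]*$2=" "$1" 2>/dev/null | tail -n 1 | cut -d= -f2- |
        sed -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# missing_vars FILE: print the names of required keys that are absent, empty,
# or still a `<placeholder>`; return 1 if any, 0 if the file is complete.
missing_vars() {
    rc=0
    for key in $REQUIRED_VARS; do
        val=$(env_value "$1" "$key")
        case "$val" in
            ""|"<"*">") printf '%s\n' "$key"; rc=1 ;;
        esac
    done
    return $rc
}

# preflight FILE: human-readable wrapper for a deploy script. Prints only key
# names, never values, so its output is safe in a CI log.
preflight() {
    if [ ! -f "$1" ]; then
        echo "preflight: $1 not found" >&2
        return 1
    fi
    if missing=$(missing_vars "$1"); then
        echo "preflight: all required variables set in $1"
        return 0
    fi
    echo "preflight: refusing to deploy, unset or placeholder variables in $1:" >&2
    printf '  %s\n' $missing >&2
    return 1
}

# Usage in a deploy script (path is the one this document uses):
#   preflight /opt/littleshop/.env || exit 1
#   docker-compose up -d
```

Treating `<placeholder>` values as missing matters because `cp .env.example .env` produces a file in which every key is present but nothing is set; a check that only tests for the key's existence would pass it.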
---
## 📋 Quick Start Guide
### Step 1: Retrieve Current Production Secrets
**IMPORTANT**: Before deploying, you need to retrieve the secrets that were previously hardcoded:
```bash
# These were the old hardcoded values (FOR REFERENCE ONLY - ROTATE THESE!)
# JWT_SECRET_KEY (old): 7ndUULT7XWE78uxfZ9xO4t6/JhXRzCQ23wCN/R1foDPpb0dv06qe4TuGsRLLV5q+
# SILVERPAY_API_KEY (old): 7703aa7a62fa4b40a87e9cfd867f5407147515c0986116ea54fc00c0a0bc30d8
# SILVERPAY_WEBHOOK_SECRET (old): 04126be1b2ca9a586aaf25670c0ddb7a9afa106158074605a1016a2889655c20
```
**⚠️ REQUIRED**: Treat the three values above as compromised. They were committed to the repository and are reproduced in this document, so anyone with read access to either already has them. Generate new secrets for production rather than reusing them; the old values are listed only so you can recognise them in existing configs and logs.
### Step 2: Generate New Production Secrets
```bash
# Generate new JWT secret (48 random bytes = 64 base64 characters, so no trimming is needed)
openssl rand -base64 48
# Generate new webhook secret and TeleBot API key (32 random bytes = 64 hex characters; run once per secret)
openssl rand -hex 32
# Generate VAPID keys for WebPush
cd VapidKeyGenerator
dotnet run
```
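The manual commands above leave two things to the operator: keeping the generated values out of the terminal scrollback, and making sure the `.env` they land in is not world-readable. The script below is an added example, not code from the littleshop project: it generates the same shapes of secret (64 base64 characters for the JWT key, 64 hex characters for the webhook secret and TeleBot key) from `/dev/urandom` via `od` and `base64`, so it also runs on a host without `openssl`, and writes them straight into a new `.env` created with mode 0600. The VAPID keys still come from the `VapidKeyGenerator` project, and the non-secret settings are left as `<placeholders>` for you to fill in.

```shell
#!/bin/sh
# Added example, not code from the littleshop project: generate the secrets
# Step 2 asks for and write them into a fresh .env that only its owner can
# read. Uses /dev/urandom through coreutils (od, base64) so it also works on a
# host without openssl; the VAPID keys still come from the VapidKeyGenerator
# project and the non-secret settings are left as <placeholders> to fill in.

# 48 random bytes, base64: exactly 64 characters (48 is a multiple of 3, so no
# '=' padding), the same shape as `openssl rand -base64 48`.
gen_jwt_secret() {
    head -c 48 /dev/urandom | base64 | tr -d '\n'
}

# 32 random bytes as 64 lowercase hex characters, like `openssl rand -hex 32`.
gen_hex_secret() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# write_env_file OUT: create OUT with freshly generated secrets. Refuses to
# overwrite an existing file so a live .env is not clobbered by a re-run.
write_env_file() {
    out="$1"
    if [ -e "$out" ]; then
        echo "write_env_file: $out already exists, refusing to overwrite" >&2
        return 1
    fi
    jwt=$(gen_jwt_secret)
    webhook=$(gen_hex_secret)
    telebot=$(gen_hex_secret)
    # umask in a subshell: the file is created 0600 from the start (no window
    # where it is world-readable) and the caller's umask is left alone.
    (
        umask 077
        cat > "$out" <<EOF
# JWT Configuration
JWT_SECRET_KEY=$jwt
# SilverPay Configuration
SILVERPAY_URL=<silverpay-base-url>
SILVERPAY_API_KEY=<get-from-silverpay-admin-panel>
SILVERPAY_WEBHOOK_SECRET=$webhook
SILVERPAY_WEBHOOK_URL=<public-webhook-url>
# WebPush Configuration (paste the VapidKeyGenerator output)
WEBPUSH_VAPID_PUBLIC_KEY=<vapid-public-key>
WEBPUSH_VAPID_PRIVATE_KEY=<vapid-private-key>
WEBPUSH_SUBJECT=<mailto:address>
# TeleBot Configuration
TELEBOT_API_URL=<telebot-url>
TELEBOT_API_KEY=$telebot
EOF
    )
}

# Usage (path is the one this document uses):
#   write_env_file /opt/littleshop/.env && ls -l /opt/littleshop/.env
```

Setting the umask inside a subshell, rather than creating the file and running `chmod 600` afterwards, avoids the short window in which the file exists with the default 0644 permissions and its contents are readable by every local account.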
### Step 3: Update Production Environment
**Option A: Docker Compose (Recommended)**
Create `/opt/littleshop/.env` (readable only by the deploy user, since it holds the production credentials):
```bash
# Copy from template
cp .env.example .env
# Edit with production values
nano .env
```
Add these values to `.env`:
```bash
# JWT Configuration
JWT_SECRET_KEY=<your-new-64-char-secret>
# SilverPay Configuration
SILVERPAY_URL=http://31.97.57.205:8001
SILVERPAY_API_KEY=<get-from-silverpay-admin-panel>
SILVERPAY_WEBHOOK_SECRET=<your-new-webhook-secret>
SILVERPAY_WEBHOOK_URL=https://admin.dark.side/api/orders/payments/webhook
# WebPush Configuration
WEBPUSH_VAPID_PUBLIC_KEY=<your-vapid-public-key>
WEBPUSH_VAPID_PRIVATE_KEY=<your-vapid-private-key>
WEBPUSH_SUBJECT=mailto:admin@silverlabs.uk
# TeleBot Configuration
TELEBOT_API_URL=http://telebot-service:5010
TELEBOT_API_KEY=<your-random-secure-key>
```
**Option B: GitLab CI/CD Variables**
Add these variables in GitLab → Settings → CI/CD → Variables. A *Protected* variable is only exposed to pipelines running on protected branches and tags, so the branch you deploy from (`development` in Step 4) must itself be protected or these variables will be empty at deploy time. *Masked* hides the value in job logs, but only for values that meet GitLab's masking rules (a single line of at least 8 characters from the base64-style character set), which the secrets generated in Step 2 satisfy.
- `JWT_SECRET_KEY` (Type: Variable, Protected: Yes, Masked: Yes)
- `SILVERPAY_API_KEY` (Type: Variable, Protected: Yes, Masked: Yes)
- `SILVERPAY_WEBHOOK_SECRET` (Type: Variable, Protected: Yes, Masked: Yes)
- `SILVERPAY_URL` (Type: Variable, Protected: No)
- `SILVERPAY_WEBHOOK_URL` (Type: Variable, Protected: No)
- `WEBPUSH_VAPID_PUBLIC_KEY` (Type: Variable, Protected: No)
- `WEBPUSH_VAPID_PRIVATE_KEY` (Type: Variable, Protected: Yes, Masked: Yes)
- `WEBPUSH_SUBJECT` (Type: Variable, Protected: No)
- `TELEBOT_API_URL` (Type: Variable, Protected: No)
- `TELEBOT_API_KEY` (Type: Variable, Protected: Yes, Masked: Yes)
### Step 4: Deploy
```bash
# SSH to production server
ssh -i ~/.ssh/littleshop_deploy_key -p 2255 sysadmin@srv1002428.hstgr.cloud
# Navigate to project
cd /opt/littleshop
# Pull latest changes
git pull origin development
# Verify .env exists and lists every required key (names only; do not cat the file, that copies every secret into your terminal scrollback)
grep -oE '^[A-Z_]+=' .env
# Deploy
docker-compose down
docker-compose up -d
# Check logs
docker logs littleshop --tail 100
```
### Step 5: Verify Deployment
```bash
# Test health endpoint
curl http://localhost:5100/health
# Test version endpoint
curl http://localhost:5100/api/version
# Test catalog (should return products)
curl http://localhost:5100/api/catalog/products
# Check if application started without errors
docker logs littleshop 2>&1 | grep -i "error\|fatal\|exception"
```
---
## 🔧 Troubleshooting
### Application fails to start with "JWT:Key configuration is missing"
**Cause**: `JWT_SECRET_KEY` environment variable not set
**Solution**:
```bash
# Check the key is present in /opt/littleshop/.env (name only, never print the value)
grep -c '^JWT_SECRET_KEY=' /opt/littleshop/.env
# Add it to .env if missing, then recreate the container: `docker-compose restart`
# reuses the container's old environment, only `up -d` re-reads .env.
# Exporting it in the shell instead only works if docker-compose.yml
# interpolates the variable, and leaves the secret in your shell history.
export JWT_SECRET_KEY="your-secret-here"
docker-compose up -d
```
### Application fails with "SilverPay base URL not configured"
**Cause**: `SILVERPAY_URL` not set
**Solution**:
```bash
# Add to .env, then recreate the container (`docker-compose restart` would not pick up the new variable)
echo "SILVERPAY_URL=http://31.97.57.205:8001" >> .env
docker-compose up -d
```
### WebPush notifications fail
**Cause**: VAPID keys not configured. Note that generating a new key pair invalidates every existing push subscription, because browsers subscribe against the application server's public key; clients will have to re-subscribe.
**Solution**:
```bash
# Generate new keys
cd VapidKeyGenerator
dotnet run
# Copy public and private keys to .env, then recreate the container so they are read
nano /opt/littleshop/.env
docker-compose up -d
```
---
## 🔄 Rollback Instructions
If deployment fails and you need to rollback:
```bash
# Option 1: Use old secrets temporarily (NOT RECOMMENDED - already exposed; at most a short-lived bridge, and rotate again as soon as the deployment is stable)
export JWT_SECRET_KEY="7ndUULT7XWE78uxfZ9xO4t6/JhXRzCQ23wCN/R1foDPpb0dv06qe4TuGsRLLV5q+"
export SILVERPAY_API_KEY="7703aa7a62fa4b40a87e9cfd867f5407147515c0986116ea54fc00c0a0bc30d8"
export SILVERPAY_WEBHOOK_SECRET="04126be1b2ca9a586aaf25670c0ddb7a9afa106158074605a1016a2889655c20"
# Option 2: Rollback to previous git commit (RECOMMENDED). This assumes the security
# fix is the single commit at HEAD; reverting it reinstates the hardcoded fallback
# secrets in the build, so treat the rolled-back deployment as temporary as well
git revert HEAD
docker-compose down
docker-compose up -d
```
---
## ✅ Post-Deployment Checklist
After successful deployment:
- [ ] Application starts without errors
- [ ] Health check passes: `curl http://localhost:5100/health`
- [ ] Can access admin panel: `https://admin.dark.side`
- [ ] Can log in with admin credentials
- [ ] Products are visible in catalog
- [ ] Can create test order via TeleBot
- [ ] SilverPAY payment creation works
- [ ] Webhook signature validation passes
- [ ] Push notifications work (if enabled)
- [ ] No secrets visible in logs
---
## 🔐 Security Reminders
1. **Never** commit `.env` to Git (check that it is listed in `.gitignore`)
2. **Rotate** the old exposed secrets as soon as possible. Rotating `JWT_SECRET_KEY` invalidates every token signed with the old key, so all users are logged out; `SILVERPAY_WEBHOOK_SECRET` is what webhook signature validation checks against, so it must also be updated wherever SilverPay is configured to sign webhooks with it, or validation will fail after the change
3. **Store** new secrets in a password manager/vault, never in this document, tickets or chat
4. **Monitor** logs for authentication failures (rejected tokens, failed webhook signatures, failed admin logins)
5. **Audit** access logs regularly
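Two of the items above (the "No secrets visible in logs" checklist entry and "Monitor logs for authentication failures") can be checked mechanically rather than by eyeballing `docker logs`. The script below is an added example, not code from the littleshop project: `secret_hits` reads the secret-bearing values from `.env` and counts log lines that contain any of them literally, printing only key names and counts so the check itself cannot leak; `auth_failures` counts lines that look like rejected authentication. It works on a saved log file (for example `docker logs littleshop > /tmp/app.log 2>&1`); the log format and the failure patterns are assumptions about a generic ASP.NET-style log, and the sample lines in `demo` are constructed.

```shell
#!/bin/sh
# Added example, not code from the littleshop project: two checks for the
# "no secrets in logs" item and the "monitor for authentication failures"
# reminder. Both read a saved log file and never print secret values, only key
# names and counts. The log format and the failure patterns are assumptions.

SECRET_KEYS="JWT_SECRET_KEY SILVERPAY_API_KEY SILVERPAY_WEBHOOK_SECRET \
WEBPUSH_VAPID_PRIVATE_KEY TELEBOT_API_KEY"

# secret_hits ENVFILE LOGFILE: for every secret-bearing key in ENVFILE, count
# log lines that contain its literal value. Prints "KEY count" per leaked key
# and returns 1 if anything leaked, 0 otherwise.
secret_hits() {
    rc=0
    for key in $SECRET_KEYS; do
        val=$(grep -E "^[[:space:]]*$key=" "$1" 2>/dev/null | tail -n 1 |
              cut -d= -f2- | sed -e 's/^"\(.*\)"$/\1/')
        [ -n "$val" ] || continue
        # -F: the value is a literal, not a regex (base64 contains + and /)
        n=$(grep -cF -- "$val" "$2" || true)
        if [ "$n" -gt 0 ]; then
            printf '%s %s\n' "$key" "$n"
            rc=1
        fi
    done
    return $rc
}

# auth_failures LOGFILE: count lines that look like rejected authentication.
# The patterns are an assumption; adjust them to what littleshop actually logs.
auth_failures() {
    grep -ciE 'unauthorized|invalid (token|signature)|login failed|401' "$1" || true
}

# Constructed sample inputs (not real production data) showing the output shape:
# a debug line that echoed the SilverPay API key, plus two auth failures.
demo() {
    d=$(mktemp -d)
    printf 'JWT_SECRET_KEY=demo-jwt-secret-value\nSILVERPAY_API_KEY=demo-api-key\n' > "$d/.env"
    cat > "$d/app.log" <<'EOF'
info: Microsoft.Hosting.Lifetime[14] Now listening on: http://[::]:5100
dbug: LittleShop.Payments[0] SilverPay request headers: X-Api-Key: demo-api-key
warn: LittleShop.Auth[0] Webhook rejected: invalid signature from 203.0.113.9
info: LittleShop.Auth[0] POST /api/auth/login responded 401 Unauthorized
EOF
    secret_hits "$d/.env" "$d/app.log" || echo "secret leaked into the log (see key above)"
    echo "authentication failures: $(auth_failures "$d/app.log")"
    rm -rf "$d"
}
demo
```

Run `secret_hits` once right after the first deployment with the rotated values, and once more against the retained logs with the *old* values from Step 1 in a temporary env file: a hit there tells you the old secrets were being logged all along and that the log archive itself now needs the same handling as the secrets.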
---
## 📞 Support
If you encounter issues:
1. Check application logs: `docker logs littleshop --tail 200`
2. Verify environment variables are set: `docker exec littleshop env | grep -E "JWT|SILVERPAY|WEBPUSH|TELEBOT" | cut -d= -f1` (names only; never paste the output without the `cut` into a ticket or chat)
3. Contact DevOps team with error messages
---
**Document Version**: 1.0
**Last Updated**: November 12, 2025
**Related**: SECURITY_FIXES_2025-11-12.md