littleshop/DEPLOYMENT_AFTER_SECURITY_FIXES.md
sysadmin a07a3a54ea Fix SilverPay payment integration JSON serialization
- Changed JSON naming policy from CamelCase to SnakeCaseLower for SilverPay API compatibility
- Fixed field name from 'fiat_amount' to 'amount' in request body
- Used unique payment ID instead of order ID to avoid duplicate external_id conflicts
- Modified SilverPayApiResponse to handle string amounts from API
- Added [JsonIgnore] attributes to computed properties to prevent JSON serialization conflicts
- Fixed test compilation errors (mock service and enum casting issues)
- Updated SilverPay endpoint to http://10.0.0.52:8001/

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-13 14:12:35 +00:00


Deployment Instructions After Security Fixes

⚠️ IMPORTANT: Required Actions Before Next Deployment

The security fixes applied on November 12, 2025 require configuration changes before the application will start successfully.


🚨 Breaking Changes

The following environment variables are now REQUIRED and have no fallback defaults:

  • JWT_SECRET_KEY
  • SILVERPAY_API_KEY
  • SILVERPAY_WEBHOOK_SECRET
  • SILVERPAY_URL
  • SILVERPAY_WEBHOOK_URL
  • WEBPUSH_VAPID_PUBLIC_KEY
  • WEBPUSH_VAPID_PRIVATE_KEY
  • WEBPUSH_SUBJECT
  • TELEBOT_API_URL
  • TELEBOT_API_KEY

The application will FAIL TO START if these are not configured.


📋 Quick Start Guide

Step 1: Retrieve Current Production Secrets

IMPORTANT: Before deploying, you need to retrieve the secrets that were previously hardcoded:

# These were the old hardcoded values (FOR REFERENCE ONLY - ROTATE THESE!)
# JWT_SECRET_KEY (old): 7ndUULT7XWE78uxfZ9xO4t6/JhXRzCQ23wCN/R1foDPpb0dv06qe4TuGsRLLV5q+
# SILVERPAY_API_KEY (old): 7703aa7a62fa4b40a87e9cfd867f5407147515c0986116ea54fc00c0a0bc30d8
# SILVERPAY_WEBHOOK_SECRET (old): 04126be1b2ca9a586aaf25670c0ddb7a9afa106158074605a1016a2889655c20

⚠️ RECOMMENDATION: Generate NEW secrets for production instead of reusing these exposed values!

Step 2: Generate New Production Secrets

# Generate new JWT secret (64 characters)
openssl rand -base64 48 | cut -c1-64

# Generate new webhook secret (64 characters)
openssl rand -hex 32

# Generate VAPID keys for WebPush
cd VapidKeyGenerator
dotnet run

Step 3: Update Production Environment

Option A: Docker Compose (Recommended)

Create /opt/littleshop/.env file:

# Copy from template
cp .env.example .env

# Edit with production values
nano .env

Add these values to .env:

# JWT Configuration
JWT_SECRET_KEY=<your-new-64-char-secret>

# SilverPay Configuration
SILVERPAY_URL=http://31.97.57.205:8001
SILVERPAY_API_KEY=<get-from-silverpay-admin-panel>
SILVERPAY_WEBHOOK_SECRET=<your-new-webhook-secret>
SILVERPAY_WEBHOOK_URL=https://admin.dark.side/api/orders/payments/webhook

# WebPush Configuration
WEBPUSH_VAPID_PUBLIC_KEY=<your-vapid-public-key>
WEBPUSH_VAPID_PRIVATE_KEY=<your-vapid-private-key>
WEBPUSH_SUBJECT=mailto:admin@silverlabs.uk

# TeleBot Configuration
TELEBOT_API_URL=http://telebot-service:5010
TELEBOT_API_KEY=<your-random-secure-key>

Option B: GitLab CI/CD Variables

Add these variables in GitLab → Settings → CI/CD → Variables:

  • JWT_SECRET_KEY (Type: Variable, Protected: Yes, Masked: Yes)
  • SILVERPAY_API_KEY (Type: Variable, Protected: Yes, Masked: Yes)
  • SILVERPAY_WEBHOOK_SECRET (Type: Variable, Protected: Yes, Masked: Yes)
  • SILVERPAY_URL (Type: Variable, Protected: No)
  • SILVERPAY_WEBHOOK_URL (Type: Variable, Protected: No)
  • WEBPUSH_VAPID_PUBLIC_KEY (Type: Variable, Protected: No)
  • WEBPUSH_VAPID_PRIVATE_KEY (Type: Variable, Protected: Yes, Masked: Yes)
  • WEBPUSH_SUBJECT (Type: Variable, Protected: No)
  • TELEBOT_API_URL (Type: Variable, Protected: No)
  • TELEBOT_API_KEY (Type: Variable, Protected: Yes, Masked: Yes)

Step 4: Deploy

# SSH to production server
ssh -i ~/.ssh/littleshop_deploy_key -p 2255 sysadmin@srv1002428.hstgr.cloud

# Navigate to project
cd /opt/littleshop

# Pull latest changes
git pull origin development

# Verify .env file exists and defines the required variables (names only, so secret values are not echoed to the terminal or shell history)
cut -d= -f1 .env

# Deploy
docker-compose down
docker-compose up -d

# Check logs
docker logs littleshop --tail 100

Step 5: Verify Deployment

# Test health endpoint
curl http://localhost:5100/health

# Test version endpoint
curl http://localhost:5100/api/version

# Test catalog (should return products)
curl http://localhost:5100/api/catalog/products

# Check if application started without errors
docker logs littleshop 2>&1 | grep -i "error\|fatal\|exception"
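As an added example that is not part of this document or the littleshop project: a POSIX shell check to run against the .env written in Step 3 before the docker-compose up in Step 4, so a missing variable is caught before the container refuses to start. It assumes plain KEY=value lines (optionally double-quoted) and takes the old hardcoded values from Step 1 through the KNOWN_EXPOSED variable instead of embedding them.

```shell
#!/bin/sh
# Added pre-deployment check (example code, not part of the original document or the
# littleshop project). Verifies that a .env file defines every variable the security
# fixes made mandatory, that no "<your-...>" placeholders from .env.example remain,
# that secrets match the lengths Step 2 generates, and that no value is on a list of
# previously exposed secrets. Prints variable names and lengths only, never values.
# Usage: KNOWN_EXPOSED="<old values from Step 1>" check_env_file /opt/littleshop/.env

REQUIRED_VARS="JWT_SECRET_KEY SILVERPAY_API_KEY SILVERPAY_WEBHOOK_SECRET SILVERPAY_URL
SILVERPAY_WEBHOOK_URL WEBPUSH_VAPID_PUBLIC_KEY WEBPUSH_VAPID_PRIVATE_KEY WEBPUSH_SUBJECT
TELEBOT_API_URL TELEBOT_API_KEY"
KNOWN_EXPOSED="${KNOWN_EXPOSED:-}"   # space-separated; fill from the old hardcoded values

# Value of one variable in a .env file: last definition wins, surrounding double quotes stripped.
env_value() {
  grep -E "^$2=" "$1" | tail -n 1 | cut -d= -f2- | sed -e 's/^"//' -e 's/"$//'
}

# Exit status 0 means the file is ready for Step 4; 1 means at least one problem was printed.
check_env_file() {
  file=$1
  problems=0
  [ -r "$file" ] || { echo "FAIL: $file is not readable"; return 1; }
  for var in $REQUIRED_VARS; do
    value=$(env_value "$file" "$var")
    if [ -z "$value" ]; then
      echo "FAIL: $var is missing or empty"; problems=$((problems + 1)); continue
    fi
    case "$value" in
      *'<'*'>'*) echo "FAIL: $var still holds a template placeholder"; problems=$((problems + 1)); continue ;;
    esac
    case " $KNOWN_EXPOSED " in
      *" $value "*) echo "FAIL: $var reuses a previously exposed value"; problems=$((problems + 1)); continue ;;
    esac
    case "$var" in
      JWT_SECRET_KEY)           # openssl rand -base64 48 gives exactly 64 characters
        [ "${#value}" -ge 64 ] || { echo "FAIL: $var is shorter than 64 characters"; problems=$((problems + 1)); continue; } ;;
      SILVERPAY_WEBHOOK_SECRET) # openssl rand -hex 32 gives 64 lowercase hex characters
        printf '%s' "$value" | grep -Eq '^[0-9a-f]{64}$' || { echo "FAIL: $var is not 64 hex characters"; problems=$((problems + 1)); continue; } ;;
    esac
    echo "ok:   $var is set (${#value} characters)"
  done
  echo "$problems problem(s) found in $file"
  [ "$problems" -eq 0 ]
}
```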

🔧 Troubleshooting

Application fails to start with "JWT:Key configuration is missing"

Cause: JWT_SECRET_KEY environment variable not set

Solution:

# Check if .env file exists and defines the key (names only, no values echoed)
cut -d= -f1 /opt/littleshop/.env | grep JWT_SECRET_KEY

# Or set it in the shell and recreate the container. Note that docker-compose restart
# does not re-read environment changes; only up -d recreates containers whose configuration changed:
export JWT_SECRET_KEY="your-secret-here"
docker-compose up -d

Application fails with "SilverPay base URL not configured"

Cause: SILVERPAY_URL not set

Solution:

# Add to .env file, then recreate the container (docker-compose restart keeps the old environment)
echo "SILVERPAY_URL=http://31.97.57.205:8001" >> .env
docker-compose up -d

WebPush notifications fail

Cause: VAPID keys not configured

Solution:

# Generate new keys
cd VapidKeyGenerator
dotnet run

# Copy public and private keys to .env
nano /opt/littleshop/.env

🔄 Rollback Instructions

If deployment fails and you need to rollback:

# Option 1: Use old secrets temporarily (NOT RECOMMENDED - already exposed)
export JWT_SECRET_KEY="7ndUULT7XWE78uxfZ9xO4t6/JhXRzCQ23wCN/R1foDPpb0dv06qe4TuGsRLLV5q+"
export SILVERPAY_API_KEY="7703aa7a62fa4b40a87e9cfd867f5407147515c0986116ea54fc00c0a0bc30d8"
export SILVERPAY_WEBHOOK_SECRET="04126be1b2ca9a586aaf25670c0ddb7a9afa106158074605a1016a2889655c20"

# Option 2: Rollback to previous git commit (RECOMMENDED)
git revert HEAD
docker-compose down
docker-compose up -d

Post-Deployment Checklist

After successful deployment:

  • Application starts without errors
  • Health check passes: curl http://localhost:5100/health
  • Can access admin panel: https://admin.dark.side
  • Can log in with admin credentials
  • Products are visible in catalog
  • Can create test order via TeleBot
  • SilverPay payment creation works
  • Webhook signature validation passes
  • Push notifications work (if enabled)
  • No secrets visible in logs

🔐 Security Reminders

  1. Never commit .env file to Git
  2. Rotate the old exposed secrets as soon as possible
  3. Store new secrets in password manager/vault
  4. Monitor logs for authentication failures
  5. Audit access logs regularly

📞 Support

If you encounter issues:

  1. Check application logs: docker logs littleshop --tail 200
  2. Verify environment variables are set (names only, so no secret values are printed): docker exec littleshop env | grep -E "JWT|SILVERPAY|WEBPUSH|TELEBOT" | cut -d= -f1
  3. Contact DevOps team with error messages

Document Version: 1.0
Last Updated: November 12, 2025
Related: SECURITY_FIXES_2025-11-12.md