Security Guidelines

Authentication & Authorization

Firebase Authentication

ChainAlign uses Firebase Authentication for user management and JWT-based authentication.

For Development & Testing

Generating Test Tokens:

# Generate a test token for a specific user
node scripts/generateTestToken.mjs <uid> <email> <displayName>

# Example:
node scripts/generateTestToken.mjs test-user-123 test@example.com "Test User"

Important Notes:

• Test tokens expire quickly (typically within 1 hour)
• NEVER commit hardcoded tokens to Git
• Use environment variables for any long-lived tokens
• Always remove test tokens from code before committing

Backend API Token (Service-to-Service)

For internal backend service communication (e.g., AIManager calling internal APIs), use the BACKEND_API_TOKEN environment variable:

1. Generate a token using the script above for a service account user
2. Add to .env (NOT .env.example):

   BACKEND_API_TOKEN=your_generated_token_here

3. Use in code:

   const backendApiToken = process.env.BACKEND_API_TOKEN;
   if (!backendApiToken) {
     console.error('BACKEND_API_TOKEN environment variable is not set');
     return null;
   }

Token Rotation

When to rotate tokens:

• After any suspected security breach
• If a token is accidentally committed to version control
• On a regular schedule (recommended: every 90 days for service accounts)

How to rotate:

1. Generate a new token:

   node scripts/generateTestToken.mjs <service-account-uid> <email> <name>

2. Update the token in all environments:

   • Development: Update .env locally
   • Staging: Update environment variables in staging deployment
   • Production: Update environment variables in production deployment

3. If a token was exposed in Git history:

   # Revoke the exposed token immediately via Firebase Console
   # - Go to Firebase Console > Authentication > Users
   # - Find the user/service account
   # - Disable the account or delete and recreate it
   
   # Then generate and deploy a new token
   node scripts/generateTestToken.mjs <new-uid> <email> <name>

4. Verify the new token works in all environments before removing the old one

Git Pre-Commit Hook

A pre-commit hook is installed at .git/hooks/pre-commit to automatically detect hardcoded secrets before commits.

What it detects:

• JWT tokens (Firebase, Auth0, etc.)
• Bearer tokens in Authorization headers
• API keys and secrets
• AWS access keys
• Private keys (RSA, OpenSSH, etc.)

Hook output:

Success:

🔍 Scanning for hardcoded secrets...
✅ No hardcoded secrets detected

Blocked commit:

🔍 Scanning for hardcoded secrets...
✗ Hardcoded Bearer token found in: backend/src/services/AIManager.js
  Pattern: Authorization: Bearer eyJ...

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
❌ COMMIT BLOCKED: Hardcoded secrets detected!
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Please:
  1. Remove hardcoded secrets from the files above
  2. Use environment variables instead (see .env.example)
  3. For test tokens, use scripts/generateTestToken.mjs

Bypassing the hook (NOT RECOMMENDED):

git commit --no-verify

Only bypass if:

• You're committing example/documentation files
• You're certain there are no real secrets (false positive)

Installing the hook on a new clone:

The hook is located at .git/hooks/pre-commit but is not tracked by Git (.git directory is never committed). To set it up on a new machine:

# The hook file should be maintained in the repository
# Copy from a team member or recreate using the pattern above
chmod +x .git/hooks/pre-commit

Environment Variables

Required Variables

See .env.example for a complete list. Key security-related variables:

# Firebase Configuration
GOOGLE_APPLICATION_CREDENTIALS=/path/to/firebase-admin-sdk-key.json

# API Keys (never commit actual values)
GEMINI_API_KEY=your_gemini_api_key_here
TYPESENSE_API_KEY=your_typesense_api_key_here

# Backend Service Token
BACKEND_API_TOKEN=your_backend_api_token_here

# Database Credentials
DB_USER=your_db_user
DB_PASSWORD=your_db_password
DB_NAME=your_db_name

Best Practices

1. Never commit .env files - They're in .gitignore for a reason
2. Use strong, unique values for production
3. Rotate secrets regularly (every 90 days minimum)
4. Use different credentials for dev/staging/production
5. Store production secrets in a secure vault (AWS Secrets Manager, GCP Secret Manager, etc.)

Reporting Security Issues

If you discover a security vulnerability:

1. DO NOT open a public GitHub issue
2. Email the security team directly at: [pramod.opspilot@gmail.com]
3. Include:
   • Description of the vulnerability
   • Steps to reproduce
   • Potential impact
   • Suggested fix (if any)

Additional Security Measures

Database Security

• All database connections use SSL in production
• Tenant isolation via UUID-based filtering
• Row-level security policies (where applicable)

API Security

• JWT authentication on all API routes (except public endpoints)
• CORS configuration restricts allowed origins
• Rate limiting on sensitive endpoints (recommended: implement if not present)

Dependency Security

# Audit npm dependencies regularly
npm audit

# Fix vulnerabilities
npm audit fix

# For breaking changes, review manually
npm audit fix --force

Docker Security

• Base images are regularly updated
• No secrets in Dockerfiles or docker-compose.yml
• Use Docker secrets for production deployments

Compliance

ChainAlign handles sensitive business data (forecasts, demand plans, financial data). Ensure:

• Data encryption at rest and in transit
• Regular security audits
• Access controls and audit logging
• Compliance with relevant regulations (GDPR, SOC 2, etc.)