Firebase credential rotation (#520)

dkrai04 · claude · web-flow · commit e95fca7af935 · 2025-10-28T22:09:24.000+05:30
* chore: rotate Firebase credentials for security - Add Firebase credential rotation documentation - Add automated rotation scripts (rotate, verify, cleanup) - Update .gitignore to exclude sensitive Firebase key files - New service account: blend-firebase-10281134 Security incident: Firebase credentials were exposed in DEPLOYMENT.md commit history. This rotation addresses the exposure. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * fix: update cloudbuild.yaml with new Firebase credentials and Docker path * fix: update Dockerfile to use pnpm and new Firebase credentials * fix: correct standalone output paths in Dockerfile * docs: document completed Firebase credential rotation * chore: remove credential rotation helper scripts after successful rotation - Removed rotate-credentials.sh (rotation complete) - Removed verify-deployment.sh (verification complete) - Removed cleanup-old-credentials.sh (cleanup complete) - Updated FIREBASE_CREDENTIAL_ROTATION.md with final status - Keep only documentation for future reference * chore(security): implement comprehensive credential security improvements Priority 1: Remove Hardcoded Credentials - Update .gitignore to explicitly exclude .env.local and .env.production - Add patterns for firebase-*.json and credentials*.json - Create .env.example template with placeholder values and setup instructions - Remove hardcoded database password from .env files (use Secret Manager) - Remove hardcoded Firebase private key from .env files (use Secret Manager) Priority 2: Update Firebase References - Updated .env.local and .env.production with new Firebase App ID - Updated to new service account: blend-firebase-10281134 - Added instructions for fetching secrets from Secret Manager Priority 3: Dockerfile Security - Replace hardcoded ENV values with ARG build arguments - Update cloudbuild.yaml to pass Firebase config as build arguments - Enable flexible configuration without hardcoding in Dockerfile Security Improvements: - Database password now comes from Secret Manager (not hardcoded) - Firebase private key now comes from Secret Manager (not hardcoded) - .env files are properly excluded from git tracking - Template file (.env.example) provided for local development setup - Build-time configuration uses arguments for flexibility 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * chore: remove Firebase credential rotation documentation - Removed FIREBASE_CREDENTIAL_ROTATION.md after successful rotation - All security improvements are complete and verified - Credentials successfully rotated and tested in production 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * docs: add local setup guide for blend-monitor - Add LOCAL_SETUP.md with step-by-step instructions - Add cloud_sql_proxy to .gitignore to prevent binary commits - Include troubleshooting section for common issues 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> --------- Co-authored-by: Claude <noreply@anthropic.com>
diff --git a/.gcloudignore b/.gcloudignore
@@ -0,0 +1,31 @@
+# Exclude node_modules and build artifacts
+node_modules/
+**/node_modules/
+.next/
+**/.next/
+dist/
+**/dist/
+.turbo/
+**/.turbo/
+storybook-static/
+
+# Exclude git and IDE files
+.git/
+.vscode/
+.idea/
+
+# Exclude other apps source (but keep package.json for dependencies)
+apps/ascent/app/**
+apps/ascent/public/**
+apps/site/src/**
+apps/site/public/**
+apps/storybook/stories/**
+apps/storybook/.storybook/**
+
+# Exclude test and documentation files
+**/*.test.ts
+**/*.test.tsx
+**/*.spec.ts
+**/*.spec.tsx
+**/README.md
+**/.DS_Store
diff --git a/.gitignore b/.gitignore
@@ -41,13 +41,20 @@ next-env.d.ts
 !.env.example
 !.env.template
 .env.local
+.env.production
 .env.development.local
 .env.test.local
 .env.production.local
 .env.staging
 .env.dev
 .env.prod
 
+# Sensitive credentials (extra safety)
+**/.env.local
+**/.env.production
+**/firebase-*.json
+**/credentials*.json
+
 # OS files
 .DS_Store
 .DS_Store?
@@ -155,6 +162,12 @@ coverage/
 # Firebase
 .firebase/
 .firebaserc.local
+firebase-*-key*.json
+firebase-*-private-key.txt
+
+# Cloud SQL Proxy binary
+**/cloud_sql_proxy
+cloud_sql_proxy
 
 # Build outputs
 dist/
diff --git a/apps/blend-monitor/.env.example b/apps/blend-monitor/.env.example
@@ -0,0 +1,78 @@
+# ===================================
+# Blend Monitor - Environment Variables Template
+# ===================================
+# Copy this file to .env.local for local development
+# Replace placeholder values with actual credentials
+# NEVER commit .env.local or .env.production to git!
+# ===================================
+
+# ===================================
+# Firebase Client Configuration (Public - Safe to expose in frontend)
+# ===================================
+NEXT_PUBLIC_FIREBASE_API_KEY=your-firebase-api-key-here
+NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN=your-project-id.firebaseapp.com
+NEXT_PUBLIC_FIREBASE_PROJECT_ID=your-project-id
+NEXT_PUBLIC_FIREBASE_STORAGE_BUCKET=your-project-id.firebasestorage.app
+NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID=your-sender-id
+NEXT_PUBLIC_FIREBASE_APP_ID=1:your-sender-id:web:your-app-id
+NEXT_PUBLIC_FIREBASE_DATABASE_URL=https://your-project-id-default-rtdb.region.firebasedatabase.app
+
+# ===================================
+# Firebase Admin Configuration (Private - Server-side only)
+# ===================================
+FIREBASE_PROJECT_ID=your-project-id
+FIREBASE_DATABASE_URL=https://your-project-id-default-rtdb.region.firebasedatabase.app
+FIREBASE_CLIENT_EMAIL=your-service-account@your-project-id.iam.gserviceaccount.com
+# FIREBASE_PRIVATE_KEY should come from Secret Manager in production
+# For local development, use Cloud SQL Proxy and Secret Manager
+# DO NOT hardcode the private key here!
+
+# ===================================
+# Database Configuration (Local Development via Cloud SQL Proxy)
+# ===================================
+DATABASE_HOST=localhost
+DATABASE_PORT=5433
+DATABASE_NAME=blend_monitor
+DATABASE_USER=admin
+# DATABASE_PASSWORD should come from Secret Manager
+# For local development:
+# 1. Start Cloud SQL Proxy: ./cloud_sql_proxy -instances=PROJECT:REGION:INSTANCE=tcp:5433
+# 2. Set password from Secret Manager: gcloud secrets versions access latest --secret="blend-monitor-db-password"
+# DO NOT hardcode the password here!
+
+# Database URL (constructed from above values)
+# DATABASE_URL=postgresql://admin:PASSWORD_FROM_SECRET_MANAGER@localhost:5433/blend_monitor
+
+# ===================================
+# Application Settings
+# ===================================
+NODE_ENV=development
+
+# ===================================
+# Production Configuration
+# ===================================
+# In production (Cloud Run), these are set via:
+# - Environment variables in cloudbuild.yaml
+# - Secrets from Secret Manager
+# - Cloud SQL Unix socket connection
+#
+# DO NOT use .env files in production!
+# All sensitive values MUST come from Secret Manager
+#
+# Production secrets:
+# - DATABASE_PASSWORD → blend-monitor-db-password (Secret Manager)
+# - FIREBASE_PRIVATE_KEY → blend-monitor-firebase-key (Secret Manager)
+# ===================================
+
+# ===================================
+# Local Development Setup Instructions
+# ===================================
+# 1. Copy this file: cp .env.example .env.local
+# 2. Get Firebase config from Firebase Console
+# 3. Set up Cloud SQL Proxy for database access
+# 4. Get database password from Secret Manager:
+#    gcloud secrets versions access latest --secret="blend-monitor-db-password" --project=PROJECT_ID
+# 5. Get Firebase private key from Secret Manager:
+#    gcloud secrets versions access latest --secret="blend-monitor-firebase-key" --project=PROJECT_ID
+# 6. Update .env.local with actual values
+# ===================================
diff --git a/apps/blend-monitor/Dockerfile b/apps/blend-monitor/Dockerfile
@@ -1,32 +1,49 @@
 # Build stage
 FROM node:20-alpine AS builder
 
-# Install dependencies for native modules
+# Install dependencies for native modules and pnpm
 RUN apk add --no-cache libc6-compat
+RUN corepack enable && corepack prepare pnpm@latest --activate
 
 WORKDIR /app
 
-# Copy package file
+# Copy monorepo files
+COPY pnpm-workspace.yaml ./
+COPY pnpm-lock.yaml ./
 COPY package.json ./
-
-# Install dependencies (without lock file since it's in the monorepo root)
-RUN npm install
-
-# Copy source files
-COPY . .
-
-# Set build-time environment variables (actual values for build)
-ENV NEXT_PUBLIC_FIREBASE_API_KEY="AIzaSyD2aRkOI4iCwiZOW5kEejrL9jv9JvytKpo"
-ENV NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN="storybook-452807.firebaseapp.com"
-ENV NEXT_PUBLIC_FIREBASE_PROJECT_ID="storybook-452807"
-ENV NEXT_PUBLIC_FIREBASE_STORAGE_BUCKET="storybook-452807.firebasestorage.app"
-ENV NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID="567047894553"
-ENV NEXT_PUBLIC_FIREBASE_APP_ID="1:567047894553:web:1cd999e1c9bf9b81ff5c88"
-ENV NEXT_PUBLIC_FIREBASE_DATABASE_URL="https://storybook-452807-default-rtdb.asia-southeast1.firebasedatabase.app"
+COPY turbo.json ./
+
+# Copy blend-monitor app
+COPY apps/blend-monitor ./apps/blend-monitor
+
+# Copy shared packages if needed
+COPY packages ./packages
+
+# Install dependencies
+RUN pnpm install --frozen-lockfile
+
+# Build arguments for Firebase configuration
+ARG NEXT_PUBLIC_FIREBASE_API_KEY
+ARG NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN
+ARG NEXT_PUBLIC_FIREBASE_PROJECT_ID
+ARG NEXT_PUBLIC_FIREBASE_STORAGE_BUCKET
+ARG NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID
+ARG NEXT_PUBLIC_FIREBASE_APP_ID
+ARG NEXT_PUBLIC_FIREBASE_DATABASE_URL
+
+# Set build-time environment variables from build arguments
+ENV NEXT_PUBLIC_FIREBASE_API_KEY=${NEXT_PUBLIC_FIREBASE_API_KEY}
+ENV NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN=${NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN}
+ENV NEXT_PUBLIC_FIREBASE_PROJECT_ID=${NEXT_PUBLIC_FIREBASE_PROJECT_ID}
+ENV NEXT_PUBLIC_FIREBASE_STORAGE_BUCKET=${NEXT_PUBLIC_FIREBASE_STORAGE_BUCKET}
+ENV NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID=${NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID}
+ENV NEXT_PUBLIC_FIREBASE_APP_ID=${NEXT_PUBLIC_FIREBASE_APP_ID}
+ENV NEXT_PUBLIC_FIREBASE_DATABASE_URL=${NEXT_PUBLIC_FIREBASE_DATABASE_URL}
 
 # Build the application
 ENV NEXT_TELEMETRY_DISABLED 1
-RUN npm run build
+WORKDIR /app/apps/blend-monitor
+RUN pnpm run build
 
 # Production stage
 FROM node:20-alpine AS runner
@@ -41,18 +58,16 @@ RUN addgroup --system --gid 1001 nodejs
 RUN adduser --system --uid 1001 nextjs
 
 # Copy necessary files from builder
-COPY --from=builder /app/public ./public
-COPY --from=builder /app/.next/standalone ./
-COPY --from=builder /app/.next/static ./.next/static
-
-# Set correct permissions
-RUN chown -R nextjs:nodejs /app
+COPY --from=builder --chown=nextjs:nodejs /app/apps/blend-monitor/.next/standalone ./
+COPY --from=builder --chown=nextjs:nodejs /app/apps/blend-monitor/.next/static ./apps/blend-monitor/.next/static
+COPY --from=builder --chown=nextjs:nodejs /app/apps/blend-monitor/public ./apps/blend-monitor/public
 
 USER nextjs
 
 # Expose port
 EXPOSE 8080
 ENV PORT 8080
+ENV HOSTNAME="0.0.0.0"
 
 # Start the application
-CMD ["node", "server.js"]
+CMD ["node", "apps/blend-monitor/server.js"]
diff --git a/apps/blend-monitor/LOCAL_SETUP.md b/apps/blend-monitor/LOCAL_SETUP.md
@@ -0,0 +1,90 @@
+# Blend Monitor - Local Setup Guide
+
+Quick guide to run blend-monitor locally on your machine.
+
+## Prerequisites
+
+- Node.js 18+
+- pnpm installed
+- GCP CLI authenticated with `storybook-452807` project
+
+## Setup Steps
+
+### 1. Download Cloud SQL Proxy
+
+```bash
+cd apps/blend-monitor
+curl -o cloud_sql_proxy https://dl.google.com/cloudsql/cloud_sql_proxy.darwin.amd64
+chmod +x cloud_sql_proxy
+```
+
+### 2. Configure Environment Variables
+
+Copy the example file:
+
+```bash
+cp .env.example .env.local
+```
+
+Fetch secrets from GCP Secret Manager:
+
+```bash
+# Get database password
+gcloud secrets versions access latest --secret="blend-monitor-db-password" --project=storybook-452807
+
+# Get Firebase private key
+gcloud secrets versions access latest --secret="blend-monitor-firebase-key" --project=storybook-452807
+```
+
+Add the secrets to `.env.local`:
+
+- `DATABASE_PASSWORD=<paste the database password>`
+- `FIREBASE_PRIVATE_KEY=<paste the private key>`
+
+### 3. Start Cloud SQL Proxy
+
+```bash
+./cloud_sql_proxy -instances=storybook-452807:us-central1:blend-dashboard=tcp:5433 &
+```
+
+### 4. Run Development Server
+
+From the monorepo root:
+
+```bash
+pnpm --filter blend-monitor dev
+```
+
+Or from the blend-monitor directory:
+
+```bash
+pnpm dev
+```
+
+### 5. Access the App
+
+Open http://localhost:3000 in your browser.
+
+## Stopping the App
+
+Kill the dev server (Ctrl+C) and stop the Cloud SQL proxy:
+
+```bash
+pkill -f cloud_sql_proxy
+```
+
+## Troubleshooting
+
+**Port already in use?**
+
+- Kill the process: `lsof -ti:3000 | xargs kill -9`
+
+**Database connection failed?**
+
+- Ensure Cloud SQL proxy is running: `ps aux | grep cloud_sql_proxy`
+- Check proxy logs for connection errors
+
+**Firebase authentication failed?**
+
+- Verify `FIREBASE_PRIVATE_KEY` is properly formatted in `.env.local`
+- Ensure the private key includes `\n` for newlines in the string
diff --git a/apps/blend-monitor/cloudbuild.yaml b/apps/blend-monitor/cloudbuild.yaml
@@ -1,12 +1,28 @@
 steps:
-    # Build the container image
+    # Build the container image with build arguments
     - name: 'gcr.io/cloud-builders/docker'
       args:
           - 'build'
           - '-t'
           - 'gcr.io/$PROJECT_ID/blend-monitor:$BUILD_ID'
           - '-t'
           - 'gcr.io/$PROJECT_ID/blend-monitor:latest'
+          - '-f'
+          - 'apps/blend-monitor/Dockerfile'
+          - '--build-arg'
+          - 'NEXT_PUBLIC_FIREBASE_API_KEY=$_FIREBASE_API_KEY'
+          - '--build-arg'
+          - 'NEXT_PUBLIC_FIREBASE_AUTH_DOMAIN=$_FIREBASE_AUTH_DOMAIN'
+          - '--build-arg'
+          - 'NEXT_PUBLIC_FIREBASE_PROJECT_ID=$_FIREBASE_PROJECT_ID'
+          - '--build-arg'
+          - 'NEXT_PUBLIC_FIREBASE_STORAGE_BUCKET=$_FIREBASE_STORAGE_BUCKET'
+          - '--build-arg'
+          - 'NEXT_PUBLIC_FIREBASE_MESSAGING_SENDER_ID=$_FIREBASE_MESSAGING_SENDER_ID'
+          - '--build-arg'
+          - 'NEXT_PUBLIC_FIREBASE_APP_ID=$_FIREBASE_APP_ID'
+          - '--build-arg'
+          - 'NEXT_PUBLIC_FIREBASE_DATABASE_URL=$_FIREBASE_DATABASE_URL'
           - '.'
 
     # Push the container image to Container Registry
@@ -59,9 +75,9 @@ substitutions:
     _FIREBASE_PROJECT_ID: 'storybook-452807'
     _FIREBASE_STORAGE_BUCKET: 'storybook-452807.firebasestorage.app'
     _FIREBASE_MESSAGING_SENDER_ID: '567047894553'
-    _FIREBASE_APP_ID: '1:567047894553:web:1cd999e1c9bf9b81ff5c88'
+    _FIREBASE_APP_ID: '1:567047894553:web:f2e38d23fbc9bdbbff5c88'
     _FIREBASE_DATABASE_URL: 'https://storybook-452807-default-rtdb.asia-southeast1.firebasedatabase.app'
-    _FIREBASE_CLIENT_EMAIL: 'firebase-adminsdk-fbsvc@storybook-452807.iam.gserviceaccount.com'
+    _FIREBASE_CLIENT_EMAIL: 'blend-firebase-10281134@storybook-452807.iam.gserviceaccount.com'
 
 options:
     logging: CLOUD_LOGGING_ONLY
