Merge pull request #346 from Pseudo-Lab/fix/getcloser-security-config

Fix/getcloser security config

Author: soohyunme

.github/workflows/deploy-getcloser.yml

@@ -47,6 +47,8 @@ jobs:
           echo "TEAM_SIZE=${{ vars.TEAM_SIZE}}" >> .env
           echo "PENDING_TIMEOUT_MINUTES=${{ vars.PENDING_TIMEOUT_MINUTES}}" >> .env
           echo "DATA_DIR_HOST=${{ vars.DATA_DIR_HOST }}" >> .env
+          echo "SECRET_KEY=${{ secrets.SECRET_KEY }}" >> .env
+          echo "ENVIRONMENT=prod" >> .env
 
       - name: 🚀 Deploy to PROD
         run: |

.github/workflows/devfactory-homepage.yml

@@ -32,6 +32,7 @@ jobs:
           cat > .env <<'EOF'
           APP_HOST=${{ vars.APP_HOST }}
           DATABASE_URL=${{ secrets.DATABASE_URL }}
+          ACCESS_LOGGING_IP_SALT=${{ secrets.ACCESS_LOGGING_IP_SALT }}
           EOF
 
       - name: Build & up (prod)

cert/backend/.env.example

@@ -0,0 +1,5 @@
+# LOG_LEVEL=INFO
+# ENVIRONMENT=dev
+
+# CORS Origins (쉼표로 구분)
+CORS_ORIGINS=https://cert.pseudo-lab.com,https://dev-cert.pseudolab-devfactory.com,http://localhost:5173

cert/backend/src/main.py

@@ -40,11 +40,23 @@ def configure_logging() -> None:
 # Access log middleware
 app.middleware("http")(access_log_middleware)
 
-# CORS 미들웨어 설정
-origins = os.getenv("CORS_ORIGINS", "").split(",")
+# CORS configuration
+# Load allowed origins from CORS_ORIGINS environment variable (comma-separated)
+cors_origins_str = os.getenv("CORS_ORIGINS", "")
+if cors_origins_str:
+    origins = [origin.strip() for origin in cors_origins_str.split(",") if origin.strip()]
+else:
+    # Default origins for local development and known production/dev domains
+    origins = [
+        "http://localhost:3000",
+        "http://localhost:5173",
+        "https://cert.pseudo-lab.com",
+        "https://dev-cert.pseudolab-devfactory.com",
+    ]
+
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=["*"],
+    allow_origins=origins,
     allow_credentials=True,
     allow_methods=["*"],
     allow_headers=["*"],

getcloser/backend/.env.example

@@ -0,0 +1,7 @@
+# DATABASE_URL=postgresql+psycopg2://user:password@db:5432/app_db
+
+# 보안을 위해 무작위 문자열을 생성하여 설정하세요.
+# 예: openssl rand -hex 32
+SECRET_KEY=your-super-secret-key-here
+
+# ACCESS_TOKEN_EXPIRE_MINUTES=60

getcloser/backend/app/core/config.py

@@ -1,12 +1,29 @@
 import os
+from pydantic import field_validator
 from pydantic_settings import BaseSettings
 
 class Settings(BaseSettings):
+    ENVIRONMENT: str = os.getenv("ENVIRONMENT", "dev")
     DATABASE_URL: str = os.getenv("DATABASE_URL", "postgresql+psycopg2://user:password@db:5432/app_db")
+    
     """
     JWT 안쓸 것 같아 일단 주석 처리하고 추후 확정 시 삭제
     """
-    SECRET_KEY: str = os.getenv("SECRET_KEY", "change-me-in-prod")
+    # Secret key for JWT signing. Must be overridden in production using environment variables.
+    DEFAULT_SECRET_KEY = "default-secret-key-change-it"
+    SECRET_KEY: str = os.getenv("SECRET_KEY", DEFAULT_SECRET_KEY)
+    
+    @field_validator("SECRET_KEY")
+    @classmethod
+    def check_secret_key(cls, v, info):
+        """
+        Validate that SECRET_KEY is not using the default placeholder value in production.
+        """
+        env = os.getenv("ENVIRONMENT", "dev").lower()
+        if env in ["prod", "production"] and v == cls.DEFAULT_SECRET_KEY:
+            raise ValueError("SECRET_KEY must be a unique, non-default value in production environments.")
+        return v
+        
     ALGORITHM: str = "HS256"
     ACCESS_TOKEN_EXPIRE_MINUTES: int = int(os.getenv("ACCESS_TOKEN_EXPIRE_MINUTES", "60"))
 

platform/.env.example

@@ -3,3 +3,6 @@ APP_HOST=your-domain.com
 
 # Database Setting
 DATABASE_URL=postgresql://user:pass@devfactory-postgres:5432/dbname
+
+# Logging Setting
+ACCESS_LOGGING_IP_SALT=your-secret-salt-here

platform/docker-compose.yml

@@ -35,6 +35,7 @@ services:
     restart: unless-stopped
     environment:
       - DATABASE_URL=${DATABASE_URL}
+      - ACCESS_LOGGING_IP_SALT=${ACCESS_LOGGING_IP_SALT}
       - PORT=3000
     networks:
       - traefik

platform/server/src/index.js

@@ -1,5 +1,6 @@
 require('dotenv').config();
 const express = require('express');
+const crypto = require('crypto');
 const { Pool } = require('pg');
 const cors = require('cors');
 
@@ -25,6 +26,35 @@ pool.query('SELECT NOW()', (err, res) => {
 });
 
 // API Routes
+
+/**
+ * Extracts the client IP address from request headers or connection info.
+ */
+function getClientIp(req) {
+    // Check X-Forwarded-For header (common for reverse proxies)
+    const forwardedFor = req.headers['x-forwarded-for'];
+    if (forwardedFor) {
+        // Can be a comma-separated list; the first one is the original client
+        return forwardedFor.split(',')[0].trim();
+    }
+
+    // Check X-Real-IP header
+    const realIp = req.headers['x-real-ip'];
+    if (realIp) {
+        return realIp;
+    }
+
+    // Fallback to Express req.ip or socket address
+    return req.ip || req.socket.remoteAddress;
+}
+
+/**
+ * Hashes the IP address with a salt, matching the behavior in the cert system.
+ */
+function hashIp(ip, salt = '') {
+    if (!ip) return null;
+    return crypto.createHash('sha256').update(salt + ip).digest('hex');
+}
 app.get('/api/health', (req, res) => {
     res.json({ status: 'ok' });
 });
@@ -33,12 +63,15 @@ app.get('/api/health', (req, res) => {
 app.post('/api/stats/visit', async (req, res) => {
     try {
         const { path, userAgent } = req.body;
-        // 기존 로그 포맷에 맞춰 method는 'PAGEVIEW'로, referrer는 현재 호스트로 기록
         const referrer = req.headers.referer || '';
 
+        // Extract client IP and generate hash
+        const clientIp = getClientIp(req);
+        const ipHash = hashIp(clientIp, process.env.ACCESS_LOGGING_IP_SALT || '');
+
         await pool.query(
-            'INSERT INTO logging.access_log (path, method, status, user_agent, referrer, ts) VALUES ($1, $2, $3, $4, $5, NOW())',
-            [path || '/', 'PAGEVIEW', 200, userAgent, referrer]
+            'INSERT INTO logging.access_log (path, method, status, ip_hash, user_agent, referrer, ts) VALUES ($1, $2, $3, $4, $5, $6, NOW())',
+            [path || '/', 'PAGEVIEW', 200, ipHash, userAgent, referrer]
         );
         res.status(201).json({ message: 'Visit logged successfully' });
     } catch (err) {