From 35e4cf0da42a294502f28b4868e90ef7fb122ff4 Mon Sep 17 00:00:00 2001
From: czlonkowski <56956555+czlonkowski@users.noreply.github.com>
Date: Sun, 6 Jul 2025 17:46:10 +0200
Subject: [PATCH] fix: remove hardcoded credentials and add security documentation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Remove hardcoded API key and URL from debug-n8n-auth.ts
- Require environment variables with proper validation
- Add comprehensive SECURITY.md with best practices
- Address security concerns raised in issue #18
The SecureKeyGuard alert was a false positive (mistaking "validate_workflow" for "VAULT_TOKEN"), but the review uncovered actual hardcoded credentials that have now been removed.
🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude
---
 SECURITY.md | 95 +++++++++++++++++++++++++++++++++++
 src/scripts/debug-n8n-auth.ts | 10 +++-
 2 files changed, 103 insertions(+), 2 deletions(-)
 create mode 100644 SECURITY.md
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 0000000..7cd1510
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,95 @@
+# Security Policy
+
+## Reporting Security Vulnerabilities
+
+If you discover a security vulnerability in n8n-mcp, please report it by creating a private security advisory on GitHub or emailing the maintainer directly. Please do not create public issues for security vulnerabilities.
+
+## Security Best Practices
+
+### 1. Environment Variables
+
+**NEVER** commit real API keys, tokens, or credentials to the repository.
+
+- Use `.env` files for local development (already in `.gitignore`)
+- Use `.env.example` as a template with placeholder values
+- Generate strong tokens using: `openssl rand -base64 32`
+
+### 2. API Keys and Tokens
+
+- **Rotate credentials immediately** if they are exposed
+- Use environment variables exclusively - no hardcoded fallbacks
+- Implement proper token expiration when possible
+- Use least-privilege access for API keys
+
+### 3. Code Security
+
+#### ❌ DON'T DO THIS:
+```typescript
+// NEVER hardcode credentials
+const apiKey = process.env.N8N_API_KEY || 'n8n_api_actual_key_here';
+const apiUrl = process.env.N8N_API_URL || 'https://production-url.com';
+```
+
+#### ✅ DO THIS INSTEAD:
+```typescript
+// Always require environment variables
+const apiKey = process.env.N8N_API_KEY;
+const apiUrl = process.env.N8N_API_URL;
+
+if (!apiKey || !apiUrl) {
+ console.error('Error: Required environment variables are missing');
+ process.exit(1);
+}
+```
+
+### 4. Git Security
+
+Before committing, always check:
+```bash
+# Check for tracked sensitive files
+git ls-files | grep -E "\.(env|pem|key|cert)$"
+
+# Check staged changes for secrets
+git diff --staged | grep -iE "(api[_-]?key|secret|token|password)"
+```
+
+### 5. Docker Security
+
+- Never include `.env` files in Docker images
+- Use build arguments for compile-time configuration
+- Use runtime environment variables for secrets
+- Run containers as non-root users
+
+### 6. Dependencies
+
+- Regularly update dependencies: `npm audit`
+- Review dependency changes carefully
+- Use lock files (`package-lock.json`)
+- Monitor for security advisories
+
+## Security Checklist
+
+Before each release or deployment:
+
+- [ ] No hardcoded credentials in source code
+- [ ] All sensitive configuration uses environment variables
+- [ ] `.env` files are not tracked in git
+- [ ] Dependencies are up to date
+- [ ] No sensitive data in logs
+- [ ] API endpoints use proper authentication
+- [ ] Docker images don't contain secrets
+
+## Known Security Considerations
+
+1. **MCP Authentication**: When running in HTTP mode, always use strong `AUTH_TOKEN` values
+2. **n8n API Access**: The n8n API key provides full access to workflows - protect it carefully
+3. **Database Access**: The SQLite database contains node information but no credentials
+
+## Tools for Security
+
+- **SecureKeyGuard**: Automated scanning for exposed secrets
+- **npm audit**: Check for vulnerable dependencies
+- **git-secrets**: Prevent committing secrets to git
+- **dotenv-vault**: Secure environment variable management
+
+Remember: Security is everyone's responsibility. When in doubt, ask for a security review.
\ No newline at end of file
diff --git a/src/scripts/debug-n8n-auth.ts b/src/scripts/debug-n8n-auth.ts
index 546d631..8697508 100644
--- a/src/scripts/debug-n8n-auth.ts
+++ b/src/scripts/debug-n8n-auth.ts
@@ -7,8 +7,14 @@ import { config } from 'dotenv';
 config();
 async function debugN8nAuth() {
- const apiUrl = process.env.N8N_API_URL || 'https://n8n.energyhouse.com.pl';
- const apiKey = process.env.N8N_API_KEY || 'n8n_api_f94c0b3fb3bf1a3a690f37bb0c5c0de43c7b690c0a33c88b6baaa37ae896dc96';
+ const apiUrl = process.env.N8N_API_URL;
+ const apiKey = process.env.N8N_API_KEY;
+
+ if (!apiUrl || !apiKey) {
+ console.error('Error: N8N_API_URL and N8N_API_KEY environment variables are required');
+ console.error('Please set them in your .env file or environment');
+ process.exit(1);
+ }
 console.log('Testing n8n API Authentication...');
 console.log('API URL:', apiUrl);
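Review bot: Dropping the fallbacks on the two `-` lines does not retire the secret they carried: the `apiKey` literal has the shape of a real n8n API key and `apiUrl` named a specific production host, both remain reachable in the parent commit, and nothing in this change records that the key was regenerated on that instance, so it should be treated as compromised and rotated (a history rewrite is worth considering as well). The new guard is the right shape; I would record its intent on the `+ const apiUrl` line as `// deliberately no fallback: fail here rather than silently target someone else's instance`. Since `console.log('API URL:', apiUrl)` already echoes configuration, check that the part of the script below the hunk never prints `apiKey` unmasked — that part is not visible here. `debugN8nAuth` continues past the end of the hunk.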