fix: remove hardcoded credentials and add security documentation

- Remove hardcoded API key and URL from debug-n8n-auth.ts
- Require environment variables with proper validation
- Add comprehensive SECURITY.md with best practices
- Address security concerns raised in issue #18

The SecureKeyGuard alert was a false positive (mistaking "validate_workflow"
for "VAULT_TOKEN"), but the review uncovered actual hardcoded credentials
that have now been removed.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
Author: czlonkowski
Date: 2025-07-06 17:46:10 +02:00
Parent: ebd646737a
Commit: 35e4cf0da4
2 changed files with 103 additions and 2 deletions
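The commit message above describes a scanner alert that was a name-similarity false positive ("validate_workflow" taken for "VAULT_TOKEN") while a real API-key fallback went unreported. As an added example, not code from n8n-mcp or from SecureKeyGuard, here is a TypeScript scanner that decides by the shape of the assigned value rather than by the similarity of names. It assumes the key format `n8n_api_` followed by 64 hex digits, inferred from the line this commit removes, and runs over constructed sample lines (the hex key in them is made up, not the leaked one).

```typescript
// Added example (not part of n8n-mcp): scan text for hardcoded secrets by
// the shape of the VALUE, so that identifier look-alikes such as
// "validate_workflow" never trip the scanner while a real key does.
// Assumption: the n8n key shape (prefix "n8n_api_" + 64 hex digits) is
// inferred from the line this commit removed; the other rules are generic.

export interface Finding {
  line: number;  // 1-based index into the scanned lines
  rule: string;  // name of the rule that matched
  value: string; // the suspected secret; a real tool would redact this
}

interface Rule {
  name: string;
  re: RegExp; // global flag required; capture group 1 is the candidate value
}

const RULES: Rule[] = [
  // Product-specific shape: cheap to check and almost never a false positive.
  { name: "n8n-api-key", re: /\b(n8n_api_[0-9a-f]{64})\b/g },
  // Source code: <name containing key/secret/token/password> = "<quoted literal>"
  {
    name: "source-literal",
    re: /\w*(?:api[_-]?key|secret|token|password)\w*\s*[:=]\s*["'`]([^"'`\s]{16,})["'`]/gi,
  },
  // dotenv line: NAME=value, only for names that look secret-bearing
  {
    name: "dotenv-value",
    re: /^\s*[A-Z][A-Z0-9_]*(?:KEY|SECRET|TOKEN|PASSWORD)[A-Z0-9_]*\s*=\s*["']?([^"'\s#]{16,})/g,
  },
];

// Values that .env.example files and docs legitimately contain.
const PLACEHOLDER = /^(your[_-]|<[^>]+>$|change[_-]?me|example|xxx+)/i;
// Name-shaped values: letters, underscores, dots, hyphens and no digit at all.
// "validate_workflow" and "VAULT_TOKEN" both look like this; real keys do not.
// (A letters-only password would be missed; that trade-off is deliberate here.)
const IDENTIFIER_SHAPED = /^[A-Za-z_.-]+$/;

function looksLikeSecret(value: string): boolean {
  return !PLACEHOLDER.test(value) && !IDENTIFIER_SHAPED.test(value);
}

export function scanLines(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  lines.forEach((text, idx) => {
    for (const rule of RULES) {
      rule.re.lastIndex = 0; // global regexes keep state between exec() calls
      let m: RegExpExecArray | null;
      while ((m = rule.re.exec(text)) !== null) {
        const value = m[1];
        if (looksLikeSecret(value)) {
          findings.push({ line: idx + 1, rule: rule.name, value });
        }
      }
    }
  });
  return findings;
}

// Constructed sample input (the hex key is made up, not the leaked one).
const FAKE_HEX = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";
export const SAMPLE_LINES: string[] = [
  `const apiKey = process.env.N8N_API_KEY || 'n8n_api_${FAKE_HEX}';`, // 1: real-looking fallback
  "case 'validate_workflow': return this.validateWorkflow(args);",      // 2: the false-positive trigger
  'const DEFAULT_TOKEN_NAME = "validate_workflow_token";',            // 3: name-shaped literal
  'const apiKey = "<your-n8n-api-key>";',                             // 4: documented placeholder
  "N8N_API_KEY=your_api_key_here",                                    // 5: .env.example placeholder
  'const authToken = "sk-test-4f8e2c1b9a7d6e5f";',                   // 6: hardcoded token
  "AUTH_TOKEN=7c2f9a1e4b8d3f6a0e5c9b2d1f4a7e3c",                      // 7: real-looking .env value
];

export function scanSample(): Finding[] {
  return scanLines(SAMPLE_LINES);
}

// Findings land on lines 1, 6 and 7 only; lines 2 to 5 are correctly ignored.
for (const f of scanSample()) {
  console.log(`line ${f.line}: ${f.rule}`);
}
```

Run it with `npx tsx` or `ts-node`. The product-specific rule is the part a generic scanner lacks: a prefix like `n8n_api_` costs one line to add and would have caught the fallback on its own, while the placeholder and identifier-shape filters are what keep `validate_workflow` and `.env.example` quiet.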

SECURITY.md (new file, 95 lines)

@@ -0,0 +1,95 @@
# Security Policy
## Reporting Security Vulnerabilities
If you discover a security vulnerability in n8n-mcp, please report it by creating a private security advisory on GitHub or emailing the maintainer directly. Please do not create public issues for security vulnerabilities.
## Security Best Practices
### 1. Environment Variables
**NEVER** commit real API keys, tokens, or credentials to the repository.
- Use `.env` files for local development (already in `.gitignore`)
- Use `.env.example` as a template with placeholder values
- Generate strong tokens using: `openssl rand -base64 32`
### 2. API Keys and Tokens
- **Rotate credentials immediately** if they are exposed
- Use environment variables exclusively - no hardcoded fallbacks
- Implement proper token expiration when possible
- Use least-privilege access for API keys
### 3. Code Security
#### ❌ DON'T DO THIS:
```typescript
// NEVER hardcode credentials
const apiKey = process.env.N8N_API_KEY || 'n8n_api_actual_key_here';
const apiUrl = process.env.N8N_API_URL || 'https://production-url.com';
```
#### ✅ DO THIS INSTEAD:
```typescript
// Always require environment variables
const apiKey = process.env.N8N_API_KEY;
const apiUrl = process.env.N8N_API_URL;
if (!apiKey || !apiUrl) {
console.error('Error: Required environment variables are missing');
process.exit(1);
}
```
### 4. Git Security
Before committing, always check:
```bash
# Check for tracked sensitive files
git ls-files | grep -E "\.(env|pem|key|cert)$"
# Check staged changes for secrets
git diff --staged | grep -iE "(api[_-]?key|secret|token|password)"
```
### 5. Docker Security
- Never include `.env` files in Docker images
- Use build arguments for compile-time configuration
- Use runtime environment variables for secrets
- Run containers as non-root users
### 6. Dependencies
- Regularly update dependencies: `npm audit`
- Review dependency changes carefully
- Use lock files (`package-lock.json`)
- Monitor for security advisories
## Security Checklist
Before each release or deployment:
- [ ] No hardcoded credentials in source code
- [ ] All sensitive configuration uses environment variables
- [ ] `.env` files are not tracked in git
- [ ] Dependencies are up to date
- [ ] No sensitive data in logs
- [ ] API endpoints use proper authentication
- [ ] Docker images don't contain secrets
## Known Security Considerations
1. **MCP Authentication**: When running in HTTP mode, always use strong `AUTH_TOKEN` values
2. **n8n API Access**: The n8n API key provides full access to workflows - protect it carefully
3. **Database Access**: The SQLite database contains node information but no credentials
## Tools for Security
- **SecureKeyGuard**: Automated scanning for exposed secrets
- **npm audit**: Check for vulnerable dependencies
- **git-secrets**: Prevent committing secrets to git
- **dotenv-vault**: Secure environment variable management
Remember: Security is everyone's responsibility. When in doubt, ask for a security review.
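Review bot: the tracked-file check in section 4, `git ls-files | grep -E "\.(env|pem|key|cert)$"`, only matches names that end in `.env`, so `.env.local`, `.env.production` and `.crt` files slip through; a pattern such as `grep -E '(^|/)\.env(\.|$)|\.(pem|key|crt|cert)$'` closes that gap. The staged-diff grep right after it will fire on every `process.env.N8N_API_KEY` reference and on `.env.example` placeholders, so it is noisy enough to be ignored; the git-secrets hook the page already lists under "Tools for Security" is the check worth mandating. Two smaller points: under "Dependencies", `npm audit` only reports vulnerable packages and updates nothing (`npm audit fix` or `npm update` does), so the bullet should not describe it as updating; and under "Docker Security", build arguments are recorded in image layer metadata and are visible via `docker history`, so the ARG bullet should say they are for non-secret configuration only, with the following bullet (runtime environment variables for secrets) as the only path for credentials.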


@@ -7,8 +7,14 @@ import { config } from 'dotenv';
config(); config();
async function debugN8nAuth() { async function debugN8nAuth() {
const apiUrl = process.env.N8N_API_URL || 'https://n8n.energyhouse.com.pl'; const apiUrl = process.env.N8N_API_URL;
const apiKey = process.env.N8N_API_KEY || 'n8n_api_f94c0b3fb3bf1a3a690f37bb0c5c0de43c7b690c0a33c88b6baaa37ae896dc96'; const apiKey = process.env.N8N_API_KEY;
if (!apiUrl || !apiKey) {
console.error('Error: N8N_API_URL and N8N_API_KEY environment variables are required');
console.error('Please set them in your .env file or environment');
process.exit(1);
}
console.log('Testing n8n API Authentication...'); console.log('Testing n8n API Authentication...');
console.log('API URL:', apiUrl); console.log('API URL:', apiUrl);
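Review bot: removing the fallback fixes HEAD but not history: the 64-hex-character `n8n_api_…` key and the production host URL on the old side of this hunk remain retrievable from the parent commit ebd646737a and from every existing clone, so the key must be rotated in n8n regardless of this change, and the commit message's own account (the scanner fired on `validate_workflow` but not on this literal) argues for adding the `n8n_api_` prefix to the scanner's patterns. The new guard itself is correct: it checks both variables before use, names them in the message and exits non-zero. One caution on the unchanged context that follows it: printing `apiUrl` is harmless, but the same `console.log` pattern must not be applied to `apiKey`.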