fix(security): remove jwt secret from repo

jqlovezkk · jqlovezkk · commit addbcc3c0211 · 2026-05-08T21:19:28.000+08:00
diff --git a/.github/workflows/deploy-server.yml b/.github/workflows/deploy-server.yml
@@ -86,6 +86,7 @@ jobs:
           DEPLOY_USER: ${{ secrets.DEPLOY_USER }}
           DEPLOY_PATH: ${{ secrets.DEPLOY_PATH }}
           DEPLOY_SERVICE_NAME: ${{ secrets.DEPLOY_SERVICE_NAME }}
+          DEPLOY_JWT_SECRET: ${{ secrets.DEPLOY_JWT_SECRET }}
         run: |
           ssh_opts=(
             -o BatchMode=yes
@@ -99,6 +100,7 @@ jobs:
             printf 'export DEPLOY_ARCHIVE=%q\n' "$REMOTE_ARCHIVE"
             printf 'export DEPLOY_PATH=%q\n' "$DEPLOY_PATH"
             printf 'export DEPLOY_SERVICE_NAME=%q\n' "$DEPLOY_SERVICE_NAME"
+            printf 'export DEPLOY_JWT_SECRET=%q\n' "$DEPLOY_JWT_SECRET"
             cat scripts/deploy/server-release.sh
           } | ssh "${ssh_opts[@]}" "${DEPLOY_USER}@${DEPLOY_HOST}" "bash -s"
 
diff --git a/clipSync-server/internal/config/config.go b/clipSync-server/internal/config/config.go
@@ -3,6 +3,7 @@ package config
 import (
 	"fmt"
 	"os"
+	"strings"
 
 	"gopkg.in/yaml.v3"
 )
@@ -55,6 +56,10 @@ func Load(path string) (Config, error) {
 		return cfg, fmt.Errorf("parse config file: %w", err)
 	}
 
+	if envSecret := strings.TrimSpace(os.Getenv("CLIPSYNC_JWT_SECRET")); envSecret != "" {
+		cfg.JWTSecret = envSecret
+	}
+
 	return cfg, nil
 }
 
diff --git a/docs/deployment/github-actions-server.md b/docs/deployment/github-actions-server.md
@@ -27,12 +27,14 @@ Configure these repository secrets before enabling the workflow:
 | `DEPLOY_PATH` | `/opt/clipSync-server-src` | Live server directory that receives `bin/`, `configs/`, and preserved `data/` |
 | `DEPLOY_SERVICE_NAME` | `clipsync.service` | systemd service restarted during deploy and rollback |
 | `DEPLOY_KNOWN_HOSTS` | output of `ssh-keyscan -H 8.141.100.238` | Host key entry used for strict SSH host verification |
+| `DEPLOY_JWT_SECRET` | a long random secret | Injected into the deployed server config during deployment; do not store the live JWT secret in git |
 
 Notes:
 
 - `DEPLOY_SSH_KEY` must match the public key installed for `DEPLOY_USER` on the server.
 - `DEPLOY_KNOWN_HOSTS` is required because the workflow uses `StrictHostKeyChecking=yes`.
 - Keep `DEPLOY_PATH` and `DEPLOY_SERVICE_NAME` aligned with the actual server layout and systemd unit.
+- `DEPLOY_JWT_SECRET` should be treated as the real production JWT signing key. The repository config now keeps only the placeholder value.
 - Optional: `DEPLOY_PUBLIC_HEALTH_URL` can override the final GitHub Actions health-check URL when the public endpoint differs from `http://<DEPLOY_HOST>:8081/api/v1/health`.
 
 ## Server Requirements
@@ -60,7 +62,7 @@ The server process defaults to the relative path `configs/config.yaml`. That mea
 
 ## First-Time Setup
 
-1. Confirm the repository version of `clipSync-server/configs/config.yaml` is safe for the deployment environment.
+1. Confirm the repository version of `clipSync-server/configs/config.yaml` keeps the placeholder JWT secret and any other non-secret defaults you want deployed.
 2. Create the required GitHub repository secrets listed above.
 3. Install the deploy public key for `DEPLOY_USER` on the server.
 4. Capture the server host key for `DEPLOY_KNOWN_HOSTS`.
@@ -99,7 +101,7 @@ curl --fail http://127.0.0.1:8081/api/v1/health
 The remote deployment script is intentionally narrow and opinionated:
 
 - `data/` is preserved. The script creates `DEPLOY_PATH/data` if needed and never deletes or replaces it.
-- `configs/config.yaml` is overwritten from the repository on every deploy.
+- `configs/config.yaml` is overwritten from the repository on every deploy, then the script replaces the placeholder JWT secret with `DEPLOY_JWT_SECRET` on the server.
 - The live binary path is `DEPLOY_PATH/bin/clipsync-server-linux`.
 - The binary backup path is `DEPLOY_PATH/bin/clipsync-server-linux.prev`.
 - The config backup path is `DEPLOY_PATH/configs/config.yaml.prev`.
@@ -168,6 +170,7 @@ What to verify:
 
 - The service name in `DEPLOY_SERVICE_NAME` is correct.
 - The deployed config in `/opt/clipSync-server-src/configs/config.yaml` contains production-safe values.
+- `DEPLOY_JWT_SECRET` exists in GitHub Secrets and the deployed config no longer contains the placeholder value.
 - The service is actually starting the binary at `/opt/clipSync-server-src/bin/clipsync-server-linux`.
 - Port `8081` is listening and reachable from outside the host if the final GitHub Actions health check is using the default URL.
 - If `DEPLOY_PUBLIC_HEALTH_URL` is configured, verify that public endpoint and any proxy/load-balancer routing in front of it.
@@ -178,7 +181,7 @@ What to verify:
 Before treating this flow as ready:
 
 - Confirm the secrets in GitHub match the real server.
-- Confirm `clipSync-server/configs/config.yaml` is intended to overwrite production on every push to `main`.
+- Confirm `clipSync-server/configs/config.yaml` is intended to overwrite production on every push to `main`, aside from the JWT secret placeholder that gets replaced at deploy time.
 - Confirm `DEPLOY_PUBLIC_HEALTH_URL` is set if the API port is not publicly reachable from GitHub-hosted runners.
 - Confirm the systemd service still uses the same binary path and health endpoint.
 - Confirm operators understand that `data/` is preserved but config is not, and that rollback does not restore SQLite database state.
diff --git a/scripts/deploy/server-release.sh b/scripts/deploy/server-release.sh
@@ -138,6 +138,7 @@ resolve_release_root() {
 require_env DEPLOY_ARCHIVE
 require_env DEPLOY_PATH
 require_env DEPLOY_SERVICE_NAME
+require_env DEPLOY_JWT_SECRET
 
 DEPLOY_HEALTH_URL="${DEPLOY_HEALTH_URL:-http://127.0.0.1:8081/api/v1/health}"
 
@@ -190,6 +191,21 @@ trap 'rollback_on_error "$?"' ERR
 install -m 0755 "$NEW_BINARY" "$TEMP_BINARY"
 mv -f "$TEMP_BINARY" "$LIVE_BINARY"
 install -m 0644 "$NEW_CONFIG" "$LIVE_CONFIG"
+python3 - "$LIVE_CONFIG" "$DEPLOY_JWT_SECRET" <<'PY'
+import pathlib
+import sys
+
+config_path = pathlib.Path(sys.argv[1])
+jwt_secret = sys.argv[2]
+
+content = config_path.read_text(encoding="utf-8")
+needle = 'jwt_secret: "clipsync-secret-change-in-production"'
+
+if needle not in content:
+    raise SystemExit("Unable to locate jwt_secret placeholder in deployed config")
+
+config_path.write_text(content.replace(needle, f'jwt_secret: "{jwt_secret}"', 1), encoding="utf-8")
+PY
 
 if ! systemctl restart "$DEPLOY_SERVICE_NAME"; then
   echo "Service restart failed: $DEPLOY_SERVICE_NAME" >&2

Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,7 @@ package config`
`3`	`3`	`import (`
`4`	`4`	`"fmt"`
`5`	`5`	`"os"`
	`6`	`+ "strings"`
`6`	`7`
`7`	`8`	`"gopkg.in/yaml.v3"`
`8`	`9`	`)`
`@@ -55,6 +56,10 @@ func Load(path string) (Config, error) {`
`55`	`56`	`return cfg, fmt.Errorf("parse config file: %w", err)`
`56`	`57`	`}`
`57`	`58`
	`59`	`+ if envSecret := strings.TrimSpace(os.Getenv("CLIPSYNC_JWT_SECRET")); envSecret != "" {`
	`60`	`+ cfg.JWTSecret = envSecret`
	`61`	`+ }`
	`62`	`+`
`58`	`63`	`return cfg, nil`
`59`	`64`	`}`
`60`	`65`