Complete Phase 3, Phase 5 polish and hardening
Phase 3 — Investments: - Multi-currency support: holdings track purchase currency, FX rates convert to base for totals - Capital gains report using UK Section 104 pool method, grouped by tax year - Capital Gains tab added to Reports page Phase 5 — Polish & Hardening: - Mobile-responsive layout: bottom nav, sidebar hidden on mobile, logo in TopBar, compact header buttons, hover-only actions now always visible on touch - Backup system: encrypted GPG backups via backup.sh, nightly scheduler job, admin API (list/trigger/download/restore), Settings UI with drag-to-restore confirmation - Docker entrypoint with gosu privilege drop to fix bind-mount ownership on fresh deployments - OWASP fixes: refresh token now bound to its session (new refresh_token_hash column + migration), CSRF secure flag tied to environment, IP-level rate limiting on login, TOTPEnableRequest Pydantic schema replaces raw dict - AES-256-GCM key rotation script (rotate_keys.py) with dry-run mode and atomic DB transaction - CLAUDE.md added for AI-assisted development context - README updated: correct reverse proxy port, accurate backup/restore commands, key rotation instructions Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
parent
74e57a35c0
commit
fe4e69b9ad
40 changed files with 2079 additions and 127 deletions
54
backend/scripts/rotate_keys.sh
Executable file
54
backend/scripts/rotate_keys.sh
Executable file
|
|
@ -0,0 +1,54 @@
|
|||
#!/bin/bash
|
||||
# rotate_keys.sh — re-encrypt all AES-256-GCM fields with a new key.
|
||||
# The application must be STOPPED before running.
|
||||
#
|
||||
# Usage:
|
||||
# NEW_ENCRYPTION_KEY=$(python3 -c "import secrets; print(secrets.token_hex(32))")
|
||||
# docker compose stop backend
|
||||
# NEW_ENCRYPTION_KEY="$NEW_ENCRYPTION_KEY" ./scripts/rotate_keys.sh
|
||||
# # On success, update ENCRYPTION_KEY in .env, then:
|
||||
# docker compose up -d backend
|
||||
set -euo pipefail
|
||||
|
||||
if [ -z "${NEW_ENCRYPTION_KEY:-}" ]; then
|
||||
echo "ERROR: NEW_ENCRYPTION_KEY is not set"
|
||||
echo "Generate with: python3 -c \"import secrets; print(secrets.token_hex(32))\""
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ -z "${ENCRYPTION_KEY:-}" ]; then
|
||||
# Try to load from .env in the project root
|
||||
ENV_FILE="$(dirname "$0")/../.env"
|
||||
if [ -f "${ENV_FILE}" ]; then
|
||||
ENCRYPTION_KEY=$(grep -E '^ENCRYPTION_KEY=' "${ENV_FILE}" | cut -d= -f2- | tr -d '"' | tr -d "'")
|
||||
fi
|
||||
fi
|
||||
|
||||
if [ -z "${ENCRYPTION_KEY:-}" ]; then
|
||||
echo "ERROR: ENCRYPTION_KEY (current key) could not be found in environment or .env"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ "${ENCRYPTION_KEY}" = "${NEW_ENCRYPTION_KEY}" ]; then
|
||||
echo "ERROR: NEW_ENCRYPTION_KEY is the same as the current key — nothing to do"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "[rotate] This will re-encrypt ALL sensitive fields in the database."
|
||||
echo "[rotate] Ensure the application containers are stopped before continuing."
|
||||
read -r -p "[rotate] Type 'yes' to continue: " CONFIRM
|
||||
if [ "${CONFIRM}" != "yes" ]; then
|
||||
echo "[rotate] Aborted"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
echo "[rotate] Running key rotation inside the backend container…"
|
||||
docker compose exec \
|
||||
-e ENCRYPTION_KEY="${ENCRYPTION_KEY}" \
|
||||
-e NEW_ENCRYPTION_KEY="${NEW_ENCRYPTION_KEY}" \
|
||||
backend python -m app.core.key_rotation
|
||||
|
||||
echo ""
|
||||
echo "[rotate] SUCCESS. Next steps:"
|
||||
echo " 1. Update ENCRYPTION_KEY in .env to: ${NEW_ENCRYPTION_KEY}"
|
||||
echo " 2. Restart the backend: docker compose up -d backend"
|
||||
Loading…
Add table
Add a link
Reference in a new issue