FleetOS Security & Credentials Management

🔴 CRITICAL SECURITY ISSUES FOUND

Issue 1: Service Role Key Exposed to Frontend

Current (INSECURE):

VITE_SUPABASE_SERVICE_ROLE_KEY=eyJhbGciOiJIUzI1NiIs...

Problem:

• The VITE_ prefix means this key is bundled into the frontend JavaScript

• Anyone can open browser DevTools and see the service role key

• Service role key bypasses ALL Row Level Security policies

• Attackers can read/modify/delete ANY data in your database

Impact: 🔴 CRITICAL - Complete database compromise possible

Fix:

1. Remove VITE_ prefix (rename to SUPABASE_SERVICE_ROLE_KEY)

2. Only use in server-side scripts (not in browser code)

3. Rotate the key immediately via Supabase dashboard

4. Use VITE_SUPABASE_ANON_KEY in frontend (this is safe - it respects RLS)

---

Issue 2: Production Credentials in .env File

Current (INSECURE):

# .env file contains real production credentials
VITE_SUPABASE_URL=https://bsbjwjpgiangjqqqxota.supabase.co
VITE_SUPABASE_ANON_KEY=eyJhbGciOiJIUzI1NiIs...  # REAL KEY

Problem:

• .env file is tracked in git (even if in .gitignore now)

• Credentials may be in git history

• Anyone with repo access sees production keys

Impact: 🟡 HIGH - Unauthorized access possible

Fix:

1. Create .env.production with real credentials (gitignored)

2. Use .env.production.example as template (no real credentials)

3. Rotate all exposed keys

4. Check git history for leaked credentials

---

✅ Secure Environment Variable Setup

Frontend vs Backend Variables

Frontend (Safe to expose):

• ✅ VITE_SUPABASE_URL - Public URL, safe to expose

• ✅ VITE_SUPABASE_ANON_KEY - Public key, respects RLS, safe to expose

• ✅ VITE_APP_URL - Your domain, safe to expose

• ✅ VITE_SENTRY_DSN - Sentry project ID, safe to expose

Backend ONLY (NEVER expose to frontend):

• ❌ SUPABASE_SERVICE_ROLE_KEY - Bypasses RLS, server-side only

• ❌ SUPABASE_DB_PASSWORD - Direct database access, server-side only

• ❌ TWILIO_AUTH_TOKEN - Can send SMS/WhatsApp, server-side only

• ❌ SENDGRID_API_KEY - Can send emails, server-side only

• ❌ JWT_SECRET - Can forge tokens, server-side only

Rule: If it starts with VITE_, it's bundled into frontend JavaScript and visible to users.

---

🔐 How to Rotate Supabase Service Role Key

Step 1: Generate New Key

1. Go to https://supabase.com/dashboard

2. Select your project

3. Go to Settings → API

4. Under "Project API keys" section

5. Click "Reset service_role secret"

6. WARNING: This will immediately invalidate the old key

7. Copy the new service_role key

Step 2: Update Environment Variables

# Update .env.production (server-side only)
SUPABASE_SERVICE_ROLE_KEY=your-new-service-role-key-here

# DO NOT add VITE_ prefix!

Step 3: Update Server-Side Scripts

Update all scripts that use the service role key:

• scripts/* - Test and setup scripts

• Backend API endpoints (if you have a backend)

• CI/CD pipelines

Step 4: Verify

# Test that scripts still work with new key
node scripts/verify-migration.js

---

📋 Environment Variable Checklist

Before deploying to production:

• .env.production created (with real credentials)

• .env.production is in .gitignore

• .env.production.example created (no real credentials)

• Service role key does NOT have VITE_ prefix

• All sensitive keys are server-side only

• Supabase service role key has been rotated

• Old keys removed from git history

• Environment validation added to App.tsx

• Test build with npm run build (verify no secrets in bundle)

---

🛠️ Environment Variable Validation

Add to App.tsx

// At the top of App.tsx, before any component code
function validateEnvironment() {
  const required = {
    'VITE_SUPABASE_URL': import.meta.env.VITE_SUPABASE_URL,
    'VITE_SUPABASE_ANON_KEY': import.meta.env.VITE_SUPABASE_ANON_KEY,
    'VITE_APP_URL': import.meta.env.VITE_APP_URL,
  };

  const missing = Object.entries(required)
    .filter(([key, value]) => !value)
    .map(([key]) => key);

  if (missing.length > 0) {
    console.error('❌ Missing required environment variables:', missing);
    console.error('📝 Create .env.production from .env.production.example');
    throw new Error(`Missing environment variables: ${missing.join(', ')}`);
  }

  // Warn if service role key is exposed (security issue)
  if (import.meta.env.VITE_SUPABASE_SERVICE_ROLE_KEY) {
    console.error('🔴 SECURITY WARNING: Service role key exposed to frontend!');
    console.error('Remove VITE_ prefix from SUPABASE_SERVICE_ROLE_KEY');
  }

  console.log('✅ Environment variables validated');
}

// Call on app initialization
validateEnvironment();

---

🔍 Check for Leaked Credentials in Git History

# Search git history for potential credential leaks
git log -p -S "VITE_SUPABASE_SERVICE_ROLE_KEY" --all

# Search for Supabase URLs
git log -p -S "supabase.co" --all

# Search for API keys
git log -p -S "eyJhbGciOiJIUzI1NiIs" --all

If you find leaked credentials in git history:

1. Rotate ALL exposed keys immediately

2. Consider using BFG Repo-Cleaner to remove from history:

   # WARNING: Rewrites git history
   bfg --delete-files .env
   git reflog expire --expire=now --all
   git gc --prune=now --aggressive

3. Force push to GitHub (if using private repo)

4. Notify team members to re-clone repo

---

🚀 Deployment Environment Variables

Vercel

1. Go to Project Settings → Environment Variables

2. Add each variable from .env.production

3. Set scope: Production, Preview, Development

4. DO NOT add service role key (not needed in frontend deploy)

Netlify

1. Go to Site Settings → Build & Deploy → Environment

2. Add variables from .env.production

3. Keep sensitive keys out of frontend deploy

Custom Server (VPS, AWS, etc.)

# On server
cd /var/www/fleetos
cp .env.production.example .env.production
nano .env.production  # Fill in credentials

# Verify file permissions
chmod 600 .env.production  # Read/write for owner only
chown www-data:www-data .env.production

---

⚡ Quick Fix Script

#!/bin/bash
# quick-security-fix.sh

echo "🔐 FleetOS Security Fix"
echo "======================="

# 1. Create production env file
if [ ! -f .env.production ]; then
  echo "📝 Creating .env.production from .env..."
  cp .env .env.production

  # Remove VITE_ prefix from sensitive keys
  sed -i 's/VITE_SUPABASE_SERVICE_ROLE_KEY/SUPABASE_SERVICE_ROLE_KEY/' .env.production
  sed -i 's/VITE_TWILIO_AUTH_TOKEN/TWILIO_AUTH_TOKEN/' .env.production
  sed -i 's/VITE_SUPABASE_DB_PASSWORD/SUPABASE_DB_PASSWORD/' .env.production

  echo "✅ Created .env.production"
fi

# 2. Verify .gitignore
if ! grep -q "\.env\.production" .gitignore; then
  echo ".env.production" >> .gitignore
  echo "✅ Added .env.production to .gitignore"
fi

# 3. Check for exposed secrets in bundle
npm run build > /dev/null 2>&1
if grep -r "service_role" dist/ > /dev/null 2>&1; then
  echo "🔴 WARNING: service_role found in build output!"
  echo "   Check for VITE_ prefixed sensitive variables"
else
  echo "✅ No service role key found in build"
fi

echo ""
echo "⚠️  MANUAL STEPS REQUIRED:"
echo "1. Rotate Supabase service role key at:"
echo "   https://supabase.com/dashboard"
echo "2. Update .env.production with new key"
echo "3. Remove old .env file: rm .env"
echo "4. Test scripts: node scripts/verify-migration.js"

---

📞 Support

If you've accidentally exposed credentials:

1. Immediately rotate all keys (Supabase, Twilio, SendGrid)

2. Check database audit logs for unauthorized access

3. Review recent service requests for suspicious activity

4. Consider reaching out to Supabase support if breach suspected

---

Security Status: 🔴 CRITICAL → ✅ SECURE (after fixes applied)

Time to Fix: ~30 minutes

Priority: IMMEDIATE - Do not deploy to production until fixed