# Security: Hardcoded Credentials Cleanup

## Summary

All hardcoded credentials have been removed from the codebase and replaced with environment variables.

## Changes Made

### 1. Updated Files (Removed Hardcoded Credentials)

#### Backend Scripts

- `backend/check-legacy-deployments.js` - Database and Legacy API credentials
- `backend/fix-legacy-deployments.js` - Legacy API token
- `backend/scripts/create-test-user.js` - Database credentials
- `backend/scripts/inspect-db.js` - Database credentials

#### Root Scripts

- `scripts/fetch-otp.js` - Database credentials
- `scripts/legacy-api/create_deployment.sh` - Legacy API token
- `mqtt-test.js` - MQTT credentials

### 2. Updated Configuration

#### backend/.env.example

Added the following environment variables:

```bash
# Database (PostgreSQL)
DB_HOST=your-db-host
DB_PORT=5432
DB_NAME=your-db-name
DB_USER=your-db-user
DB_PASSWORD=your-db-password

# Legacy API (eluxnetworks.net)
LEGACY_API_USERNAME=your-username
LEGACY_API_TOKEN=your-jwt-token

# MQTT Configuration
MQTT_BROKER=mqtt://mqtt.eluxnetworks.net:1883
MQTT_USER=your-mqtt-username
MQTT_PASSWORD=your-mqtt-password
```

### 3. New Documentation Files

- `scripts/README.md` - Documentation for root scripts
- `backend/scripts/README.md` - Documentation for backend scripts
- `MQTT_TESTING.md` - MQTT testing guide
- `SECURITY_CREDENTIALS_CLEANUP.md` - This file

## Required Action

### Before Running Scripts

Ensure that `backend/.env` contains all required credentials:

```bash
# Database
DB_HOST=eluxnetworks.net
DB_PORT=5432
DB_NAME=wellnuo_app
DB_USER=your-username
DB_PASSWORD=your-password

# Legacy API
LEGACY_API_USERNAME=robster
LEGACY_API_TOKEN=your-actual-jwt-token

# MQTT
MQTT_BROKER=mqtt://mqtt.eluxnetworks.net:1883
MQTT_USER=your-mqtt-username
MQTT_PASSWORD=your-mqtt-password
```

## Security Best Practices

1. ✅ Never commit `.env` files (already in `.gitignore`)
2. ✅ Use environment variables for all credentials
3. ✅ Keep `.env.example` updated but without real values
4. ✅ Document required environment variables in README files
5. ✅ Review code regularly for accidentally committed secrets

## Remaining Credentials in Repository

The following files contain credentials but are acceptable:

### Documentation (Examples Only)

- `docs/API_INTEGRATION_REQUEST.md` - Example JWT format
- `docs/MQTT_NOTIFICATIONS_ARCHITECTURE.md` - Example usage
- `MQTT-DESCRIPTION.md` - Historical documentation with example commands

### Configuration (Git-Ignored)

- `backend/.env` - **Git-ignored** - Contains actual credentials

### Test Data (Git-Ignored)

- `wellnuoSheme/*.json` - Schema files (should be git-ignored)

### External Collections

- `api/Wellnuo_API.postman_collection.json` - Postman collection (expired test tokens)

## Verification

To verify no credentials are hardcoded in active code:

```bash
# Check for database passwords
grep -r "W31153Rg31" --exclude-dir=node_modules --exclude-dir=.git \
  --exclude-dir=temp_serve --exclude-dir=wellnuoSheme

# Check for MQTT passwords
grep -r "anandk_8" --exclude-dir=node_modules --exclude-dir=.git \
  --exclude-dir=temp_serve --exclude-dir=wellnuoSheme

# Check for JWT tokens (should only be in .env and docs)
grep -r "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9" \
  --exclude-dir=node_modules --exclude-dir=.git \
  --exclude-dir=temp_serve --exclude-dir=wellnuoSheme \
  --exclude-dir=api
```

## Status

✅ **All hardcoded credentials removed from active code**
✅ **Environment variables configured**
✅ **Documentation updated**
✅ **Scripts updated to use .env**

## Next Steps

1. Review `backend/.env` and ensure all credentials are up to date
2. Update any expired JWT tokens
3. Consider rotating credentials that were previously hardcoded
4. Add `wellnuoSheme/` to `.gitignore` if it contains sensitive data
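The following is an added example, not code from this repository, covering two points above: the "Required Action" section (scripts must read every credential from `backend/.env`) and the "Verification" section (the grep commands only find the specific values that were removed). It shows a fail-fast loader that validates the variables listed in `.env.example` and redacts secrets before logging, plus a shape-based scanner that flags JWT-looking strings, quoted credential assignments and URLs with embedded credentials regardless of the actual value. The variable names come from `.env.example`; the host names, sample lines and secret values in it are constructed for the example. It runs on Node 18+ with no dependencies.

```javascript
// Added example (not the project's own code): a fail-fast loader for the
// environment variables introduced by this cleanup, plus a scanner for
// the general shape of credentials that should no longer be in source.

// Names as listed in backend/.env.example.
const REQUIRED_VARS = [
  'DB_HOST', 'DB_PORT', 'DB_NAME', 'DB_USER', 'DB_PASSWORD',
  'LEGACY_API_USERNAME', 'LEGACY_API_TOKEN',
  'MQTT_BROKER', 'MQTT_USER', 'MQTT_PASSWORD',
];

// Build a config object from an env map (process.env in real use; passed in
// so it can be tested). Reports every missing name at once so a half-filled
// .env is caught before any connection is attempted.
function loadConfig(env = process.env) {
  const missing = REQUIRED_VARS.filter((n) => !env[n] || env[n].trim() === '');
  if (missing.length > 0) {
    throw new Error(`Missing required environment variables: ${missing.join(', ')}`);
  }
  const port = Number(env.DB_PORT);
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error(`DB_PORT must be a TCP port number, got "${env.DB_PORT}"`);
  }
  let broker;
  try {
    broker = new URL(env.MQTT_BROKER);
  } catch {
    throw new Error('MQTT_BROKER must be a URL such as mqtt://host:1883');
  }
  if (!['mqtt:', 'mqtts:'].includes(broker.protocol)) {
    throw new Error(`MQTT_BROKER scheme must be mqtt or mqtts, got ${broker.protocol}`);
  }
  return {
    db: { host: env.DB_HOST, port, database: env.DB_NAME, user: env.DB_USER, password: env.DB_PASSWORD },
    legacyApi: { username: env.LEGACY_API_USERNAME, token: env.LEGACY_API_TOKEN },
    mqtt: { url: env.MQTT_BROKER, user: env.MQTT_USER, password: env.MQTT_PASSWORD },
  };
}

// Copy of the config with secret fields masked, safe to log or dump.
function redactConfig(config) {
  return {
    db: { ...config.db, password: '[redacted]' },
    legacyApi: { ...config.legacyApi, token: '[redacted]' },
    mqtt: { ...config.mqtt, password: '[redacted]' },
  };
}

// Shape-based rules: the grep commands in this document look for known
// values; these look for the form of a secret so new leaks are caught too.
const LEAK_RULES = [
  // header.payload.signature in base64url (the "eyJ" prefix is {"alg": ...)
  { name: 'jwt', re: /\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b/g },
  // password: "...", TOKEN = '...', apiKey: "..." with a quoted literal value
  { name: 'credential-assignment', re: /(password|passwd|pwd|secret|token|api[_-]?key)\s*[:=]\s*['"]([^'"]{6,})['"]/gi },
  // scheme://user:pass@host
  { name: 'url-embedded-credentials', re: /\b[a-z][a-z0-9+.-]*:\/\/[^\s/:'"]+:[^\s/@'"]+@/gi },
];

// Quoted values that are clearly placeholders, as used in .env.example.
const PLACEHOLDER = /^(your-|<|\$\{|process\.env)/i;

// One finding per match: rule name and 1-based line number only, so the
// scanner's own output never repeats the secret it found.
function findSecretLeaks(text) {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    for (const rule of LEAK_RULES) {
      rule.re.lastIndex = 0;
      let m;
      while ((m = rule.re.exec(line)) !== null) {
        if (rule.name === 'credential-assignment' && PLACEHOLDER.test(m[2])) continue;
        findings.push({ rule: rule.name, line: idx + 1 });
      }
    }
  });
  return findings;
}

// Constructed sample lines (not from the repository) for a demonstration run.
const SAMPLE_SOURCE = [
  'const db = { host: process.env.DB_HOST, password: process.env.DB_PASSWORD };',
  "const legacyToken = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ0ZXN0In0.c29tZS1jb25zdHJ1Y3RlZC1zaWc';",
  'DB_PASSWORD="your-db-password"',
  "const client = mqtt.connect('mqtt://user:constructed-pass@mqtt.example.test:1883');",
  'password: "constructed-secret-123"',
].join('\n');

console.log(findSecretLeaks(SAMPLE_SOURCE));
```

The loader fails closed: a missing `DB_PASSWORD` throws before any client is built, which is the behaviour you want from scripts that used to carry a working literal. The scanner reports only rule names and line numbers; run it over `git diff --cached` output in a pre-commit hook and it complements the value-specific grep commands above.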