From f6c8e6903d5781755aeecb9563204ce0b6432555 Mon Sep 17 00:00:00 2001 From: Devin AI <158243242+devin-ai-integration[bot]@users.noreply.github.com> Date: Tue, 30 Sep 2025 20:56:05 +0000 Subject: [PATCH] fix: remove hardcoded secrets and enable CSRF protection - Replace hardcoded OAuth2 client secrets with environment variables in API-Gateway and User-Service - Enable CSRF protection by removing .csrf().disable() in API-Gateway SecurityConfig - Update database credentials to use environment variables in Account-Service, Sequence-Generator, Fund-Transfer, and Transaction-Service - Document all required environment variables in README Co-Authored-By: Sam Fertig --- .../api/gateway/config/SecurityConfig.java | 3 +-- .../src/main/resources/application.yml | 2 +- .../src/main/resources/application.yml | 6 +++--- .../src/main/resources/application.yml | 8 ++++---- README.md | 19 ++++++++++++++++++- .../src/main/resources/application.yml | 6 +++--- .../src/main/resources/application.yml | 8 ++++---- .../src/main/resources/application.yml | 2 +- 8 files changed, 35 insertions(+), 19 deletions(-) diff --git a/API-Gateway/src/main/java/org/training/api/gateway/config/SecurityConfig.java b/API-Gateway/src/main/java/org/training/api/gateway/config/SecurityConfig.java index a028a68..1c41317 100644 --- a/API-Gateway/src/main/java/org/training/api/gateway/config/SecurityConfig.java +++ b/API-Gateway/src/main/java/org/training/api/gateway/config/SecurityConfig.java @@ -19,11 +19,10 @@ public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) { //ALL OTHER APIS ARE AUTHENTICATED .anyExchange().authenticated() .and() - .csrf().disable() .oauth2Login() .and() .oauth2ResourceServer() .jwt(); return http.build(); } -} \ No newline at end of file +} diff --git a/API-Gateway/src/main/resources/application.yml b/API-Gateway/src/main/resources/application.yml index 5a6ed7a..cea9277 100644 --- a/API-Gateway/src/main/resources/application.yml +++ b/API-Gateway/src/main/resources/application.yml @@ -59,7 +59,7 @@ spring: banking-service-client: provider: keycloak client-id: banking-service-client - client-secret: Au6eAD2JgB5MH0G2tNrPLfKqObswfSPb + client-secret: ${KEYCLOAK_CLIENT_SECRET} authorization-grant-type: authorization_code redirect-uri: http://localhost:8571/login/oauth2/code/keycloak scope: openid diff --git a/Account-Service/src/main/resources/application.yml b/Account-Service/src/main/resources/application.yml index 094aca9..eb4215a 100644 --- a/Account-Service/src/main/resources/application.yml +++ b/Account-Service/src/main/resources/application.yml @@ -7,9 +7,9 @@ spring: not_found: 404 datasource: - url: jdbc:mysql://localhost:3306/account_service - username: root - password: root + url: jdbc:mysql://${MYSQL_HOST:localhost}:${MYSQL_PORT:3306}/${MYSQL_DB_NAME:account_service} + username: ${MYSQL_USER:root} + password: ${MYSQL_PASSWORD:root} jpa: hibernate: diff --git a/Fund-Transfer/src/main/resources/application.yml b/Fund-Transfer/src/main/resources/application.yml index 4e0abdd..cd0cdc3 100644 --- a/Fund-Transfer/src/main/resources/application.yml +++ b/Fund-Transfer/src/main/resources/application.yml @@ -8,9 +8,9 @@ spring: ok: 200 datasource: - url: jdbc:mysql://localhost:3306/fund_transfer_service - username: root - password: root + url: jdbc:mysql://${MYSQL_HOST:localhost}:${MYSQL_PORT:3306}/${MYSQL_DB_NAME:fund_transfer_service} + username: ${MYSQL_USER:root} + password: ${MYSQL_PASSWORD:root} jpa: hibernate: @@ -20,4 +20,4 @@ spring: properties: hibernate: - format_sql: true \ No newline at end of file + format_sql: true diff --git a/README.md b/README.md index 178c8bc..8b89bca 100644 --- a/README.md +++ b/README.md @@ -46,6 +46,23 @@ To get started, follow these steps to run the application on your local applicat - Set up Keycloak for authentication and authorization. Refer to the detailed configuration guide provided [here](https://devscribbles.hashnode.dev/mastering-microservices-authentication-and-authorization-with-keycloak) for step-by-step instructions on configuring Keycloak for your microservices. - Some microservices and APIs may depend on others being up and running. Ensure that all necessary microservices and APIs are up and functioning correctly to avoid any issues in the application workflow. +

⚙️ Environment Variables

+ +The application requires the following environment variables to be configured: + +### Database Configuration +All microservices require MySQL database credentials: +- `MYSQL_HOST` - MySQL server host (default: localhost) +- `MYSQL_PORT` - MySQL server port (default: 3306) +- `MYSQL_DB_NAME` - Database name (varies per service: user_service, account_service, sequence_generator, fund_transfer_service, transaction_service) +- `MYSQL_USER` - Database username (default: root) +- `MYSQL_PASSWORD` - Database password (default: root) + +### OAuth2/Keycloak Configuration +- `KEYCLOAK_CLIENT_SECRET` - OAuth2 client secret for Keycloak authentication (required for API-Gateway and User-Service) + +**Note:** Default values are provided for development purposes only. In production, always set these environment variables explicitly and never use default credentials. +

📖 Documentation

📂 Microservices Documentation

@@ -87,4 +104,4 @@ If you have any questions, feedback, or need assistance with this project, pleas [![WhatsApp](https://img.shields.io/badge/WhatsApp-25D366?style=for-the-badge&logo=whatsapp&logoColor=white)](https://wa.me/6361921186) [![GMAIL](https://img.shields.io/badge/Gmail-D14836?style=for-the-badge&logo=gmail&logoColor=white)](mailto:kartikkulkarni1411@gmail.com) -We appreciate your interest in our project and look forward to hearing from you. Happy coding! \ No newline at end of file +We appreciate your interest in our project and look forward to hearing from you. Happy coding! diff --git a/Sequence-Generator/src/main/resources/application.yml b/Sequence-Generator/src/main/resources/application.yml index 5778569..0c078ca 100644 --- a/Sequence-Generator/src/main/resources/application.yml +++ b/Sequence-Generator/src/main/resources/application.yml @@ -3,9 +3,9 @@ spring: name: sequence-generator datasource: - url: jdbc:mysql://localhost:3306/sequence_generator - username: root - password: root + url: jdbc:mysql://${MYSQL_HOST:localhost}:${MYSQL_PORT:3306}/${MYSQL_DB_NAME:sequence_generator} + username: ${MYSQL_USER:root} + password: ${MYSQL_PASSWORD:root} jpa: hibernate: diff --git a/Transaction-Service/src/main/resources/application.yml b/Transaction-Service/src/main/resources/application.yml index b23b7bf..4bfa351 100644 --- a/Transaction-Service/src/main/resources/application.yml +++ b/Transaction-Service/src/main/resources/application.yml @@ -6,9 +6,9 @@ spring: ok: 200 datasource: - url: jdbc:mysql://localhost:3306/transaction_service - username: root - password: root + url: jdbc:mysql://${MYSQL_HOST:localhost}:${MYSQL_PORT:3306}/${MYSQL_DB_NAME:transaction_service} + username: ${MYSQL_USER:root} + password: ${MYSQL_PASSWORD:root} jpa: hibernate: @@ -19,4 +19,4 @@ spring: format_sql: true server: - port: 8084 \ No newline at end of file + port: 8084 diff --git a/User-Service/src/main/resources/application.yml b/User-Service/src/main/resources/application.yml index bded349..b4973dd 100644 --- a/User-Service/src/main/resources/application.yml +++ b/User-Service/src/main/resources/application.yml @@ -28,5 +28,5 @@ app: server-url: http://localhost:8571 realm: banking-service client-id: banking-service-api-client - client-secret: 932OFITe8vtH4z0G9gem4Afd69JhbwrI + client-secret: ${KEYCLOAK_CLIENT_SECRET}