diff --git a/apps/coordinator-api/src/app/deps.py b/apps/coordinator-api/src/app/deps.py
index c7acb78c..5a9ec35f 100755
--- a/apps/coordinator-api/src/app/deps.py
+++ b/apps/coordinator-api/src/app/deps.py
@@ -18,7 +18,7 @@ def _validate_api_key(allowed_keys: list[str], api_key: str | None) -> str:
 import os
 if os.getenv("APP_ENV", "dev") == "dev":
- print(f"DEBUG: Development mode - allowing API key '{api_key}'")
+ print(f"DEBUG: Development mode - allowing API key {'*' * 32 if api_key else 'None'}") # Mask API key
 return api_key or "dev_key"
 allowed = {key.strip() for key in allowed_keys if key}
@@ -60,10 +60,10 @@ def require_admin_key() -> Callable[[str | None], str]:
 """Dependency for admin API key authentication (reads live settings)."""
 def validator(api_key: str | None = Header(default=None, alias="X-Api-Key")) -> str:
- print(f"DEBUG: Received API key: {api_key}")
- print(f"DEBUG: Allowed admin keys: {settings.admin_api_keys}")
+ print(f"DEBUG: Received API key: {'*' * 32 if api_key else 'None'}") # Mask API key
+ print(f"DEBUG: Allowed admin keys: {'*' * 32 if settings.admin_api_keys else 'None'}") # Mask keys
 result = _validate_api_key(settings.admin_api_keys, api_key)
- print(f"DEBUG: Validation result: {result}")
+ print(f"DEBUG: Validation result: {'*' * 32 if result else 'None'}") # Mask result
 return result
 return validator
diff --git a/dev/scripts/generate_production_keys.py b/dev/scripts/generate_production_keys.py
index 854ec768..459033c0 100644
--- a/dev/scripts/generate_production_keys.py
+++ b/dev/scripts/generate_production_keys.py
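Review bot: The masked print leaves the real problem on the line above it untouched: `os.getenv("APP_ENV", "dev") == "dev"` defaults to dev when APP_ENV is unset, and that branch then accepts any key or none at all (`return api_key or "dev_key"`), so a deployment that forgets to set the variable silently disables API-key authentication. Make the bypass an explicit opt-in that fails closed, e.g. `if os.getenv("APP_ENV") == "dev":`, and emit the message through `logging.getLogger(__name__).debug(...)` rather than `print` so it can be silenced in production. The 32 asterisks carry no diagnostic information beyond presence; logging `api_key is not None` as a boolean says the same thing more honestly. `_validate_api_key` begins before the hunk and its remaining checks continue after it.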
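Review bot: The three masked `print` calls inside `validator` still run on every admin request and now emit only a fixed run of asterisks or `None`, so they add stdout noise without telling an operator anything; `'*' * 32 if settings.admin_api_keys else 'None'` in particular reveals neither how many keys are configured nor whether the presented key matched one. Replace them with a single structured debug log of non-secret facts, e.g. `logger.debug("admin auth: key_present=%s configured_keys=%d", api_key is not None, len(settings.admin_api_keys))`, using the `logging` module so production can disable it by level. If `_validate_api_key` raises on a mismatch, as the rest of its body (outside this hunk) presumably does, the masked "Validation result" line adds nothing the response status does not already convey. `require_admin_key` starts before the hunk.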
@@ -24,4 +24,13 @@ def generate_production_keys():
 if __name__ == "__main__":
 keys = generate_production_keys()
- print(json.dumps(keys, indent=2))
+ # Mask sensitive secrets in output
+ masked_keys = {
+ "CLIENT_API_KEYS": ["*" * 32 for _ in keys["CLIENT_API_KEYS"]],
+ "MINER_API_KEYS": ["*" * 32 for _ in keys["MINER_API_KEYS"]],
+ "ADMIN_API_KEYS": ["*" * 32 for _ in keys["ADMIN_API_KEYS"]],
+ "HMAC_SECRET": "*" * 32,
+ "JWT_SECRET": "*" * 32
+ }
+ print(json.dumps(masked_keys, indent=2))
+ print(f"\nActual keys saved to /etc/aitbc/.env (not shown here for security)")
diff --git a/scripts/security/security_audit.py b/scripts/security/security_audit.py
index d834f5f4..3f1bcc84 100755
--- a/scripts/security/security_audit.py
+++ b/scripts/security/security_audit.py
@@ -641,12 +641,20 @@ def main():
 if results['critical_issues']:
 print(f"\n🚨 CRITICAL ISSUES:")
 for issue in results['critical_issues'][:5]:
- print(f" - {issue['type']}: {issue.get('message', 'N/A')}")
+ # Mask any sensitive data in messages
+ message = issue.get('message', 'N/A')
+ if any(keyword in message.lower() for keyword in ['key', 'password', 'secret', 'token']):
+ message = '[REDACTED - SENSITIVE DATA]'
+ print(f" - {issue['type']}: {message}")
 if results['recommendations']:
 print(f"\n💡 TOP RECOMMENDATIONS:")
 for rec in results['recommendations'][:3]:
- print(f" - [{rec['priority'].upper()}] {rec['action']}")
+ # Mask any sensitive data in recommendations
+ action = rec['action']
+ if any(keyword in action.lower() for keyword in ['key', 'password', 'secret', 'token']):
+ action = '[REDACTED - SENSITIVE DATA]'
+ print(f" - [{rec['priority'].upper()}] {action}")
 print(f"\n📄 Full report: {report_file}")
diff --git a/scripts/utils/generate-api-keys.py b/scripts/utils/generate-api-keys.py
index 44451b46..c684f27b 100755
--- a/scripts/utils/generate-api-keys.py
+++ b/scripts/utils/generate-api-keys.py
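Review bot: The new final line asserts that the real keys were saved to `/etc/aitbc/.env`, but nothing in this hunk writes them anywhere; the file write, if it exists, must live in `generate_production_keys()` (defined above the hunk), and if it does not, this change turns the only output of the secrets into asterisks and the generated material is lost. Confirm the persistence path in `generate_production_keys()` and, rather than hard-coding the path in the message, derive it from the same constant the writer uses. The masked dict also hard-codes five key names, so any entry added to `keys` later is silently dropped from the summary; `masked_keys = {k: (["*" * 32 for _ in v] if isinstance(v, list) else "*" * 32) for k, v in keys.items()}` masks whatever the generator returns. The `f"\nActual keys ..."` string has no placeholders and can be a plain literal.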
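Review bot: The keyword filter in the two new `if any(...)` lines is both too broad and too narrow: an audit's critical issues are by nature about keys and secrets, so a finding like "Hardcoded secret in config.py:12" becomes `[REDACTED - SENSITIVE DATA]` and the operator loses the location needed to act on it, while a message carrying an actual credential value with none of the four words passes through untouched (and the bare substring `key` also fires on words such as "keyword"). Redact the value rather than the whole message, e.g. `message = re.sub(r"(?i)\b(api[_-]?key|password|secret|token)\b(\s*[=:]\s*)\S+", r"\1\2[REDACTED]", message)`, or better, mask at the point where the finding is built so the report file and the console agree. The same four-line block is duplicated for `action`; a small `_redact(text: str) -> str` helper would keep the two keyword lists from drifting apart. `main()` starts before this hunk, and `re` would need to be imported at the top of the file if it is not already.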
@@ -75,7 +75,7 @@ def main():
 for i, key in enumerate(keys, 1):
 print(f"{i}. {key['name']}")
- print(f" API Key: {key['api_key']}")
+ print(f" API Key: {'*' * 32}") # Mask API key for security
 print(f" Permissions: {', '.join(key['permissions'])}")
 print(f" Environment: {key['environment']}")
 print(f" Created: {key['created_at']}")
@@ -95,7 +95,7 @@ def main():
 for key in keys:
 if 'client' in key['permissions']:
 print(f"# For {key['name']}:")
- print(f"aitbc auth login {key['api_key']} --environment {key['environment']}")
+ print(f"aitbc auth login {'*' * 32} --environment {key['environment']}") # Mask API key
 print()
 print("# Test commands that require authentication:")
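Review bot: With the key replaced by a constant `'*' * 32`, the "API Key:" line no longer tells the operator anything, not even which of the generated keys is which, and whether the keys are persisted elsewhere is not visible in this hunk (`main()` starts above it). If they are written to a file, print that path here; if they are not, masking the listing discards the only copy. A non-secret identifier is the usual middle ground: print a fingerprint such as `hashlib.sha256(key['api_key'].encode()).hexdigest()[:12]` so later logs and revocations can reference a key without exposing it (needs `import hashlib` at the top of the file). The `{'*' * 32}` placeholder is a constant expression inside an f-string and can simply be a literal string.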
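Review bot: The masked command `aitbc auth login ******** --environment ...` is no longer a runnable example, and a reader cannot tell whether the asterisks are literal or a placeholder; a self-describing token such as `print(f"aitbc auth login <API_KEY> --environment {key['environment']}")` says what to substitute. Independently of the masking, the command shape passes the secret as a CLI argument, which lands in shell history and is readable by other local users via `ps`; if the `aitbc` CLI can read the key from an environment variable or a prompt, the printed example should use that form instead. `main()` starts before this hunk.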