Merge pull request #5347 from bcgov/dev-AH-FOIMOD-3365

Ticket 3365: Security Fix - Removal of hard coded value
bcgov · Aug 16, 2024 · 59b0f8c · 59b0f8c
2 parents 72a7bcc + f242200
commit 59b0f8c
Show file tree

Hide file tree

Showing 6 changed files with 8 additions and 1 deletion.
diff --git a/docker-compose-linux.yml b/docker-compose-linux.yml
@@ -192,6 +192,7 @@ services:
         - FOI_FFA_URL=${FOI_FFA_URL}
         - REACT_APP_FOI_RECORD_FORMATS=${FOI_RECORD_FORMATS}
         - REACT_APP_RECORD_PROCESSING_HRS=${RECORD_PROCESSING_HRS}
+        - REACT_APP_SESSION_SECURITY_KEY=${REACT_APP_SESSION_SECURITY_KEY}
     volumes:
       - ".:/app"
       - "/app/node_modules"

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -229,6 +229,7 @@ services:
         - REACT_APP_DISABLE_GATHERINGRECORDS_TAB=${DISABLE_GATHERINGRECORDS_TAB}
         - REACT_APP_RECORD_DOWNLOAD_LIMIT=${RECORD_DOWNLOAD_LIMIT}
         - REACT_APP_RECORD_DOWNLOAD_SIZE_LIMIT=${RECORD_DOWNLOAD_SIZE_LIMIT}
+        - REACT_APP_SESSION_SECURITY_KEY=${REACT_APP_SESSION_SECURITY_KEY}
     volumes:
       - ".:/app"
       - "/app/node_modules"

diff --git a/forms-flow-web/Dockerfile b/forms-flow-web/Dockerfile
@@ -37,6 +37,7 @@ ARG REACT_APP_DISABLE_REDACT_WEBLINK
 ARG REACT_APP_DISABLE_GATHERINGRECORDS_TAB
 ARG REACT_APP_RECORD_DOWNLOAD_LIMIT
 ARG REACT_APP_RECORD_DOWNLOAD_SIZE_LIMIT
+ARG REACT_APP_SESSION_SECURITY_KEY
 
 ENV NODE_ENV ${NODE_ENV}
 ENV GENERATE_SOURCEMAP ${GENERATE_SOURCEMAP}
@@ -66,6 +67,7 @@ ENV REACT_APP_FOI_RECORD_FORMATS ${REACT_APP_FOI_RECORD_FORMATS}
 ENV REACT_APP_RECORD_PROCESSING_HRS ${REACT_APP_RECORD_PROCESSING_HRS}
 ENV REACT_APP_DISABLE_REDACT_WEBLINK ${REACT_APP_DISABLE_REDACT_WEBLINK}
 ENV REACT_APP_DISABLE_GATHERINGRECORDS_TAB ${REACT_APP_DISABLE_GATHERINGRECORDS_TAB}
+ENV REACT_APP_SESSION_SECURITY_KEY ${REACT_APP_SESSION_SECURITY_KEY}
 
 ENV REACT_APP_SOCKETIO_CONNECT_NONCE ${REACT_APP_SOCKETIO_CONNECT_NONCE}
 ENV REACT_APP_RECORD_DOWNLOAD_LIMIT ${REACT_APP_RECORD_DOWNLOAD_LIMIT}

diff --git a/forms-flow-web/Dockerfile.local b/forms-flow-web/Dockerfile.local
@@ -34,6 +34,7 @@ ARG REACT_APP_DISABLE_REDACT_WEBLINK
 ARG REACT_APP_DISABLE_GATHERINGRECORDS_TAB
 ARG REACT_APP_RECORD_DOWNLOAD_LIMIT
 ARG REACT_APP_RECORD_DOWNLOAD_SIZE_LIMIT
+ARG REACT_APP_SESSION_SECURITY_KEY
 
 ENV NODE_ENV ${NODE_ENV}
 ENV GENERATE_SOURCEMAP ${GENERATE_SOURCEMAP}
@@ -63,6 +64,7 @@ ENV REACT_APP_DISABLE_REDACT_WEBLINK ${REACT_APP_DISABLE_REDACT_WEBLINK}
 ENV REACT_APP_DISABLE_GATHERINGRECORDS_TAB ${REACT_APP_DISABLE_GATHERINGRECORDS_TAB}
 ENV REACT_APP_RECORD_DOWNLOAD_LIMIT ${REACT_APP_RECORD_DOWNLOAD_LIMIT}
 ENV REACT_APP_RECORD_DOWNLOAD_SIZE_LIMIT ${REACT_APP_RECORD_DOWNLOAD_SIZE_LIMIT}
+ENV REACT_APP_SESSION_SECURITY_KEY ${REACT_APP_SESSION_SECURITY_KEY}
 # add `/app/node_modules/.bin` to $PATH
 ENV PATH /forms-flow-web/app/node_modules/.bin:$PATH
 

diff --git a/forms-flow-web/docker-compose.yml b/forms-flow-web/docker-compose.yml
@@ -35,6 +35,7 @@ services:
         - REACT_APP_FOI_FLOW_REPORTING_URL=${FOI_FLOW_REPORTING_URL}
         - REACT_APP_AXIS_API_URL=${AXIS_API_URL}
         - REACT_APP_SOCKETIO_CONNECT_NONCE=${SOCKETIO_CONNECT_NONCE}
+        - REACT_APP_SESSION_SECURITY_KEY=${REACT_APP_SESSION_SECURITY_KEY}
     volumes:
       - ".:/app"
       - "/app/node_modules"

diff --git a/forms-flow-web/src/constants/constants.js b/forms-flow-web/src/constants/constants.js
@@ -16,7 +16,7 @@ export const KEYCLOAK_REALM =
 export const KEYCLOAK_URL =(window._env_ && window._env_.REACT_APP_KEYCLOAK_URL) || process.env.REACT_APP_KEYCLOAK_URL;
 export const KEYCLOAK_AUTH_URL = `${KEYCLOAK_URL}/auth`;
 export const ANONYMOUS_USER = "anonymous";
-export const SESSION_SECURITY_KEY = "u7x!A%D*G-KaNdRgUkXp2s5v8y/B?E(H";
+export const SESSION_SECURITY_KEY = (window._env_ && window._env_.REACT_APP_SESSION_SECURITY_KEY) || process.env.REACT_APP_SESSION_SECURITY_KEY;
 //6 hour in milliseconds
 export const SESSION_LIFETIME = 21600000;
 export const SOCKETIO_CONNECT_URL =