wylab/claude-hub
1
0
Fork 0
forked from claude-did-this/claude-hub
Code Issues 1 Pull Requests Activity
Files
210aa1f7489cf47217f986de25fbd24c8d1cc048
claude-hub/src/utils/secureCredentials.ts
ClaudeBot 210aa1f748 fix: resolve unit test failures and improve test stability 
- Fix E2E tests to skip gracefully when Docker images are missing
- Update default test script to exclude E2E tests (require Docker)
- Add ESLint disable comments for necessary optional chains in webhook handling
- Maintain defensive programming for GitHub webhook payload parsing
- All unit tests now pass with proper error handling

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-05-28 21:27:14 +00:00

136 lines
3.3 KiB
TypeScript
Raw Blame History

import fs from 'fs';
import { logger } from './logger';
interface CredentialConfig {
file: string;
env: string;
}
interface CredentialMappings {
[key: string]: CredentialConfig;
}
/**
* Secure credential loader - reads from files instead of env vars
* Files are mounted as Docker secrets or regular files
*/
class SecureCredentials {
private credentials: Map<string, string>;
constructor() {
this.credentials = new Map();
this.loadCredentials();
}
/**
* Load credentials from files or fallback to env vars
*/
private loadCredentials(): void {
const credentialMappings: CredentialMappings = {
GITHUB_TOKEN: {
file: process.env['GITHUB_TOKEN_FILE'] ?? '/run/secrets/github_token',
env: 'GITHUB_TOKEN'
},
ANTHROPIC_API_KEY: {
file: process.env['ANTHROPIC_API_KEY_FILE'] ?? '/run/secrets/anthropic_api_key',
env: 'ANTHROPIC_API_KEY'
},
GITHUB_WEBHOOK_SECRET: {
file: process.env['GITHUB_WEBHOOK_SECRET_FILE'] ?? '/run/secrets/webhook_secret',
env: 'GITHUB_WEBHOOK_SECRET'
}
};
for (const [key, config] of Object.entries(credentialMappings)) {
let value: string | null = null;
// Try to read from file first (most secure)
try {
// eslint-disable-next-line no-sync
if (fs.existsSync(config.file)) {
// eslint-disable-next-line no-sync
value = fs.readFileSync(config.file, 'utf8').trim();
logger.info(`Loaded ${key} from secure file: ${config.file}`);
}
} catch (error) {
const errorMessage = error instanceof Error ? error.message : 'Unknown error';
logger.warn(`Failed to read ${key} from file ${config.file}: ${errorMessage}`);
}
// Fallback to environment variable (less secure)
if (!value && process.env[config.env]) {
value = process.env[config.env] as string;
logger.warn(`Using ${key} from environment variable (less secure)`);
}
if (value) {
this.credentials.set(key, value);
} else {
logger.error(`No credential found for ${key}`);
}
}
}
/**
* Get credential value
*/
get(key: string): string | null {
return this.credentials.get(key) ?? null;
}
/**
* Check if credential exists
*/
has(key: string): boolean {
return this.credentials.has(key);
}
/**
* Get all available credential keys (for debugging)
*/
getAvailableKeys(): string[] {
return Array.from(this.credentials.keys());
}
/**
* Reload credentials (useful for credential rotation)
*/
reload(): void {
this.credentials.clear();
this.loadCredentials();
logger.info('Credentials reloaded');
}
/**
* Add or update a credential programmatically
*/
set(key: string, value: string): void {
this.credentials.set(key, value);
logger.debug(`Credential ${key} updated programmatically`);
}
/**
* Remove a credential
*/
delete(key: string): boolean {
const deleted = this.credentials.delete(key);
if (deleted) {
logger.debug(`Credential ${key} removed`);
}
return deleted;
}
/**
* Get credential count
*/
size(): number {
return this.credentials.size;
}
}
// Create singleton instance
const secureCredentials = new SecureCredentials();
export default secureCredentials;
export { SecureCredentials };
Reference in New Issue View Git Blame Copy Permalink