feat: upgrades masking to use env

confesi · Aug 10, 2023 · fce18f9 · fce18f9
1 parent 2662c02
commit fce18f9
Show file tree

Hide file tree

Showing 6 changed files with 23 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -33,6 +33,10 @@ cat env-example > .env
 
 Open the `.env` file and follow the [link](https://generate-random.org/api-token-generator) to create the `APPCHECK_TOKEN` env variable.
 
+**Ensure you have the correct 16-byte `MASK_SECRET` in the `.env` file.**
+
+An example is provided in the `env-example`, but obviously generate your own for prod.
+
 **Add your AWS data to the `.env` file.**
 
 Specifically what IAM roles are needed will be determined in the future. Currently, a general admin user suffices.

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -36,6 +36,7 @@ services:
       AWS_ACCESS_KEY_ID:
       AWS_SECRET_ACCESS_KEY:
       AWS_REGION:
+      MASK_SECRET:
 
   redis:
       image: redis:alpine

diff --git a/env-example b/env-example
@@ -10,6 +10,9 @@ APPCHECK_TOKEN="kXfeSRgYTnoUztu6MO8FndqiRayoBaJqyDKQmoqvX3V9sZVlep/cm7cP!mgd-B9H
 # either 16, 24, or 32 bytes to select AES-128, AES-192, or AES-256
 HKDF_SECRET="some-secret-string"
 
+# a 16-byte key
+MASK_SECRET="your_16_byte_key"
+
 # to generate a new nonce for production:
 # go run ./scripts/main.go --new-nonce
 CIPHER_NONCE="47363bcf91a1545668f0fd7a"

diff --git a/features/schools/get_ranked.go b/features/schools/get_ranked.go
@@ -120,9 +120,9 @@ func (h *handler) handleGetRankedSchools(c *gin.Context) {
 	if len(ids) > 0 {
 		cleanedIds := make([]string, len(ids))
 		for i, id := range ids {
-			cleanedIds[i] = strings.Trim(id, "{}") // Remove curly braces
+			cleanedIds[i] = strings.Trim(id, "{}") // remove curly braces
 		}
-		idsStr := strings.Join(cleanedIds, ", ") // Convert the cleaned ids slice to a comma-separated string
+		idsStr := strings.Join(cleanedIds, ", ") // convert the cleaned ids slice to a comma-separated string
 		possibleRestriction = "WHERE s.id NOT IN (" + idsStr + ")"
 		fmt.Println(possibleRestriction)
 	}

diff --git a/lib/masking/masking.go b/lib/masking/masking.go
@@ -7,11 +7,20 @@ import (
 	"encoding/base64"
 	"fmt"
 	"io"
+	"os"
 	"strconv"
 )
 
-// todo: .ENV
-var secretKey = []byte("your_16_byte_key")
+var secretKey []byte
+
+func init() {
+	// load from .env
+	m := os.Getenv("MASK_SECRET")
+	if m == "" {
+		panic("MASK_SECRET env not found")
+	}
+	secretKey = []byte(m)
+}
 
 func Mask(id uint) (string, error) {
 	block, err := aes.NewCipher(secretKey)

diff --git a/lib/masking/masking_test.go b/lib/masking/masking_test.go
@@ -7,6 +7,8 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
+// Tests require `MASK_SECRET` env var to be set to pass
+
 func TestUniqueMasksMapToSameID(t *testing.T) {
 	// Test case: Masking the same ID twice should result in different encrypted values
 	id := uint(5)