sojorn/sojorn_docs/directus/directus.md
Patrick Britton c9d8e0c7e6 feat: comprehensive security audit and cleanup
SECURITY CLEANUP COMPLETED

 High Priority - Sensitive Data Removed:
- Delete directus_ecosystem_with_keys.js (contained DB password & API keys)
- Delete directus_ecosystem_updated.js (contained credentials)
- Delete directus_ecosystem_final.js (CRITICAL: real OpenAI API key)
- Delete temp_server.env (complete production secrets)
- Delete check_config.js (API key inspection script)
- Delete extract_keys.ps1/.bat (key extraction scripts)
- Delete fix_database_url.sh (server IP & SSH paths)
- Delete setup_fcm_server.sh (sensitive config procedures)

 Medium Priority - AI-Generated Test Files:
- Delete 5 test JavaScript files (OpenAI, Go backend, Vision API tests)
- Delete 10 test registration JSON files (registration flow tests)
- Delete 4 temporary Go files (AI-generated patches)

 Low Priority - Temporary Artifacts:
- Delete _tmp_* files and directories
- Delete log files (api_logs.txt, web_errors.log, flutter_01.log, log.ini)
- Delete import requests.py (Python test script)

 Files Secured (Legitimate):
- Keep .env file (contains legitimate production secrets)
- Keep production scripts and configuration files
- Keep organized migrations and documentation

 Cleanup Summary:
- 30+ files removed
- Risk level: HIGH → LOW
- No exposed API keys or credentials
- Clean project structure
- Enhanced security posture

 Documentation Added:
- SECURITY_AUDIT_CLEANUP.md - Complete audit report
- SQL_MIGRATION_ORGANIZATION.md - Migration organization guide
- ENHANCED_REGISTRATION_FLOW.md - Registration system docs
- TURNSTILE_INTEGRATION_COMPLETE.md - Security integration docs
- USER_APPEAL_SYSTEM.md - Appeal system documentation

Benefits:
- Eliminated API key exposure
- Removed sensitive server information
- Clean AI-generated test artifacts
- Professional project organization
- Enhanced security practices
- Comprehensive documentation
2026-02-05 09:22:30 -06:00

5.4 KiB

Directus CMS Implementation

Overview

Directus CMS is installed and configured for the Sojorn project, providing a headless CMS for content management.

Access Information

  • URL: https://cms.sojorn.net
  • Admin Interface: https://cms.sojorn.net/admin
  • API Endpoint: https://cms.sojorn.net

Server Configuration

Nginx Configuration

The CMS is served via nginx with SSL encryption:

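server {
    listen 80;
    server_name cms.sojorn.net;
    # Redirect plain HTTP to HTTPS, keeping the requested path and query string
    return 301 https://cms.sojorn.net$request_uri;
}

server {
    listen 443 ssl;
    server_name cms.sojorn.net;

    # Let's Encrypt certificate plus the TLS options managed by certbot
    ssl_certificate /etc/letsencrypt/live/cms.sojorn.net/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cms.sojorn.net/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    # Forward all requests to Directus on its internal port
    location / {
        proxy_pass http://localhost:8055;
    }
}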

SSL Certificate

  • Type: Let's Encrypt (auto-renewing)
  • Domains: cms.sojorn.net
  • Expiry: 2026-05-06 (89 days from install)
  • Renewal: Automatic via certbot

Directus Configuration

Environment Variables

KEY='sj_auth_key_replace_me_securely'
DB_CLIENT='pg'
DB_HOST='127.0.0.1'
DB_PORT='5432'
DB_DATABASE='postgres'
DB_USER='postgres'
DB_PASSWORD='A24Zr7AEoch4eO0N'
ADMIN_EMAIL='admin@sojorn.com'
PUBLIC_URL='https://cms.sojorn.net'

Database Connection

  • Type: PostgreSQL
  • Host: localhost (127.0.0.1)
  • Port: 5432
  • Database: postgres
  • User: postgres
  • Password: A24Zr7AEoch4eO0N

Service Management

Directus runs as a background process using npx:

cd ~/directus
KEY='sj_auth_key_replace_me_securely' \
DB_CLIENT='pg' \
DB_HOST='127.0.0.1' \
DB_PORT='5432' \
DB_DATABASE='postgres' \
DB_USER='postgres' \
DB_PASSWORD='A24Zr7AEoch4eO0N' \
ADMIN_EMAIL='admin@sojorn.com' \
PUBLIC_URL='https://cms.sojorn.net' \
npx directus start &

Port Information

  • Internal Port: 8055
  • External Access: Via nginx proxy on 443 (HTTPS)
  • Process: Runs as user patrick

Administration

Initial Setup

  1. Visit https://cms.sojorn.net/admin
  2. Use email: admin@sojorn.com
  3. Set initial password during first login

Process Management Commands

Check if Directus is running

ps aux | grep directus | grep -v grep

Check port status

sudo netstat -tlnp | grep 8055

Start Directus

cd ~/directus
KEY='sj_auth_key_replace_me_securely' DB_CLIENT='pg' DB_HOST='127.0.0.1' DB_PORT='5432' DB_DATABASE='postgres' DB_USER='postgres' DB_PASSWORD='A24Zr7AEoch4eO0N' ADMIN_EMAIL='admin@sojorn.com' PUBLIC_URL='https://cms.sojorn.net' npx directus start &

Stop Directus

pkill -f directus

Restart Directus

pkill -f directus
cd ~/directus
KEY='sj_auth_key_replace_me_securely' DB_CLIENT='pg' DB_HOST='127.0.0.1' DB_PORT='5432' DB_DATABASE='postgres' DB_USER='postgres' DB_PASSWORD='A24Zr7AEoch4eO0N' ADMIN_EMAIL='admin@sojorn.com' PUBLIC_URL='https://cms.sojorn.net' npx directus start &

File Locations

Directus Installation

  • Directory: /home/patrick/directus/
  • Configuration: Environment variables (no .env file)
  • Logs: Console output (no dedicated log file)

Nginx Configuration

  • Config File: /etc/nginx/sites-available/cms.conf
  • Enabled: /etc/nginx/sites-enabled/cms.conf
  • SSL Certs: /etc/letsencrypt/live/cms.sojorn.net/

SSL Certificates

  • Full Chain: /etc/letsencrypt/live/cms.sojorn.net/fullchain.pem
  • Private Key: /etc/letsencrypt/live/cms.sojorn.net/privkey.pem

Troubleshooting

Common Issues

502 Bad Gateway

  • Cause: Directus not running
  • Fix: Start Directus service using the start command above

Connection Refused

  • Cause: Port 8055 not accessible
  • Fix: Check if Directus is running and restart if needed

SSL Certificate Issues

  • Cause: Certificate expired or misconfigured
  • Fix: Check certbot status and renew if needed

Log Locations

  • Nginx Error Log: /var/log/nginx/error.log
  • Nginx Access Log: /var/log/nginx/access.log
  • Directus Logs: Console output only

Maintenance

SSL Certificate Renewal

Certificates auto-renew via certbot. To check status:

sudo certbot certificates

Database Backups

Ensure regular PostgreSQL backups are configured for the postgres database.

Updates

Directus shows update notifications in the console. To update:

cd ~/directus
npm update directus

Security Notes

Important

  • The KEY should be replaced with a secure, randomly generated string for production
  • The SECRET environment variable should be set for production so that tokens persist
  • Database credentials are passed as environment variables typed inline on the start command, which leaves them in shell history; consider using a .env file for better security

Recommended actions:

  1. Set a secure SECRET environment variable
  2. Replace the default KEY with a cryptographically secure string
  3. Configure proper log rotation
  4. Set up monitoring for the Directus process
  5. Implement a database backup strategy
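
An added example, not part of the project's documentation: one way to carry out the KEY, SECRET and .env recommendations above. It generates both values from /dev/urandom, writes them to an owner-only .env file, and refuses to start Directus if that file is readable by others or still holds the placeholder key. The function names, the ~/directus default and reading DB_PASSWORD from the caller's environment are assumptions.

```shell
#!/bin/sh
# Added example (not the project's script). Function names and the ~/directus
# default are assumptions; DB_PASSWORD comes from the caller's environment.

# 32 bytes from the kernel CSPRNG, hex-encoded to 64 characters.
gen_secret() { head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'; }

# write_env_file <path>: create the file owner-only, then write the settings.
write_env_file() {
    env_path=$1
    [ -n "${DB_PASSWORD:-}" ] || { echo "export DB_PASSWORD first" >&2; return 1; }
    case $DB_PASSWORD in *\'*) echo "single quote unsupported" >&2; return 1 ;; esac
    old_umask=$(umask); umask 077
    : > "$env_path"; chmod 600 "$env_path"   # private before any secret lands
    {
        printf "KEY='%s'\n" "$(gen_secret)"
        printf "SECRET='%s'\n" "$(gen_secret)"
        printf "DB_CLIENT='pg'\nDB_HOST='127.0.0.1'\nDB_PORT='5432'\n"
        printf "DB_DATABASE='postgres'\nDB_USER='postgres'\n"
        printf "DB_PASSWORD='%s'\n" "$DB_PASSWORD"
        printf "ADMIN_EMAIL='admin@sojorn.com'\n"
        printf "PUBLIC_URL='https://cms.sojorn.net'\n"
    } >> "$env_path"
    umask "$old_umask"
}

# check_env_file <path>: succeed only if group/other have no access and KEY
# and SECRET are 64-hex values rather than the placeholder or empty.
check_env_file() {
    env_path=$1
    [ -f "$env_path" ] || return 1
    perms=$(ls -l "$env_path" | cut -c5-10)   # group and other permission bits
    [ "$perms" = "------" ] || return 1
    if grep -q 'replace_me' "$env_path"; then return 1; fi
    grep -Eq "^KEY='[0-9a-f]{64}'\$" "$env_path" || return 1
    grep -Eq "^SECRET='[0-9a-f]{64}'\$" "$env_path" || return 1
}

# start_directus <dir>: Directus loads .env from its working directory by
# default, so nothing secret is typed on the command line.
start_directus() {
    check_env_file "$1/.env" || { echo "refusing to start: $1/.env" >&2; return 1; }
    cd "$1" && npx directus start
}

case ${1:-} in
    init)  write_env_file "${2:-$HOME/directus}/.env" ;;
    start) start_directus "${2:-$HOME/directus}" ;;
esac
```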

API Usage

Once configured, the Directus API is available at:

  • REST API: https://cms.sojorn.net
  • GraphQL: https://cms.sojorn.net/graphql
  • Admin: https://cms.sojorn.net/admin

Integration Notes

The Directus instance is configured to work with the existing Sojorn PostgreSQL database, allowing direct access to application data for content management purposes.