Security token update (#3128)

* feat: Token re-roll * demo: Placeholder frontpage * Revert "demo: Placeholder frontpage" This reverts commit b7dbc3a. * feat: Token re-roll for slackbot * bug: Added env to playwright url-generation
navikt · Sep 1, 2024 · 7c5538f · 7c5538f
1 parent 2c346a8
commit 7c5538f
Show file tree

Hide file tree

Showing 27 changed files with 59 additions and 213 deletions.
diff --git a/.github/workflows/aksel-dev.yml b/.github/workflows/aksel-dev.yml
@@ -25,10 +25,6 @@ jobs:
 
       - name: add tokens to .env
         run: |
-          echo "SLACK_BOT_TOKEN=${{ secrets.SLACK_BOT_TOKEN }}" >> aksel.nav.no/website/.env
-          echo "SANITY_WRITE_KEY=${{ secrets.SANITY_FEEDBACK_WRITE_KEY }}" >> aksel.nav.no/website/.env
-          echo "SANITY_PREVIEW_TOKEN=${{ secrets.SANITY_PREVIEW_TOKEN }}" >> aksel.nav.no/website/.env
-          echo "SANITY_PRIVATE_NO_DRAFTS=${{ secrets.SANITY_PRIVATE_NO_DRAFTS }}" >> aksel.nav.no/website/.env
           echo "USE_CDN_ASSETS=true" >> aksel.nav.no/website/.env
 
       - name: Hide page from search engines
@@ -39,6 +35,9 @@ jobs:
         run: yarn
 
       - name: Build application
+        env:
+          SANITY_READ: ${{ secrets.SANITY_READ }}
+          SANITY_READ_NO_DRAFTS: ${{ secrets.SANITY_READ_NO_DRAFTS }}
         run: |
           yarn boot
           yarn workspace aksel.nav.no build:next

diff --git a/.github/workflows/aksel-prod.yml b/.github/workflows/aksel-prod.yml
@@ -24,10 +24,6 @@ jobs:
         shell: bash
         run: echo "NPM_AUTH_TOKEN=${{ secrets.READER_TOKEN }}" >> $GITHUB_ENV
 
-      - name: add tokens to .env
-        run: |
-          echo "SANITY_WRITE_KEY=${{ secrets.SANITY_FEEDBACK_WRITE_KEY }}" >> aksel.nav.no/website/.env
-
       - name: Install dependencies
         run: yarn
 
@@ -37,6 +33,8 @@ jobs:
           yarn docgen
 
       - name: Update sanity sync
+        env:
+          SANITY_WRITE: ${{ secrets.SANITY_WRITE }}
         run: yarn workspace aksel.nav.no sanity:update
 
   build_and_deploy:
@@ -59,10 +57,6 @@ jobs:
 
       - name: add tokens to .env
         run: |
-          echo "SLACK_BOT_TOKEN=${{ secrets.SLACK_BOT_TOKEN }}" >> aksel.nav.no/website/.env
-          echo "SANITY_WRITE_KEY=${{ secrets.SANITY_FEEDBACK_WRITE_KEY }}" >> aksel.nav.no/website/.env
-          echo "SANITY_PREVIEW_TOKEN=${{ secrets.SANITY_PREVIEW_TOKEN }}" >> aksel.nav.no/website/.env
-          echo "SANITY_PRIVATE_NO_DRAFTS=${{ secrets.SANITY_PRIVATE_NO_DRAFTS }}" >> aksel.nav.no/website/.env
           echo "USE_CDN_ASSETS=true" >> aksel.nav.no/website/.env
 
       - name: Install dependencies
@@ -75,6 +69,9 @@ jobs:
         run: yarn workspace website test
 
       - name: Build application
+        env:
+          SANITY_READ: ${{ secrets.SANITY_READ }}
+          SANITY_READ_NO_DRAFTS: ${{ secrets.SANITY_READ_NO_DRAFTS }}
         run: yarn workspace aksel.nav.no build:next
 
       - name: Upload static files to NAV CDN

diff --git a/.github/workflows/backup-sanity.yml b/.github/workflows/backup-sanity.yml
@@ -24,7 +24,9 @@ jobs:
         run: cd aksel.nav.no/website && yarn
 
       - name: Export dataset
-        run: cd aksel.nav.no/website && SANITY_PREVIEW_TOKEN=${{secrets.SANITY_DATASET_EDITOR_TOKEN}} yarn backup
+        env:
+          SANITY_READ: ${{ secrets.SANITY_READ }}
+        run: cd aksel.nav.no/website && yarn backup
       - name: Upload GCP bucket
         uses: "google-github-actions/auth@v2"
         with:

diff --git a/.github/workflows/e2e.yml b/.github/workflows/e2e.yml
@@ -24,12 +24,6 @@ jobs:
         shell: bash
         run: echo "NPM_AUTH_TOKEN=${{ secrets.READER_TOKEN }}" >> $GITHUB_ENV
 
-      - name: add tokens to .env
-        run: |
-          echo "SANITY_WRITE_KEY=${{ secrets.SANITY_FEEDBACK_WRITE_KEY }}" >> aksel.nav.no/website/.env
-          echo "SANITY_PREVIEW_TOKEN=${{ secrets.SANITY_PREVIEW_TOKEN }}" >> aksel.nav.no/website/.env
-          echo "SANITY_PRIVATE_NO_DRAFTS=${{ secrets.SANITY_PRIVATE_NO_DRAFTS }}" >> aksel.nav.no/website/.env
-
       - name: Install dependencies
         run: yarn
 
@@ -38,9 +32,15 @@ jobs:
           yarn boot
 
       - name: Build application
+        env:
+          SANITY_READ: ${{ secrets.SANITY_READ }}
+          SANITY_READ_NO_DRAFTS: ${{ secrets.SANITY_READ_NO_DRAFTS }}
         run: yarn workspace aksel.nav.no build:next
 
       - name: Run Playwright tests
+        env:
+          SANITY_READ: ${{ secrets.SANITY_READ }}
+          SANITY_READ_NO_DRAFTS: ${{ secrets.SANITY_READ_NO_DRAFTS }}
         run: yarn workspace website e2e:ci-full
       - uses: actions/upload-artifact@v4
         if: always()

diff --git a/.github/workflows/update-article-views.yml b/.github/workflows/update-article-views.yml
@@ -22,9 +22,7 @@ jobs:
           key: ${{ runner.os }}-build-${{ github.sha }}
           restore-keys: |
             ${{ runner.os }}-build-
-      - name: add tokens to .env
-        run: |
-          echo "SANITY_WRITE_KEY=${{ secrets.SANITY_UTILITY_WRITE }}" >> scripts/article-views/.env
+
       - uses: nais/docker-build-push@v0
         id: docker-push
         with:

diff --git a/aksel.nav.no/README.md b/aksel.nav.no/README.md
@@ -44,18 +44,18 @@ yarn serve:next
 Sanity-datasettet er privat, noe som betyr du må ha tilgang til sanity applikasjonen + følgende token for å få data lokalt:
 
 ```env
-SANITY_PREVIEW_TOKEN
-SANITY_PRIVATE_NO_DRAFTS
+SANITY_READ
+SANITY_READ_NO_DRAFTS
 ```
 
 ### .env
 
-Blir brukt flere keys i .env under `./website`, men kun `SANITY_PRIVATE_NO_DRAFTS` trengs for å teste lokalt
+Blir brukt flere keys i .env under `./website`, men kun `SANITY_READ_NO_DRAFTS` trengs for å teste lokalt
 
-- SANITY_WRITE_KEY:
+- SANITY_WRITE:
   For å sende dokumenter til sanity, brukt til å oppdatere sandboxes/examples/farger. Trengs bare hvis kode skal synkes fra lokal branch/teste feedback-løsning
-- SANITY_PREVIEW_TOKEN: Gir appen tilgang til å lese draft innhold fra sanity i "preview"-mode. Trengs for å teste ikke publiserte-sider
-- SANITY_PRIVATE_NO_DRAFTS: Gir appen tilgang til å lese innhold fra Sanity da datasettet er privat
+- SANITY_READ: Gir appen tilgang til å lese draft innhold fra sanity i "preview"-mode. Trengs for å teste ikke publiserte-sider
+- SANITY_READ_NO_DRAFTS: Gir appen tilgang til å lese innhold fra Sanity da datasettet er privat
 
 ## Backups
 

diff --git a/aksel.nav.no/nais-dev.yaml b/aksel.nav.no/nais-dev.yaml
@@ -6,10 +6,12 @@ metadata:
   labels:
     team: designsystem
 spec:
+  envFrom:
+    - secret: aksel-website-secrets-dev
   image: {{ image }}
   port: 3000
   ingresses:
-    - "https://aksel.ekstern.dev.nav.no"
+    - "https://aksel.ansatt.dev.nav.no"
   liveness:
     path: /api/isAlive
     initialDelay: 10

diff --git a/aksel.nav.no/nais-prod.yaml b/aksel.nav.no/nais-prod.yaml
@@ -6,6 +6,8 @@ metadata:
   labels:
     team: designsystem
 spec:
+  envFrom:
+    - secret: aksel-website-secrets
   image: {{ image }}
   port: 3000
   ingresses:

diff --git a/aksel.nav.no/website/components/utils/slack/fetch-members.ts b/aksel.nav.no/website/components/utils/slack/fetch-members.ts
@@ -22,7 +22,7 @@ export async function fetchSlackMembers(): Promise<
     };
   }
 
-  const client = new WebClient(process.env.SLACK_BOT_TOKEN);
+  const client = new WebClient(process.env.SLACK_BOT_USER_TOKEN);
 
   const pagination: {
     limit: number;

diff --git a/aksel.nav.no/website/e2e/genUrls.ts b/aksel.nav.no/website/e2e/genUrls.ts
@@ -4,7 +4,7 @@ import { sitemapPages } from "../sanity/interface/interface";
 
 dotenv.config();
 
-const token = process.env.SANITY_PRIVATE_NO_DRAFTS;
+const token = process.env.SANITY_READ_NO_DRAFTS;
 
 sitemapPages(token)
   .then((pages) =>

diff --git a/aksel.nav.no/website/middleware.ts b/aksel.nav.no/website/middleware.ts
@@ -42,7 +42,7 @@ export async function middleware(req: NextRequest) {
     );
 
     if (redirect) {
-      const token = process.env.SANITY_WRITE_KEY;
+      const token = process.env.SANITY_WRITE;
       if (token) {
         noCdnClient(token)
           .patch(redirect._id)

diff --git a/aksel.nav.no/website/pages/api/preview.ts b/aksel.nav.no/website/pages/api/preview.ts
@@ -4,7 +4,7 @@ import { clientConfig } from "../../sanity/config";
 
 const previewClient = createClient({
   ...clientConfig,
-  token: process.env.SANITY_PREVIEW_TOKEN,
+  token: process.env.SANITY_READ,
   ignoreBrowserTokenWarning: process.env.NODE_ENV === "test",
 });
 
@@ -37,7 +37,7 @@ export default async function preview(
     return redirectToPreview(res, "/");
   }
 
-  if (!process.env.SANITY_PREVIEW_TOKEN) {
+  if (!process.env.SANITY_READ) {
     return res.status(401).json({ message: "Invalid preview-token" });
   }
 

diff --git a/aksel.nav.no/website/pages/api/preview/draft.ts b/aksel.nav.no/website/pages/api/preview/draft.ts
@@ -7,11 +7,11 @@ import {
   SANITY_PROJECT_ID,
 } from "@/sanity/config";
 
-const token = process.env.SANITY_PREVIEW_TOKEN;
+const token = process.env.SANITY_READ;
 
 if (!token) {
   throw new Error(
-    "A secret is provided but there is no `SANITY_PREVIEW_TOKEN` environment variable setup.",
+    "A secret is provided but there is no `SANITY_READ` environment variable setup.",
   );
 }
 

diff --git a/aksel.nav.no/website/pages/api/slack/feedback/v1/index.ts b/aksel.nav.no/website/pages/api/slack/feedback/v1/index.ts
@@ -32,7 +32,7 @@ const requestBodySchema = z.object({
   }),
 });
 
-const client = new WebClient(process.env.SLACK_BOT_TOKEN);
+const client = new WebClient(process.env.SLACK_BOT_USER_TOKEN);
 
 export default authProtectedApi(sendSlackbotFeedback);
 

diff --git a/aksel.nav.no/website/sanity/interface/client.server.ts b/aksel.nav.no/website/sanity/interface/client.server.ts
@@ -4,7 +4,7 @@ import { clientConfig } from "../config";
 // Set up the client for fetching data in the getProps page functions
 export const sanityClient = createClient({
   ...clientConfig,
-  token: process.env.SANITY_PRIVATE_NO_DRAFTS,
+  token: process.env.SANITY_READ_NO_DRAFTS,
   ignoreBrowserTokenWarning: process.env.NODE_ENV === "test",
   useCdn: true,
 });

diff --git a/aksel.nav.no/website/scripts/backup.js b/aksel.nav.no/website/scripts/backup.js
@@ -2,10 +2,10 @@ import { createClient } from "@sanity/client";
 import exportDataset from "@sanity/export";
 import { clientConfig } from "../sanity/config";
 
-const sanityToken = process.env.SANITY_PREVIEW_TOKEN;
+const sanityToken = process.env.SANITY_READ;
 
 if (!sanityToken) {
-  throw new Error("Could not find token from SANITY_PREVIEW_TOKEN");
+  throw new Error("Could not find token from SANITY_READ");
 }
 
 const client = createClient({

diff --git a/aksel.nav.no/website/scripts/changelog.ts b/aksel.nav.no/website/scripts/changelog.ts
@@ -11,9 +11,9 @@ dotenv.config();
 main();
 
 export async function main() {
-  const token = process.env.SANITY_WRITE_KEY;
+  const token = process.env.SANITY_WRITE;
   if (!token) {
-    throw new Error("Missing token 'SANITY_WRITE_KEY' for updating changelog");
+    throw new Error("Missing token 'SANITY_WRITE' for updating changelog");
   }
   const client = noCdnClient(token);
   const changelog = fs.readFileSync("../../CHANGELOG.md", "utf-8");

diff --git a/aksel.nav.no/website/scripts/create-index.ts b/aksel.nav.no/website/scripts/create-index.ts
@@ -13,10 +13,10 @@ async function main() {
 }
 
 async function createIndex() {
-  const token = process.env.SANITY_PRIVATE_NO_DRAFTS;
+  const token = process.env.SANITY_READ_NO_DRAFTS;
   if (!token) {
     throw new Error(
-      "Missing token 'SANITY_PRIVATE_NO_DRAFTS' for generating searchindex",
+      "Missing token 'SANITY_READ_NO_DRAFTS' for generating searchindex",
     );
   }
   const data = await noCdnClient(token)

diff --git a/aksel.nav.no/website/scripts/generate-rss-feed.tsx b/aksel.nav.no/website/scripts/generate-rss-feed.tsx
@@ -22,10 +22,10 @@ async function generateRssFeed() {
     "slug": slug.current,
   }`;
 
-  const token = process.env.SANITY_PRIVATE_NO_DRAFTS;
+  const token = process.env.SANITY_READ_NO_DRAFTS;
   if (!token) {
     throw new Error(
-      "Missing token 'SANITY_PRIVATE_NO_DRAFTS' when updating RSS-feed",
+      "Missing token 'SANITY_READ_NO_DRAFTS' when updating RSS-feed",
     );
   }
   const bloggposts = await noCdnClient(token).fetch(query);