Skip to content

[Fix] Give Discord its own gateway secret (Telegram-style)#409

Merged
mrubens merged 6 commits into
developfrom
fix/discord-gateway-secret-isolation-1rbmx2bxz1j88
Jul 16, 2026
Merged

[Fix] Give Discord its own gateway secret (Telegram-style)#409
mrubens merged 6 commits into
developfrom
fix/discord-gateway-secret-isolation-1rbmx2bxz1j88

Conversation

@roomote-roomote

@roomote-roomote roomote-roomote Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Opened on behalf of Matt Rubens. Follow up by mentioning @roomote-roomote, in the web UI, or in Slack.

Related issue

Security hardening from P1 Discord gateway auth review (no public issue link).

Why this PR exists

  • A maintainer explicitly invited this PR in the linked issue or discussion
  • I am a maintainer / this is internal Roomote work

What changed

Discord gateway↔API auth uses only a dedicated R_DISCORD_GATEWAY_SECRET.

  • API + Discord gateway resolve that secret from process env or the encrypted deployment vault
  • Saving Discord credentials auto-generates the secret when missing (Telegram-style)
  • Gateway polls for the secret and starts/restarts delivery when it appears (no BullMQ restart required after first Discord save)
  • Local development writes one shared default into process.env so API and gateway match
  • Installers, upgrades, and deploy templates generate and share the secret for env-only fleets
  • Operator docs require the gateway secret to be dedicated (not ENCRYPTION_KEY)
  • Timing-safe compare is unchanged

Why this change was made

Gateway event injection and secret-at-rest protection should not share a key. A dedicated transport secret is generated when Discord is configured, matching how Telegram already handles its webhook secret.

Impact

  • New Discord UI saves create a dedicated transport secret automatically and can begin forwarding without a service restart
  • Manual env setups are told not to reuse the vault key
  • Env-only deployments get the secret from install/upgrade/template paths

How it was tested

  • Discord auth + gateway unit tests
  • Pre-push suite on push

Checklist

  • The PR title follows the repo convention
  • This PR is small and scoped to one change
  • pnpm lint and pnpm check-types pass locally
  • I added tests or included a clear manual validation note above
  • I removed secrets, tokens, private keys, and customer data from code, logs, and screenshots
  • If this change should appear in the changelog, I ran pnpm changeset

Stop Discord gateway↔API auth from falling back to ENCRYPTION_KEY in
production-like environments, wire a dedicated secret into deploy
templates/installer, and cover the new contract with tests.
@roomote-roomote

roomote-roomote Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor Author

No new code issues found. See task

  • High: Preserve Discord forwarding on supported upgrades
  • Medium: Add the gateway secret to the manual Production Compose setup
  • Medium: Restore the distinct-key requirement in operator docs
  • High: Retry the generated gateway secret after UI configuration
  • Medium: Use one local-development secret source in API and BullMQ
  • Medium: Do not restart delivery after leadership is lost — fixed in c83aeaf (lease checks around delivery restart + early poll exit)

Reviewed c83aeaf

@roomote-roomote

roomote-roomote Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor Author

Addressed the open leadership race in c83aeaf:

  • ensureDeliveryLoop re-checks leaseValid / stopped after any await and before starting a new forwarder
  • the credential poll exits early once the lease is lost so a former leader cannot spawn concurrent delivery while shutting down

No review threads to resolve (feedback lived in the top-level summary checklist).

mrubens added 2 commits July 16, 2026 04:34
Ensure host and deploy-script upgrades mint R_DISCORD_GATEWAY_SECRET when
missing, document one-time PaaS secret wiring, and include the secret in
manual Production Compose generation steps.
Drop all ENCRYPTION_KEY fallbacks for Discord gateway auth. Mint
R_DISCORD_GATEWAY_SECRET on Discord save when missing, resolve it from
process env or the deployment vault on API and gateway, and supply a
local-development default so pnpm dev still works without vault reuse.
@roomote-roomote roomote-roomote Bot changed the title [Fix] Discord gateway auth no longer reuses the encryption key outside local development [Fix] Discord gateway auth no longer reuses the encryption key Jul 16, 2026
Rewrite comments and ops notes to describe R_DISCORD_GATEWAY_SECRET on its
own terms without referring to the removed encryption-key fallback.
@roomote-roomote roomote-roomote Bot changed the title [Fix] Discord gateway auth no longer reuses the encryption key [Fix] Give Discord its own gateway secret (Telegram-style) Jul 16, 2026
@mrubens mrubens marked this pull request as ready for review July 16, 2026 04:48
mrubens added 2 commits July 16, 2026 05:38
Re-check R_DISCORD_GATEWAY_SECRET each credential poll so UI-saved secrets
start delivery without a BullMQ restart. Write the local-development
default into process.env so API and gateway share it, and restore the
operator guidance to keep the gateway secret distinct from ENCRYPTION_KEY.
ensureDeliveryLoop re-checks leadership after awaits and the credential
poll exits early once the lease is invalid so a former leader cannot
spawn a concurrent forwarder while shutting down.
@mrubens mrubens merged commit ea8de6e into develop Jul 16, 2026
18 checks passed
@mrubens mrubens deleted the fix/discord-gateway-secret-isolation-1rbmx2bxz1j88 branch July 16, 2026 05:54
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant