Security Configuration Guide

Environment-based security improvements for the Greyne Middleware system

Quick Start

1. Environment Setup

cp .env.example .env

Copy template and configure with real credentials

2. Configure Credentials

Edit .env file with your actual values (never commit this file)

3. Test Connections

Test All Configurations

4. Security Checklist

  • .env file not committed to git
  • Strong, unique passwords used
  • Credentials rotated regularly

Environment Variables Reference

SFTP Configuration (Dual Warehouse)

# CRS Warehouse SFTP
SFTP_CRS_HOST=crs-sftp-server.com
SFTP_CRS_USER=your_crs_username
SFTP_CRS_PASS=your_crs_password
SFTP_CRS_PORT=22

# Jet Warehouse SFTP  
SFTP_JET_HOST=jet-sftp-server.com
SFTP_JET_USER=your_jet_username
SFTP_JET_PASS=your_jet_password
SFTP_JET_PORT=22

SFTP_DEFAULT_DESTINATION=crs

API & Legacy Systems

# API Integration
API_USERNAME=admin
API_PASSWORD=your_secure_password
API_APP_ID=222

# Legacy FTP (Backup System)
LEGACY_FTP_HOST=your-ftp-server.com
LEGACY_FTP_USER=your_ftp_username
LEGACY_FTP_PASS=your_ftp_password
LEGACY_FTP_DIR=/your/directory/

Fishbowl Database (Future Use)

# Fishbowl Inventory System
FISHBOWL_DB_HOST=198.99.157.64
FISHBOWL_DB_PORT=3870
FISHBOWL_DB_USER=gone
FISHBOWL_DB_PASS=fishing
FISHBOWL_DB_NAME=greynedata

Application Settings

# Core Settings
DEBUG=true
SECURITY_SALT=your-unique-salt-here

# Database (if needed)
DATABASE_URL=mysql://user:pass@host:port/db

Security Issues Fixed

Before (Insecure)

Hardcoded Credentials Found:
  • _con.php: Database credentials
  • CrsController.php: FTP passwords
Risk Level: HIGH
  • Credentials visible in source code
  • Version control exposure
  • No environment separation

During (Migration)

Improvements Made:
  • Environment variable system
  • Secure connection classes
  • Configuration abstractions
Files Created:
  • src/Connection/FishbowlDatabase.php
  • .env.example
  • SECURITY.md
  • Updated config/app_local.php

After (Secure)

Security Achieved:
  • Environment-based configuration
  • No hardcoded secrets
  • Multi-environment support
Risk Level: LOW
  • Credentials in .env only
  • Proper error handling
  • Connection pooling

Usage Examples

SFTP Connections

// OrdersController usage
$sftp = $this->createSftpConnection('crs');  // CRS warehouse
$sftp = $this->createSftpConnection('jet');  // Jet warehouse
$sftp = $this->createSftpConnection();       // Default

// Configuration access
$config = $this->getSftpConfig('crs');
if ($config) {
    echo "Host: " . $config['host'];
}

API Configuration

// Replace hardcoded values
'username' => Configure::read('ApiIntegration.username'),
'password' => Configure::read('ApiIntegration.password'),
'appId' => Configure::read('ApiIntegration.appId')

Fishbowl Database (Future Use)

use App\Connection\FishbowlDatabase;

// Test connection
$result = FishbowlDatabase::testConnection();
if ($result['success']) {
    echo "Connected: " . $result['database'];
}

// Query data
$parts = FishbowlDatabase::query("
    SELECT part.num, part.description 
    FROM part 
    WHERE part.qtyOnHand > 0
");

// Get raw connection
$conn = FishbowlDatabase::getConnection();

Security Best Practices

Do

  • Store sensitive data in .env files
  • Add .env to .gitignore
  • Use different credentials for dev/staging/production
  • Rotate credentials regularly
  • Use strong, unique passwords
  • Test connections before deployment
  • Monitor for credential exposure
  • Use environment-specific configurations

Don't

  • Commit .env files to version control
  • Hardcode credentials in source code
  • Use default/weak passwords
  • Share production credentials in Slack/email
  • Store credentials in database without encryption
  • Log sensitive information
  • Use production credentials in development
  • Ignore security warnings

Tips

  • Use password managers for credential generation
  • Implement credential rotation schedules
  • Monitor access logs for anomalies
  • Document credential ownership
  • Use service accounts for applications
  • Implement connection timeouts
  • Test disaster recovery procedures
  • Review security periodically

Testing & Deployment Checklist

Pre-Deployment

Post-Deployment

Run All Tests
Back to Dashboard Main Documentation Fishbowl Analysis