Rotate Configs/Users.eco APIAdminAuthToken before EcoJobsTracker ships to kai-server #3

Open
opened 2026-05-23 20:54:07 +00:00 by coilysiren · 0 comments

Originally filed by @coilysiren on 2026-04-24T06:48:40Z - https://github.com/coilysiren/eco-cycle-prep/issues/3

`Configs/Users.eco:APIAdminAuthToken` on Kai's local Eco install is currently the literal string `coilysiren` (her Strange Loop Games username). That's the auth value the EcoJobsTracker mod checks for on `X-API-Key` headers at `GET /api/v1/skills`.

Fine for local dev. Not fine to ship to kai-server when the mod DLL gets scp'd there, because:

1. The SLG username is public (appears on the SLG forum, play.eco profile, mod.io uploads, Steam workshop submissions). Anyone with a web browser and Eco domain familiarity can guess it.
2. Both the git-tracked `Configs/Users.eco` in eco-configs and the live file on kai-server need to move to a random high-entropy value. The live file lives at `/home/kai/Steam/steamapps/common/EcoServer/Configs/Users.eco`.
3. The new value wants to live in SSM as `/eco/webserver-api-admin-token` (or similar; name it consistently with `/eco/server-api-token`), and get stamped into the live `Configs/Users.eco` at server start via the eco-server-pre.sh pattern (same shape as `BotToken` injection into `DiscordLink.eco`).
4. Update `/home/kai/.eco` or wherever the systemd unit reads secrets from, and pass the new value into any consumer that hits `/api/v1/skills` (currently eco-spec-tracker via `UPSTREAM_API_KEY`).

Scope of the rotation:

- [ ] Generate new token (256-bit random hex or base64), store at SSM `/eco/webserver-api-admin-token`.
- [ ] Update `AWS SSM Parameter Inventory` in workspace AGENTS.md to list the new param.
- [ ] Add shell logic in `eco-server-start.sh` (or its coily-verb replacement, see eco-cycle-prep#2) to stamp the SSM value into `Configs/Users.eco:APIAdminAuthToken` at server boot, same pattern as the `BotToken` injection already there.
- [ ] Rotate the git-tracked `eco-configs/Configs/Users.eco` to a placeholder (the live-override pattern), so the repo no longer ships the real token.
- [ ] Update eco-spec-tracker's deploy env (k8s `UPSTREAM_API_KEY`) to pull from SSM, same fetch pattern as other secrets.
- [ ] Do the rotation the same day the EcoJobsTracker mod goes live on kai-server; before is too early (nothing consumes it), after is a gap.

Filing here because eco-cycle-prep owns Eco ops and the rotation ties into eco-server-start.sh + k8s deploy config; also relevant to eco-cycle-prep#2 (the kai-server migration off infrastructure/).

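The generate / fetch-from-SSM / stamp-at-boot / keep-the-repo-copy-clean steps the issue lists, as an added example in the shape of a pre-start shell script. This is illustrative code written for this page, not a script from eco-cycle-prep or eco-configs. Assumptions, also marked in the comments: `Users.eco` is a JSON file with a top-level `"APIAdminAuthToken"` key (the sample below is constructed); the git-tracked placeholder value is the hypothetical `REPLACED_AT_BOOT`; the SSM parameter name is the one proposed in the issue; an `ECO_API_ADMIN_TOKEN` environment variable (hypothetical) lets the script run without AWS credentials. The `aws ssm get-parameter --with-decryption --query Parameter.Value --output text` call is the real AWS CLI invocation.

```shell
#!/usr/bin/env bash
# Added example for the APIAdminAuthToken rotation; not code from the
# eco-cycle-prep project. Assumptions: Users.eco is JSON with a top-level
# "APIAdminAuthToken" key, the repo placeholder is REPLACED_AT_BOOT, and
# ECO_API_ADMIN_TOKEN (hypothetical) overrides the SSM fetch for offline runs.
set -eu

SSM_PARAM="${SSM_PARAM:-/eco/webserver-api-admin-token}"
PLACEHOLDER="REPLACED_AT_BOOT"

# 256 bits of randomness rendered as 64 lowercase hex chars, as the issue suggests.
gen_token() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Live token: ECO_API_ADMIN_TOKEN bypasses AWS (tests, local dev);
# otherwise this is the real SSM SecureString read.
fetch_token() {
    if [ -n "${ECO_API_ADMIN_TOKEN:-}" ]; then
        printf '%s' "$ECO_API_ADMIN_TOKEN"
    else
        aws ssm get-parameter --name "$SSM_PARAM" --with-decryption \
            --query Parameter.Value --output text
    fi
}

# Accept only 64 hex chars. This rejects the old username value, an empty or
# failed SSM read, and anything that could break the sed replacement below.
token_ok() {
    printf '%s' "$1" | grep -Eq '^[0-9a-f]{64}$'
}

# Value currently configured in a Users.eco file.
current_token() {
    sed -nE 's/.*"APIAdminAuthToken"[[:space:]]*:[[:space:]]*"([^"]*)".*/\1/p' "$1"
}

# True only while the git-tracked copy still carries the placeholder,
# i.e. the repo is not shipping a real token.
repo_copy_is_clean() {
    [ "$(current_token "$1")" = "$PLACEHOLDER" ]
}

# Replace only the APIAdminAuthToken value, write via a temp file and rename,
# and fail loudly if the key is absent or duplicated: a silent no-op would
# leave the placeholder (or the username) live on the server.
stamp_token() {
    file="$1"; token="$2"
    if ! token_ok "$token"; then
        echo "refusing to stamp a weak or malformed token" >&2; return 1
    fi
    n=$(grep -c '"APIAdminAuthToken"' "$file" || true)
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one APIAdminAuthToken in $file, found $n" >&2; return 1
    fi
    tmp="$file.tmp.$$"
    sed -E "s/(\"APIAdminAuthToken\"[[:space:]]*:[[:space:]]*\")[^\"]*(\")/\1${token}\2/" \
        "$file" > "$tmp"
    chmod 600 "$tmp"
    mv "$tmp" "$file"
}

# Stand-alone run against a constructed Users.eco so nothing touches a real server.
main() {
    demo=$(mktemp)
    cat > "$demo" <<'EOF'
{
  "Admins": ["coilysiren"],
  "APIAdminAuthToken": "REPLACED_AT_BOOT"
}
EOF
    if repo_copy_is_clean "$demo"; then
        echo "placeholder present, as the git-tracked copy should look"
    fi
    # In the real pre-start script this variable is unset and fetch_token reads SSM;
    # a freshly generated token stands in here so the demo runs offline.
    ECO_API_ADMIN_TOKEN="$(gen_token)"
    stamp_token "$demo" "$(fetch_token)"
    echo "stamped $(current_token "$demo" | cut -c1-8)... into $demo"
    rm -f "$demo"
}
main
```

The two checks worth keeping in whatever replaces `eco-server-start.sh` are `token_ok` (so a failed SSM read never degrades to an empty or guessable key) and the exactly-one-key guard in `stamp_token` (so a config refactor that drops the key fails the boot instead of leaving stale auth in place).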
coilysiren added P1 and removed P0 labels 2026-05-31 06:59:57 +00:00
Reference: coilyco-bridge/eco-cycle-prep#3