feat(launchpad): implement secure email hashing for access control

This commit introduces a more secure method for verifying user access to the internal launchpad by hashing email addresses. - Replaces the plain-text email list with SHA-256 hashes. - Adds a script to generate these hashes from `iap-users.txt`. - Updates the launchpad HTML to hash the input email and compare it against the `allowed-hashes.json` file. - Updates Makefile to generate hashes before deploy and serve. - Adds .keep file for krow_client folder.
2026-01-10 11:48:54 -05:00
parent ba938be7ad
commit a5a4eae255
7 changed files with 59 additions and 11 deletions
--- a/scripts/generate-allowed-hashes.js
+++ b/scripts/generate-allowed-hashes.js
@@ -0,0 +1,31 @@
+const fs = require('fs');
+const path = require('path');
+const crypto = require('crypto');
+
+const INPUT_FILE = path.join(__dirname, '../firebase/internal-launchpad/iap-users.txt');
+const OUTPUT_FILE = path.join(__dirname, '../firebase/internal-launchpad/allowed-hashes.json');
+
+try {
+    const data = fs.readFileSync(INPUT_FILE, 'utf8');
+    const lines = data.split('\n');
+
+    const hashes = lines
+        .map(line => line.trim())
+        .filter(line => line && !line.startsWith('#')) // Ignore empty lines and comments
+        .map(line => line.replace(/^user:/, '').trim().toLowerCase()) // Clean email
+        .map(email => {
+            // Create SHA-256 hash
+            return crypto.createHash('sha256').update(email).digest('hex');
+        });
+
+    const jsonContent = JSON.stringify(hashes, null, 2);
+    fs.writeFileSync(OUTPUT_FILE, jsonContent);
+
+    console.log(`✅ Successfully generated ${hashes.length} secure hashes from iap-users.txt`);
+    console.log(`   Output: ${OUTPUT_FILE}`);
+
+} catch (err) {
+    console.error('❌ Error generating hashes:', err);
+    process.exit(1);
+}
+