feat(launchpad): implement secure email hashing for access control

This commit introduces a more secure method for verifying user access to the internal launchpad by hashing email addresses. - Replaces the plain-text email list with SHA-256 hashes. - Adds a script to generate these hashes from `iap-users.txt`. - Updates the launchpad HTML to hash the input email and compare it against the `allowed-hashes.json` file. - Updates Makefile to generate hashes before deploy and serve. - Adds .keep file for krow_client folder.
2026-01-10 11:48:54 -05:00
parent ba938be7ad
commit a5a4eae255
7 changed files with 59 additions and 11 deletions
--- a/4
+++ b/4
@@ -124,11 +124,15 @@ build:

 launchpad-dev:
 	@echo "--> Starting local Launchpad server using Firebase Hosting emulator..."
+	@echo "    - Generating secure email hashes..."
+	@node scripts/generate-allowed-hashes.js
 	@firebase serve --only hosting:launchpad --project=$(FIREBASE_ALIAS)

 # --- Deployment ---
 deploy-launchpad-hosting:
 	@echo "--> Deploying Internal Launchpad to Firebase Hosting..."
+	@echo "    - Generating secure email hashes..."
+	@node scripts/generate-allowed-hashes.js
 	@echo "    - Target: hosting:launchpad"
 	@echo "    - Project: $(FIREBASE_ALIAS)"
 	@firebase deploy --only hosting:launchpad --project=$(FIREBASE_ALIAS)
--- a/firebase.json
+++ b/firebase.json
@@ -11,6 +11,7 @@
      "public": "firebase/internal-launchpad",
      "ignore": [
        "firebase.json",
+        "iap-users.txt",
        "**/.*",
        "**/node_modules/**"
      ]
--- a/firebase/internal-launchpad/allowed-hashes.json
+++ b/firebase/internal-launchpad/allowed-hashes.json
@@ -0,0 +1,5 @@
+[
+  "1b2e22bdec8f6493bf71ee535b6db6b4b5cd2d373f0ffb25524e229f3b5b7f5f",
+  "e075ff357ef35be2d55b0e383d59c5256980c492ada7ab84c84b2bb5ac26a73f",
+  "994b31c1aef3d59fe59bc3b8e1dec860a6fb3c73cbf41bdf45028e2c1ecbcf7a"
+]
--- a/firebase/internal-launchpad/iap-users.txt
+++ b/firebase/internal-launchpad/iap-users.txt
@@ -5,4 +5,10 @@
 # Both internal (@krowwithus.com) and external emails are supported.

 user:admin@krowwithus.com
+
+# External users - Oloodi employees
 user:boris@oloodi.com
+user:achintha.isuru@oloodi.com
+
+# External users - Legendary employees
+
--- a/firebase/internal-launchpad/index.html
+++ b/firebase/internal-launchpad/index.html
@@ -398,19 +398,20 @@

        async function checkAccess(email) {
            try {
-                // Fetch the whitelist
-                const res = await fetch('iap-users.txt');
+                // 1. Fetch the secure list of hashes
+                const res = await fetch('allowed-hashes.json');
                if (!res.ok) return false;
-                const text = await res.text();
+                const allowedHashes = await res.json();
                
-                // Parse lines
-                const lines = text.split('\n');
-                const allowedEmails = lines
-                    .map(line => line.trim())
-                    .filter(line => line && !line.startsWith('#'))
-                    .map(line => line.replace(/^user:/, '').trim());
+                // 2. Hash the user's email (SHA-256)
+                const normalizedEmail = email.trim().toLowerCase();
+                const msgBuffer = new TextEncoder().encode(normalizedEmail);
+                const hashBuffer = await crypto.subtle.digest('SHA-256', msgBuffer);
+                const hashArray = Array.from(new Uint8Array(hashBuffer));
+                const hashHex = hashArray.map(b => b.toString(16).padStart(2, '0')).join('');

-                return allowedEmails.includes(email);
+                // 3. Compare
+                return allowedHashes.includes(hashHex);
            } catch (e) {
                console.error("Failed to check access list:", e);
                return false;
--- a/mobile-apps/apps/krow_client/.keep
+++ b/mobile-apps/apps/krow_client/.keep
--- a/scripts/generate-allowed-hashes.js
+++ b/scripts/generate-allowed-hashes.js
@@ -0,0 +1,31 @@
+const fs = require('fs');
+const path = require('path');
+const crypto = require('crypto');
+
+const INPUT_FILE = path.join(__dirname, '../firebase/internal-launchpad/iap-users.txt');
+const OUTPUT_FILE = path.join(__dirname, '../firebase/internal-launchpad/allowed-hashes.json');
+
+try {
+    const data = fs.readFileSync(INPUT_FILE, 'utf8');
+    const lines = data.split('\n');
+
+    const hashes = lines
+        .map(line => line.trim())
+        .filter(line => line && !line.startsWith('#')) // Ignore empty lines and comments
+        .map(line => line.replace(/^user:/, '').trim().toLowerCase()) // Clean email
+        .map(email => {
+            // Create SHA-256 hash
+            return crypto.createHash('sha256').update(email).digest('hex');
+        });
+
+    const jsonContent = JSON.stringify(hashes, null, 2);
+    fs.writeFileSync(OUTPUT_FILE, jsonContent);
+
+    console.log(`✅ Successfully generated ${hashes.length} secure hashes from iap-users.txt`);
+    console.log(`   Output: ${OUTPUT_FILE}`);
+
+} catch (err) {
+    console.error('❌ Error generating hashes:', err);
+    process.exit(1);
+}
+