Security Hardening and Rotation
Security Baseline
Production deployments should have:
- HTTPS for all user traffic.
- PostgreSQL, Redis, management gRPC, and metrics not exposed publicly.
- Root password, JWT secret, OPAQUE setup secret, credential encryption key, and cluster secret managed in a Secret Manager or Kubernetes Secret.
- No default weak secrets.
- Database and secrets backed up and restored together.
- Metrics restricted by source or authentication.
Secret Classes
| Secret | Impact if lost or changed | Rotation difficulty | Handling |
|---|---|---|---|
| jwt.secret | Existing access and refresh tokens become invalid | Medium | Plan the rotation and expect users to log in again |
| security.opaque_server_setup_secret | OPAQUE password records may stop verifying | High | Do not routinely rotate; back it up together with the database |
| security.credential_encryption_key | Encrypted Provider credentials cannot be decrypted | High | Migrate credentials to the new key before replacing it |
| cluster.secret | Node-to-node authentication fails | Medium | Roll all replicas to the same value together |
| management.auth_token | CLI and management TCP authentication fails | Low | Rotate regularly if the TCP endpoint is used |
| metrics.auth.bearer_token | Metrics scrapes fail | Low | Update the scraper configuration in the same change |
| SMTP/OAuth2/Provider credentials | Email, login, or media failures | Medium | Follow the upstream rotation policy |
Pre-rotation Checklist
- Back up PostgreSQL, config files, and all production secrets.
- Identify the target and blast radius: login, Provider credentials, cluster, management, or metrics.
- Validate in a production-like test environment.
- Prepare rollback: old secret, old config, old image, or database backup.
- Notify users if re-login or Provider rebind may be required.
- Rotate during a quiet window and watch login failures, Provider decrypt errors, and WebSocket reconnects.
Common Rotation Flows
JWT Secret (jwt.secret)
- Generate a new secret.
- Update secret storage.
- Restart all SyncTV replicas.
- Expect old access and refresh tokens to fail; users must log in again.
- Watch 401 responses, login success rate, and WebSocket reconnects.
Management Token (management.auth_token)
- Generate a new token.
- Update management.auth_token or its _file variant.
- Restart the relevant service entry.
- Update the CLI environment or Secret.
- Validate with synctv system stats.
Metrics Bearer Token (metrics.auth.bearer_token)
- Generate a new bearer token.
- Update the SyncTV metrics config.
- Update Prometheus, ServiceMonitor, or the scraper Secret.
- Verify that the old token fails and the new token succeeds.
Cluster Secret (cluster.secret)
- Prepare a maintenance window.
- Ensure all replicas will use the same new value.
- Roll or restart replicas; node-to-node failures may occur during the transition.
- Watch heartbeat, Redis pub/sub, and cross-node WebSocket events.
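The "old token fails, new token succeeds" check that closes the jwt.secret and bearer-token flows, as an added Go example that is not SyncTV's own code. It implements HS256 with the standard library, which is an assumption about the token format, and the Mint, Verify and RotationCheck names are the example's own. Verify also refuses any header whose alg is not HS256, so an alg=none forgery cannot slip past the rotation check.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

var b64 = base64.RawURLEncoding

// hs256 computes HMAC-SHA256 over the "header.payload" signing input.
func hs256(secret []byte, signingInput string) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return mac.Sum(nil)
}

// Mint issues an HS256 JWT carrying claims, signed with secret.
func Mint(secret []byte, claims map[string]any) (string, error) {
	header := b64.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := header + "." + b64.EncodeToString(payload)
	return input + "." + b64.EncodeToString(hs256(secret, input)), nil
}

// Verify accepts a token only if its header says HS256, its signature matches
// secret, and its exp claim (when present) is still in the future. A token
// signed with the previous secret fails here, which is the expected outcome
// after jwt.secret is rotated and the replicas restarted.
func Verify(secret []byte, token string, now time.Time) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	hdrRaw, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrRaw, &hdr); err != nil || hdr.Alg != "HS256" {
		return nil, errors.New("unsupported or missing alg") // also rejects alg=none
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	if !hmac.Equal(sig, hs256(secret, parts[0]+"."+parts[1])) {
		return nil, errors.New("signature mismatch")
	}
	payload, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, err
	}
	if exp, ok := claims["exp"].(float64); ok && !now.Before(time.Unix(int64(exp), 0)) {
		return nil, errors.New("token expired")
	}
	return claims, nil
}

// RotationCheck is the post-rotation smoke test: a token minted before the
// rotation must be rejected under the new secret and a fresh one accepted.
func RotationCheck(oldSecret, newSecret []byte, now time.Time) (bool, bool, error) {
	claims := map[string]any{"sub": "admin", "exp": now.Add(time.Hour).Unix()}
	oldTok, err := Mint(oldSecret, claims)
	if err != nil {
		return false, false, err
	}
	newTok, err := Mint(newSecret, claims)
	if err != nil {
		return false, false, err
	}
	_, errOld := Verify(newSecret, oldTok, now)
	_, errNew := Verify(newSecret, newTok, now)
	return errOld != nil, errNew == nil, nil
}

func main() {
	// Constructed demo secrets; real values come from the Secret Manager.
	oldSecret := []byte("old-jwt-secret-demo-value-0123456789")
	newSecret := []byte("new-jwt-secret-demo-value-9876543210")
	oldRejected, newAccepted, err := RotationCheck(oldSecret, newSecret, time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Printf("old token rejected: %v, new token accepted: %v\n", oldRejected, newAccepted)
}
```

Run it against the secret values actually deployed (read from the Secret, never pasted into a shell history) after the last replica has restarted; if oldRejected is false, some replica is still serving with the previous secret.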
Credential Encryption Key Migration
If security.credential_encryption_key must change, do not simply replace it and start the service: every stored Provider credential would then fail to decrypt. A safe flow is:
- Back up the database and old key.
- Stop writes to Provider credentials.
- Decrypt existing Provider credentials with the old key.
- Encrypt them with the new key and write them back.
- Update configuration to the new key.
- Start SyncTV and verify Provider login, browse, and playback.
If no migration tool is available, either keep the old key or delete the affected Provider credentials and rebind them after the change.
OPAQUE Setup Secret
The OPAQUE setup secret is a long-lived server secret for password authentication. Changing it invalidates the stored OPAQUE password records, so do not rotate it unless you have an account password migration or forced reset plan.
If it leaks:
- Assess scope immediately.
- Force password reset or OPAQUE record recreation.
- Rotate JWT secret and clear sessions.
- Keep audit records and an incident timeline.
Hardening Checklist
| Item | Action |
|---|---|
| TLS | Public traffic only over HTTPS/WSS |
| CORS | Allow only the real frontend origins, with no path component |
| Trusted proxy | Trust only the actual reverse proxy addresses |
| Rate limits | Configure login, verification, WebSocket, and API limits |
| WebAuthn | Match rp_origin to the real HTTPS origin |
| OAuth2 | Register the exact redirect URL and keep state in Redis |
| Provider | Encrypt credentials; never put tokens in sourceConfig |
| Logs | JSON logs without secrets, cookies, or JWTs |
| Metrics | No public exposure; use bearer or platform auth |
| Backups | Back up and restore database and secrets together |