Protect amoCRM tokens, document data, and generation endpoints.
| Branch | Status |
|---|---|
| main | Supported for security fixes |
| older branches | Not supported |
Never publish or attach these files or values in public issues, pull requests, screenshots, logs, or comments:
| Do not publish | Why |
|---|---|
| config/config.php | Contains integration secrets and deployment paths |
| config/token.json | Contains amoCRM OAuth tokens |
| .env | May contain secrets |
| HMAC secrets | Can authorize requests |
| amoCRM access/refresh tokens | Can access CRM data |
| generated documents | May contain customer data |
| raw customer CRM data | Private business data |
Use config/config.example.php for public examples.
If the report includes secrets, customer data, tokens, or a working exploit path, do not open a public issue.
Send the maintainer a private report through the contact channel listed on the repository profile, or open a minimal public issue that says a private security report is needed without including sensitive details.
Include:
- affected endpoint or component;
- expected vs actual behavior;
- reproduction steps without real credentials;
- suggested severity;
- whether any token, document, or CRM data may be exposed.
Browser generation should use server-issued generate_token values from prefill.php.
HMAC mode is only for trusted server-to-server clients:
| Mode | Intended use |
|---|---|
| browser_token | Browser UI flow |
| hmac | Trusted backend client |
| either | Transitional compatibility |
Never expose hmac_secret in browser JavaScript.
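The three modes above, as an added example that is not the project's own code: a small PHP authorizer that accepts a server-issued, single-use `generate_token` for the browser flow, a timestamped HMAC signature for trusted backend clients, and either one in the transitional mode, while refusing to run HMAC mode with an empty or short secret. The function names, the `$store` array standing in for server-side token storage, the signature input format (`<timestamp>.<raw body>`) and the header names are assumptions; the real `prefill.php` and `config.php` may look different.

```php
<?php
// Added example (not the project's own code). Function names, the $store
// stand-in for server-side storage, header names and the signature input
// format are assumptions; only the three mode names come from the policy above.
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 600;    // assumed lifetime of a server-issued generate_token
const HMAC_SKEW_SECONDS = 300;    // assumed tolerated clock skew for signed requests

// Server side (the role prefill.php plays): issue a random, single-use token bound to a lead id.
function issue_generate_token(array &$store, int $leadId, int $now): string
{
    $token = bin2hex(random_bytes(32));               // 256 bits of entropy, safe to hand to the browser
    $store[$token] = ['lead_id' => $leadId, 'expires' => $now + TOKEN_TTL_SECONDS];
    return $token;
}

function check_browser_token(array &$store, array $req, int $now): bool
{
    $token = (string)($req['generate_token'] ?? '');
    if ($token === '' || !isset($store[$token])) {
        return false;
    }
    $entry = $store[$token];
    unset($store[$token]);                            // single use: a replayed token fails
    return $entry['expires'] >= $now
        && $entry['lead_id'] === (int)($req['lead_id'] ?? -1);
}

// Trusted server-to-server clients sign "<timestamp>.<raw body>" with the shared secret.
function check_hmac(string $hmacSecret, array $req, int $now): bool
{
    if (strlen($hmacSecret) < 32) {                   // fail closed on a missing or weak hmac_secret
        return false;
    }
    $ts  = (int)($req['headers']['X-Timestamp'] ?? 0);
    $sig = (string)($req['headers']['X-Signature'] ?? '');
    if (abs($now - $ts) > HMAC_SKEW_SECONDS) {
        return false;                                 // stale or future-dated request
    }
    $expected = hash_hmac('sha256', $ts . '.' . (string)($req['body'] ?? ''), $hmacSecret);
    return hash_equals($expected, $sig);              // constant-time comparison
}

function authorize_generate_request(string $mode, string $hmacSecret, array &$store, array $req, int $now): bool
{
    switch ($mode) {
        case 'browser_token':
            return check_browser_token($store, $req, $now);
        case 'hmac':
            return check_hmac($hmacSecret, $req, $now);
        case 'either':                                // transitional: accept whichever credential is present
            return check_browser_token($store, $req, $now) || check_hmac($hmacSecret, $req, $now);
        default:
            return false;                             // unknown mode fails closed
    }
}

// Demonstration with constructed values.
$store  = [];
$secret = bin2hex(random_bytes(32));                  // constructed stand-in for hmac_secret from config.php
$now    = time();

$token      = issue_generate_token($store, 4711, $now);
$browserReq = ['generate_token' => $token, 'lead_id' => 4711];
assert(authorize_generate_request('browser_token', $secret, $store, $browserReq, $now) === true);
assert(authorize_generate_request('browser_token', $secret, $store, $browserReq, $now) === false); // replay rejected

$body   = json_encode(['lead_id' => 4711]);
$signed = ['body' => $body, 'headers' => [
    'X-Timestamp' => (string)$now,
    'X-Signature' => hash_hmac('sha256', $now . '.' . $body, $secret),
]];
assert(authorize_generate_request('hmac', $secret, $store, $signed, $now) === true);
assert(authorize_generate_request('hmac', '', $store, $signed, $now) === false);              // empty secret rejected
assert(authorize_generate_request('browser_token', $secret, $store, $signed, $now) === false); // a signature is not a browser token
echo "all checks passed\n";
```

The browser never sees `$secret`: it only receives the random token, which is bound to one lead id, expires, and is consumed on first use. The HMAC path is the only one that touches the secret, and it refuses to operate at all when the secret is absent, which is the behaviour the "HMAC secret requirements" tests below should pin down.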
Relevant test areas:
- token validation;
- HMAC secret requirements;
- field ID mapping;
- frontend API path safety;
- cache and note-service behavior.
Run:
`.\vendor\bin\phpunit`