Access secrets work on the staging stack after a user makes a change to the prod stack
When a user changes a secret on their account in prod, their profile in staging is not updated until after the next migration. This could be problematic in the case of a leaked secret that must be changed to prevent unauthorized access.
We go through the load balancer (public endpoint), don’t think VPN can help… Somehow we’d have to restrict access at the load balancer while in staging (that’d mean a ‘deploy’ to put it back to normal before going live, which we’ve been trying to avoid). Can we do something internal (and dynamic) in auth so the infra does not need to be touched (akin to ‘read-only’ mode but limiting access to members of a (group of) teams for example)?
Note, this applies to passwords, API keys, and to secrets in general. I think it applies to session tokens. If it applies to OAuth access tokens and personal access tokens then one way to increase their security by requiring that the OIDC issuer (which is different for prod vs. staging) be correct. But again this doesn't fix the problem for p/ws and API keys.
One approach is to reduce the accessibility of staging.synapse.org, e.g. by requiring users go go through the VPN to access the site. (Credit to for the idea.)
What other approaches might we use?