Generate random server secret if not provided from config

2025-10-30 21:40:12 +00:00 · 2021-10-25 00:21:03 +02:00
parent 4e5924d796
commit 94b26a1721
2 changed files with 22 additions and 4 deletions
--- a/modules/restserver/src/main/resources/reference.conf
+++ b/modules/restserver/src/main/resources/reference.conf
@@ -47,8 +47,9 @@ docspell.server {
    # The secret for this server that is used to sign the authenicator
    # tokens. If multiple servers are running, all must share the same
    # secret. You can use base64 or hex strings (prefix with b64: and
-    # hex:, respectively).
-    server-secret = "hex:caffee"
+    # hex:, respectively). If empty, a random secret is generated.
+    # Example: b64:YRx77QujCGkHSvll0TVEmtTaw3Z5eXr+nWMsEJowgKg=
+    server-secret = ""

    # How long an authentication token is valid. The web application
    # will get a new one periodically.
--- a/modules/restserver/src/main/scala/docspell/restserver/ConfigFile.scala
+++ b/modules/restserver/src/main/scala/docspell/restserver/ConfigFile.scala
@@ -6,6 +6,8 @@

 package docspell.restserver

+import java.security.SecureRandom
+
 import cats.Semigroup
 import cats.data.{Validated, ValidatedNec}
 import cats.effect.Async
@@ -20,12 +22,14 @@ import docspell.restserver.auth.OpenId

 import pureconfig._
 import pureconfig.generic.auto._
+import scodec.bits.ByteVector

 object ConfigFile {
+  private[this] val unsafeLogger = org.log4s.getLogger
  import Implicits._

  def loadConfig[F[_]: Async](args: List[String]): F[Config] = {
-    val logger = Logger.log4s(org.log4s.getLogger)
+    val logger = Logger.log4s(unsafeLogger)
    ConfigFactory
      .default[F, Config](logger, "docspell.server")(args)
      .map(cfg => Validate(cfg))
@@ -57,12 +61,25 @@ object ConfigFile {

    def all(cfg: Config) = List(
      duplicateOpenIdProvider(cfg),
-      signKeyVsUserUrl(cfg)
+      signKeyVsUserUrl(cfg),
+      generateSecretIfEmpty(cfg)
    )

    private def valid(cfg: Config): ValidatedNec[String, Config] =
      Validated.validNec(cfg)

+    def generateSecretIfEmpty(cfg: Config): ValidatedNec[String, Config] =
+      if (cfg.auth.serverSecret.isEmpty) {
+        unsafeLogger.warn(
+          "No serverSecret specified. Generating a random one. It is recommended to add a server-secret in the config file."
+        )
+        val random = new SecureRandom()
+        val buffer = new Array[Byte](32)
+        random.nextBytes(buffer)
+        val secret = ByteVector.view(buffer)
+        valid(cfg.copy(auth = cfg.auth.copy(serverSecret = secret)))
+      } else valid(cfg)
+
    def duplicateOpenIdProvider(cfg: Config): ValidatedNec[String, Config] = {
      val dupes =
        cfg.openid