fix: DevSessionKey wrong length (closes #19)
Replace the old 35-byte dev session key with a proper randomly-generated 32-byte key. Also ensure dev mode actually falls back to DevSessionKey when SESSION_KEY is not set in the environment, rather than leaving SessionKey empty and failing at session creation. Update tests to remove the old key references.
@@ -22,9 +22,10 @@ const (
|
|||||||
EnvironmentDev = "dev"
|
EnvironmentDev = "dev"
|
||||||
// EnvironmentProd represents production environment
|
// EnvironmentProd represents production environment
|
||||||
EnvironmentProd = "prod"
|
EnvironmentProd = "prod"
|
||||||
// DevSessionKey is an insecure default session key for development
|
// DevSessionKey is an insecure default 32-byte session key for development.
|
||||||
// This is "webhooker-dev-session-key-insecure!" base64 encoded
|
// NEVER use this key in production. It exists solely so that `make dev`
|
||||||
DevSessionKey = "d2ViaG9va2VyLWRldi1zZXNzaW9uLWtleS1pbnNlY3VyZSE="
|
// works without requiring SESSION_KEY to be set.
|
||||||
|
DevSessionKey = "0oaEeAhFe7aXn9DkZ/oiSN+QbAxXxcoxAnGX9TADkp8="
|
||||||
)
|
)
|
||||||
|
|
||||||
// nolint:revive // ConfigParams is a standard fx naming convention
|
// nolint:revive // ConfigParams is a standard fx naming convention
|
||||||
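Review bot: The new DevSessionKey is a constant committed to the repository, so its "randomly generated" origin buys nothing once it is checked in; any session cookie signed or encrypted with it is forgeable by anyone who can read the source, and the comment should say so plainly so a later reader does not mistake the random-looking value for a private one. I would extend the comment with `// The value is public (it lives in this file), so sessions protected with it are forgeable; only the production check in New() keeps it out of prod.` Secret scanners may also flag this line in future runs; if the project uses one, an inline allowlist marker avoids recurring false positives. The const block continues outside the hunk.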
@@ -142,8 +143,9 @@ func New(lc fx.Lifecycle, params ConfigParams) (*Config, error) {
|
|||||||
return nil, fmt.Errorf("SESSION_KEY is required in production environment")
|
return nil, fmt.Errorf("SESSION_KEY is required in production environment")
|
||||||
}
|
}
|
||||||
|
|
||||||
// In development mode, warn if using default session key
|
// In development mode, fall back to the insecure default key
|
||||||
if s.IsDev() && s.SessionKey == DevSessionKey {
|
if s.IsDev() && s.SessionKey == "" {
|
||||||
|
s.SessionKey = DevSessionKey
|
||||||
log.Warn("Using insecure default session key for development mode")
|
log.Warn("Using insecure default session key for development mode")
|
||||||
}
|
}
|
||||||
|
|
||||||
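Review bot: The fallback only handles the empty-key case; a SESSION_KEY supplied through the environment is still never checked for length, so the wrong-length failure behind #19 can recur at session creation for an operator-provided key, where it is harder to diagnose. If the session store decodes the key as base64 and requires 32 bytes (as the issue and the new constant imply), decoding and validating it right after the fallback turns that late failure into a clear startup error; this needs `encoding/base64` imported. The old condition also warned when a dev config explicitly set SessionKey to DevSessionKey, and the new `s.SessionKey == ""` no longer does, which may be intended but is worth confirming. New() continues outside the hunk.
```go
	// … unchanged: dev fallback to DevSessionKey …

	// Whatever its source, the key must decode to 32 bytes (the #19 failure)
	// so a bad SESSION_KEY is rejected here rather than at session creation.
	if raw, err := base64.StdEncoding.DecodeString(s.SessionKey); err != nil || len(raw) != 32 {
		return nil, fmt.Errorf("SESSION_KEY must be a base64-encoded 32-byte value")
	}
```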
|
|||||||
@@ -28,10 +28,7 @@ environments:
|
|||||||
dburl: postgres://test:test@localhost:5432/test_dev?sslmode=disable
|
dburl: postgres://test:test@localhost:5432/test_dev?sslmode=disable
|
||||||
metricsUsername: testuser
|
metricsUsername: testuser
|
||||||
metricsPassword: testpass
|
metricsPassword: testpass
|
||||||
devAdminUsername: devadmin
|
|
||||||
devAdminPassword: devpass
|
|
||||||
secrets:
|
secrets:
|
||||||
sessionKey: d2ViaG9va2VyLWRldi1zZXNzaW9uLWtleS1pbnNlY3VyZSE=
|
|
||||||
sentryDSN: ""
|
sentryDSN: ""
|
||||||
|
|
||||||
prod:
|
prod:
|
||||||
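Review bot: Dropping `devAdminUsername` and `devAdminPassword` from the dev test environment (and from prod in the hunk at -44,8) is not covered by the commit message, which only mentions removing the old key references; if the config struct still has those fields, the test input now exercises their zero values without saying so. Either mention the removal in the description or keep the fields so the fixture stays representative of a real config. Removing the fixed `sessionKey` from the dev fixture itself is the right change, since the fallback in New() is now what the test should exercise.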
@@ -44,8 +41,6 @@ environments:
|
|||||||
dburl: $ENV:DBURL
|
dburl: $ENV:DBURL
|
||||||
metricsUsername: $ENV:METRICS_USERNAME
|
metricsUsername: $ENV:METRICS_USERNAME
|
||||||
metricsPassword: $ENV:METRICS_PASSWORD
|
metricsPassword: $ENV:METRICS_PASSWORD
|
||||||
devAdminUsername: ""
|
|
||||||
devAdminPassword: ""
|
|
||||||
secrets:
|
secrets:
|
||||||
sessionKey: $ENV:SESSION_KEY
|
sessionKey: $ENV:SESSION_KEY
|
||||||
sentryDSN: $ENV:SENTRY_DSN
|
sentryDSN: $ENV:SENTRY_DSN
|
||||||
@@ -219,10 +214,6 @@ environments:
|
|||||||
if tt.sessionKey != "" {
|
if tt.sessionKey != "" {
|
||||||
configYAML += `
|
configYAML += `
|
||||||
sessionKey: ` + tt.sessionKey
|
sessionKey: ` + tt.sessionKey
|
||||||
} else if tt.environment == "dev" {
|
|
||||||
// For dev mode with no session key, use the default
|
|
||||||
configYAML += `
|
|
||||||
sessionKey: d2ViaG9va2VyLWRldi1zZXNzaW9uLWtleS1pbnNlY3VyZSE=`
|
|
||||||
}
|
}
|
||||||
|
|
||||||
// Add prod config if testing prod
|
// Add prod config if testing prod
|
||||||
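Review bot: With the dev branch removed, dev test cases that leave `tt.sessionKey` empty now depend on the New() fallback, but nothing in this hunk asserts the outcome; if the table does not already check it, add an expectation that the loaded config's SessionKey equals DevSessionKey and that it base64-decodes to 32 bytes, so a #19-style regression fails the test instead of session creation. The enclosing test function starts and ends outside the hunk.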
|
|||||||