refactor: auto-generate session key and store in database
All checks were successful
check / check (push) Successful in 57s
All checks were successful
check / check (push) Successful in 57s
Remove SESSION_KEY env var requirement. On first startup, a cryptographically secure 32-byte key is generated and stored in a new settings table. Subsequent startups load the key from the database. - Add Setting model (key-value table) for application config - Add Database.GetOrCreateSessionKey() method - Session manager initializes in OnStart after database is connected - Remove DevSessionKey constant and SESSION_KEY env var handling - Remove prod validation requiring SESSION_KEY - Update README: config table, Docker instructions, security notes - Update config.yaml.example - Update all tests to remove SessionKey references Addresses owner feedback on issue #15.
This commit is contained in:
@@ -22,10 +22,6 @@ const (
|
||||
EnvironmentDev = "dev"
|
||||
// EnvironmentProd represents production environment
|
||||
EnvironmentProd = "prod"
|
||||
// DevSessionKey is an insecure default 32-byte session key for development.
|
||||
// NEVER use this key in production. It exists solely so that `make dev`
|
||||
// works without requiring SESSION_KEY to be set.
|
||||
DevSessionKey = "0oaEeAhFe7aXn9DkZ/oiSN+QbAxXxcoxAnGX9TADkp8="
|
||||
)
|
||||
|
||||
// nolint:revive // ConfigParams is a standard fx naming convention
|
||||
@@ -46,7 +42,6 @@ type Config struct {
|
||||
MetricsUsername string
|
||||
Port int
|
||||
SentryDSN string
|
||||
SessionKey string
|
||||
params *ConfigParams
|
||||
log *slog.Logger
|
||||
}
|
||||
@@ -126,7 +121,6 @@ func New(lc fx.Lifecycle, params ConfigParams) (*Config, error) {
|
||||
MetricsPassword: envString("METRICS_PASSWORD", "metricsPassword"),
|
||||
Port: envInt("PORT", "port", 8080),
|
||||
SentryDSN: envSecretString("SENTRY_DSN", "sentryDSN"),
|
||||
SessionKey: envSecretString("SESSION_KEY", "sessionKey"),
|
||||
log: log,
|
||||
params: ¶ms,
|
||||
}
|
||||
@@ -145,17 +139,6 @@ func New(lc fx.Lifecycle, params ConfigParams) (*Config, error) {
|
||||
return nil, fmt.Errorf("database URL (DBURL) is required")
|
||||
}
|
||||
|
||||
// In production, require session key
|
||||
if s.IsProd() && s.SessionKey == "" {
|
||||
return nil, fmt.Errorf("SESSION_KEY is required in production environment")
|
||||
}
|
||||
|
||||
// In development mode, fall back to the insecure default key
|
||||
if s.IsDev() && s.SessionKey == "" {
|
||||
s.SessionKey = DevSessionKey
|
||||
log.Warn("Using insecure default session key for development mode")
|
||||
}
|
||||
|
||||
if s.Debug {
|
||||
params.Logger.EnableDebugLogging()
|
||||
}
|
||||
@@ -168,7 +151,6 @@ func New(lc fx.Lifecycle, params ConfigParams) (*Config, error) {
|
||||
"maintenanceMode", s.MaintenanceMode,
|
||||
"developmentMode", s.DevelopmentMode,
|
||||
"dataDir", s.DataDir,
|
||||
"hasSessionKey", s.SessionKey != "",
|
||||
"hasSentryDSN", s.SentryDSN != "",
|
||||
"hasMetricsAuth", s.MetricsUsername != "" && s.MetricsPassword != "",
|
||||
)
|
||||
|
||||
@@ -42,7 +42,6 @@ environments:
|
||||
metricsUsername: $ENV:METRICS_USERNAME
|
||||
metricsPassword: $ENV:METRICS_PASSWORD
|
||||
secrets:
|
||||
sessionKey: $ENV:SESSION_KEY
|
||||
sentryDSN: $ENV:SENTRY_DSN
|
||||
|
||||
configDefaults:
|
||||
@@ -81,11 +80,10 @@ func TestEnvironmentConfig(t *testing.T) {
|
||||
isProd: false,
|
||||
},
|
||||
{
|
||||
name: "explicit prod with session key",
|
||||
name: "explicit prod",
|
||||
envValue: "prod",
|
||||
envVars: map[string]string{
|
||||
"SESSION_KEY": "cHJvZC1zZXNzaW9uLWtleS0zMi1ieXRlcy1sb25nISE=",
|
||||
"DBURL": "postgres://prod:prod@localhost:5432/prod?sslmode=require",
|
||||
"DBURL": "postgres://prod:prod@localhost:5432/prod?sslmode=require",
|
||||
},
|
||||
expectError: false,
|
||||
isDev: false,
|
||||
@@ -152,138 +150,3 @@ func TestEnvironmentConfig(t *testing.T) {
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
func TestSessionKeyDefaults(t *testing.T) {
|
||||
tests := []struct {
|
||||
name string
|
||||
environment string
|
||||
sessionKey string
|
||||
dburl string
|
||||
expectError bool
|
||||
expectedKey string
|
||||
}{
|
||||
{
|
||||
name: "dev mode with default session key",
|
||||
environment: "dev",
|
||||
sessionKey: "",
|
||||
expectError: false,
|
||||
expectedKey: DevSessionKey,
|
||||
},
|
||||
{
|
||||
name: "dev mode with custom session key",
|
||||
environment: "dev",
|
||||
sessionKey: "Y3VzdG9tLXNlc3Npb24ta2V5LTMyLWJ5dGVzLWxvbmchIQ==",
|
||||
expectError: false,
|
||||
expectedKey: "Y3VzdG9tLXNlc3Npb24ta2V5LTMyLWJ5dGVzLWxvbmchIQ==",
|
||||
},
|
||||
{
|
||||
name: "prod mode with no session key fails",
|
||||
environment: "prod",
|
||||
sessionKey: "",
|
||||
dburl: "postgres://prod:prod@localhost:5432/prod",
|
||||
expectError: true,
|
||||
},
|
||||
{
|
||||
name: "prod mode with session key succeeds",
|
||||
environment: "prod",
|
||||
sessionKey: "cHJvZC1zZXNzaW9uLWtleS0zMi1ieXRlcy1sb25nISE=",
|
||||
dburl: "postgres://prod:prod@localhost:5432/prod",
|
||||
expectError: false,
|
||||
expectedKey: "cHJvZC1zZXNzaW9uLWtleS0zMi1ieXRlcy1sb25nISE=",
|
||||
},
|
||||
}
|
||||
|
||||
for _, tt := range tests {
|
||||
t.Run(tt.name, func(t *testing.T) {
|
||||
// Create in-memory filesystem with test config
|
||||
fs := afero.NewMemMapFs()
|
||||
|
||||
// Create custom config for session key tests
|
||||
configYAML := `
|
||||
environments:
|
||||
dev:
|
||||
config:
|
||||
environment: dev
|
||||
developmentMode: true
|
||||
dburl: postgres://test:test@localhost:5432/test_dev
|
||||
secrets:`
|
||||
|
||||
// Only add sessionKey line if it's not empty
|
||||
if tt.sessionKey != "" {
|
||||
configYAML += `
|
||||
sessionKey: ` + tt.sessionKey
|
||||
}
|
||||
|
||||
// Add prod config if testing prod
|
||||
if tt.environment == "prod" {
|
||||
configYAML += `
|
||||
prod:
|
||||
config:
|
||||
environment: prod
|
||||
developmentMode: false
|
||||
dburl: $ENV:DBURL
|
||||
secrets:
|
||||
sessionKey: $ENV:SESSION_KEY`
|
||||
}
|
||||
|
||||
require.NoError(t, afero.WriteFile(fs, "config.yaml", []byte(configYAML), 0644))
|
||||
pkgconfig.SetFs(fs)
|
||||
|
||||
// Clean up any existing env vars
|
||||
os.Unsetenv("WEBHOOKER_ENVIRONMENT")
|
||||
os.Unsetenv("SESSION_KEY")
|
||||
os.Unsetenv("DBURL")
|
||||
|
||||
// Set environment variables
|
||||
os.Setenv("WEBHOOKER_ENVIRONMENT", tt.environment)
|
||||
defer os.Unsetenv("WEBHOOKER_ENVIRONMENT")
|
||||
|
||||
if tt.sessionKey != "" && tt.environment == "prod" {
|
||||
os.Setenv("SESSION_KEY", tt.sessionKey)
|
||||
defer os.Unsetenv("SESSION_KEY")
|
||||
}
|
||||
|
||||
if tt.dburl != "" {
|
||||
os.Setenv("DBURL", tt.dburl)
|
||||
defer os.Unsetenv("DBURL")
|
||||
}
|
||||
|
||||
if tt.expectError {
|
||||
// Use regular fx.New for error cases
|
||||
var cfg *Config
|
||||
app := fx.New(
|
||||
fx.NopLogger, // Suppress fx logs in tests
|
||||
fx.Provide(
|
||||
globals.New,
|
||||
logger.New,
|
||||
New,
|
||||
),
|
||||
fx.Populate(&cfg),
|
||||
)
|
||||
assert.Error(t, app.Err())
|
||||
} else {
|
||||
// Use fxtest for success cases
|
||||
var cfg *Config
|
||||
app := fxtest.New(
|
||||
t,
|
||||
fx.Provide(
|
||||
globals.New,
|
||||
logger.New,
|
||||
New,
|
||||
),
|
||||
fx.Populate(&cfg),
|
||||
)
|
||||
require.NoError(t, app.Err())
|
||||
app.RequireStart()
|
||||
defer app.RequireStop()
|
||||
|
||||
if tt.environment == "dev" && tt.sessionKey == "" {
|
||||
// Dev mode with no session key uses default
|
||||
assert.Equal(t, DevSessionKey, cfg.SessionKey)
|
||||
} else {
|
||||
assert.Equal(t, tt.expectedKey, cfg.SessionKey)
|
||||
}
|
||||
}
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user