
prevent JWT secret showing in process list

main
forest 2 months ago
parent
commit
a19bf08a20
5 changed files with 12 additions and 9 deletions
  1. +1
    -2
      Makefile
  2. +3
    -2
      cmd/webmentiond/serve.go
  3. +6
    -4
      docs/configuration.md
  4. +1
    -1
      docs/getting-started.md
  5. +1
    -0
      envrc-dist

+ 1
- 2
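--- a/Makefile
+++ b/Makefile
@@ -35,7 +35,6 @@ docker:
 run: bin/webmentiond
 ./bin/webmentiond serve \
 --addr localhost:8080 \
---auth-jwt-secret testsecret \
 --auth-admin-emails $(AUTH_ADMIN_EMAILS) \
 --allowed-target-domains $(ALLOWED_TARGET_DOMAINS)
@@ -46,11 +45,11 @@ run-docker:
 -e "MAIL_HOST=$(MAIL_HOST)" \
 -e "MAIL_PASSWORD=$(MAIL_PASSWORD)" \
 -e "MAIL_FROM=no-reply@zerokspot.com" \
+-e "AUTH_JWT_SECRET=testsecret" \
 -v $(PWD)/data:/data \
 -p 8080:8080 \
 zerok/webmentiond:latest \
 --addr 0.0.0.0:8080 \
---auth-jwt-secret testsecret \
 --auth-admin-emails $(AUTH_ADMIN_EMAILS) \
 --allowed-target-domains $(ALLOWED_TARGET_DOMAINS)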
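Review bot: With the `--auth-jwt-secret testsecret` line gone from `run` in the first hunk, the target passes no secret at all and silently relies on `AUTH_JWT_SECRET` being exported from `.envrc`; if that variable is unset, the server is started with an empty secret, and nothing in this diff shows a startup check that rejects that. A guard in the recipe makes the failure explicit: `@test -n "$(AUTH_JWT_SECRET)" || { echo "AUTH_JWT_SECRET is not set"; exit 1; }` (tab-indented, before the `./bin/webmentiond serve` line). In the second hunk `run-docker` still hardcodes `testsecret`; `-e "AUTH_JWT_SECRET=$(AUTH_JWT_SECRET)"` would keep the two targets consistent and keep the placeholder value out of `docker inspect` output on shared hosts.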


+ 3
- 2
cmd/webmentiond/serve.go View File

@ -24,6 +24,7 @@ type dbPolicyLoader struct {
db *sql.DB
}
// blah
func (l *dbPolicyLoader) Load(ctx context.Context) ([]policies.URLPolicy, error) {
result, err := l.db.QueryContext(ctx, "SELECT id, url_pattern, policy, weight FROM url_policies ORDER BY weight ASC")
if err != nil {
@ -178,6 +179,8 @@ func newServeCmd() Command {
cfg.BindEnv("email.from", "MAIL_FROM")
cfg.BindEnv("email.no_tls", "MAIL_NO_TLS")
cfg.BindEnv("server.auth_jwt_secret", "AUTH_JWT_SECRET")
serveCmd.Flags().String("database", "./webmentiond.sqlite", "Path to a SQLite database file")
cfg.BindPFlag("database.path", serveCmd.Flags().Lookup("database"))
serveCmd.Flags().String("database-migrations", "./pkg/server/migrations", "Path to the database migrations")
@ -198,8 +201,6 @@ func newServeCmd() Command {
serveCmd.Flags().String("ui-path", "./frontend", "Path which should be served as /ui/")
cfg.BindPFlag("server.ui_path", serveCmd.Flags().Lookup("ui-path"))
serveCmd.Flags().String("auth-jwt-secret", "", "Secret used to sign and verify JWTs generated by the server")
cfg.BindPFlag("server.auth_jwt_secret", serveCmd.Flags().Lookup("auth-jwt-secret"))
serveCmd.Flags().DurationVar(&tokenTTL, "auth-jwt-ttl", time.Hour*24*7, "TTL of the generated JWTs")
cfg.BindPFlag("server.auth_jwt_ttl", serveCmd.Flags().Lookup("auth-jwt-ttl"))
serveCmd.Flags().StringSlice("auth-admin-emails", []string{}, "All e-mail addresses that can gain admin-access")
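Review bot: Nothing in these hunks rejects an empty secret: once the third hunk drops the `auth-jwt-secret` flag, `server.auth_jwt_secret` is fed only by the `AUTH_JWT_SECRET` binding added in the second hunk, so an unset variable leaves the server signing and verifying JWTs with an empty key unless a check exists outside this diff. Where the config value is read (presumably outside these hunks), add something like `if cfg.GetString("server.auth_jwt_secret") == "" { return errors.New("AUTH_JWT_SECRET must be set") }`. Removing the flag outright is also a breaking change for existing `serve` invocations, since cobra/pflag by default rejects unknown flags; keeping it registered and marking it with `serveCmd.Flags().MarkDeprecated("auth-jwt-secret", "set AUTH_JWT_SECRET instead")` would give operators a migration path. Note that moving the secret to the environment only hides it from `ps`; it stays readable in `/proc/<pid>/environ` by the same user and is inherited by child processes, so a `--auth-jwt-secret-file` option is worth a follow-up. The `// blah` line added in the first hunk looks like a stray debug comment and should not be committed; newServeCmd begins and ends outside the hunks.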


+ 6
- 4
docs/configuration.md View File

@ -98,13 +98,15 @@ Default: `false`
## Authentication settings
### `--auth-jwt-secret SECRET` (flag)
### `AUTH_JWT_SECRET` (environment)
When you log into the administration UI the server generates a little token for
you and signs it. The secret is necessary for that signing step. What the
secret looks like, though, is completely up to you. Just take any random but
long string (e.g. `52ba8240-b926-11ea-9e38-73b2d46d3547` or
`this-is-a-r3411y-long-PassPhrase-Th4t5_hard-to-GuEsS`).
secret looks like, though, is completely up to you.
E.g.: `this-is-a-r3411y-long-PassPhrase-Th4t5_hard-to-GuEsS`
### `--auth-jwt-ttl DURATION` (flag)


+ 1
- 1
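--- a/docs/getting-started.md
+++ b/docs/getting-started.md
@@ -29,11 +29,11 @@ $ docker run --rm \
 -e "MAIL_HOST=${MAIL_HOST}" \
 -e "MAIL_PASSWORD=${MAIL_PASSWORD}" \
 -e "MAIL_FROM=${MAIL_FROM}" \
+-e "AUTH_JWT_SECRET=${AUTH_JWT_SECRET}" \
 -v ${PWD}/data:/data \
 -p 8080:8080 \
 zerok/webmentiond:latest \
 --addr 0.0.0.0:8080 \
---auth-jwt-secret ${AUTH_JWT_SECRET} \
 --auth-admin-emails ${AUTH_ADMIN_MAILS} \
 --allowed-target-domains ${ALLOWED_TARGET_DOMAINS}
 ```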


+ 1
- 0
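--- a/envrc-dist
+++ b/envrc-dist
@@ -1,3 +1,4 @@
+export AUTH_JWT_SECRET=testsecret
 export MAIL_HOST=smtp.mailgun.org
 export MAIL_PORT=465
 export MAIL_USER=postmaster@something.mailgun.org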
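Review bot: `export AUTH_JWT_SECRET=testsecret` is a guessable placeholder in a template that gets copied to `.envrc`, and nothing in the file marks it as dev-only; a deployment that keeps this value lets anyone who guesses it mint admin JWTs. Put a comment directly above the line, e.g. `# dev-only placeholder; generate a real value with: openssl rand -hex 32`. It is also worth confirming (not visible in this diff) that the real `.envrc` is gitignored so a generated secret is never committed.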

