-rw-r--r-- | .envrc | 4 | ||||
-rw-r--r-- | Cargo.lock | 1 | ||||
-rw-r--r-- | Cargo.toml | 1 | ||||
-rw-r--r-- | configuration.nix | 7 | ||||
-rw-r--r-- | src/main.rs | 9 |
5 files changed, 18 insertions, 4 deletions
diff --git a/.envrc b/.envrc
index 31d3b45..4fafb8c 100644
--- a/.envrc
+++ b/.envrc
@@ -11,6 +11,6 @@ export BACKEND_URI="postgres://localhost?dbname=kittybox&host=/run/postgresql"
 export JOB_QUEUE_URI="postgres://localhost?dbname=kittybox&host=/run/postgresql"
 export BLOBSTORE_URI=file://./media-store
 export AUTH_STORE_URI=file://./auth-store
-export COOKIE_SECRET=1234567890abcdefghijklmnopqrstuvwxyz
+export COOKIE_KEY="$(dd if=/dev/urandom bs=64 count=1 status=none | base64)"
 # Add DATABASE_URL for `cargo test` invocations
-export DATABASE_URL="postgres://localhost?dbname=kittybox&host=/run/postgresql"
\ No newline at end of file
+export DATABASE_URL="postgres://localhost?dbname=kittybox&host=/run/postgresql"
diff --git a/Cargo.lock b/Cargo.lock
index fb53133..16bbdac 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1622,6 +1622,7 @@ dependencies = [
 "async-trait",
 "axum",
 "axum-extra",
+ "base64 0.21.2",
 "bytes",
 "chrono",
 "clap",
diff --git a/Cargo.toml b/Cargo.toml
index b71ac4e..974bb67 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -105,6 +105,7 @@ tracing-subscriber = { version = "0.3.11", features = ["env-filter", "json"] }
 tower-http = { version = "0.3.3", features = ["trace", "cors", "catch-panic", "sensitive-headers"] }
 tower = { version = "0.4.12", features = ["tracing"] }
 webauthn = { version = "0.4.5", package = "webauthn-rs", features = ["danger-allow-state-serialisation"], optional = true }
+base64 = "0.21.2"
 [dependencies.tokio]
 version = "^1.29.1"
 features = ["full", "tracing"] # TODO determine if my app doesn't need some features
diff --git a/configuration.nix b/configuration.nix
index 5495558..be24ec0 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -152,7 +152,8 @@ in {
 AUTH_STORE_URI = cfg.authstoreUri;
 JOB_QUEUE_URI = cfg.jobQueueUri;
 RUST_LOG = "${cfg.logLevel}";
- COOKIE_SECRET_FILE = "${cfg.cookieSecretFile}";
+ # TODO: consider hardening by using systemd credentials
+ COOKIE_KEY_FILE = "${cfg.cookieSecretFile}";
 };
 script = ''
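Review bot: In the .envrc hunk the new `COOKIE_KEY` line pipes 64 random bytes through `base64` with default options; GNU coreutils `base64` wraps its output at 76 columns and 64 bytes encode to 88 characters, so the value would carry an embedded newline that `$(...)` does not strip. The decoder added in src/main.rs uses `BASE64_STANDARD`, which does not accept line breaks, so startup would likely panic with "Invalid cookie key". Disabling wrapping avoids this: `export COOKIE_KEY="$(dd if=/dev/urandom bs=64 count=1 status=none | base64 -w0)"`. The same `dd | base64` pipeline in the second configuration.nix hunk (the service start script) needs the same flag.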
@@ -161,6 +162,10 @@ in {
 export KITTYBOX_INTERNAL_TOKEN=$(${pkgs.coreutils}/bin/cat ${cfg.internalTokenFile})
 fi
 ''}
+ if [[ ! -e "$COOKIE_KEY_FILE" ]]; then
+ dd if=/dev/urandom bs=64 count=1 | base64 > "$COOKIE_KEY_FILE"
+ fi
+ export COOKIE_KEY="$(cat "$COOKIE_KEY_FILE")"
 exec ${cfg.package}/bin/kittybox
 '';
diff --git a/src/main.rs b/src/main.rs
index 788e765..4af8a81 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -1,3 +1,4 @@
+use base64::Engine;
 use kittybox::{database::Storage, indieauth::backend::AuthBackend, media::storage::MediaStore, webmentions::Webmention, compose_kittybox};
 use tokio::{sync::Mutex, task::JoinSet};
 use std::{env, time::Duration, sync::Arc};
@@ -79,7 +80,13 @@ async fn main() {
 });
 // TODO: load from environment
- let cookie_key = axum_extra::extract::cookie::Key::generate();
+ let cookie_key = axum_extra::extract::cookie::Key::from(&env::var("COOKIE_KEY")
+ .as_deref()
+ .map(|s| base64::prelude::BASE64_STANDARD.decode(s.as_bytes())
+ .expect("Invalid cookie key: must be base64 encoded")
+ )
+ .unwrap()
+ );
 let cancellation_token = tokio_util::sync::CancellationToken::new();
 let jobset: Arc<Mutex<JoinSet<()>>> = Default::default(); |
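Review bot: The key file written in the added `if` block is created by a plain shell redirect, so its mode comes from whatever umask the unit runs with, which this hunk does not set; unless the unit restricts it elsewhere, the cookie signing key may end up readable by other local users. Creating it under a restrictive umask closes that gap: `( umask 077; dd if=/dev/urandom bs=64 count=1 | base64 > "$COOKIE_KEY_FILE" )`. The `-e` test also accepts an empty or truncated file left behind by a failed first write, so writing to a temporary file and renaming it into place would be more robust. The surrounding `script` string starts and ends outside this hunk.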
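Review bot: The `.unwrap()` on `env::var("COOKIE_KEY")` in the second src/main.rs hunk panics without a useful message when the variable is unset, and `Key::from` is documented in the cookie crate to panic when given fewer than 64 bytes, so a misconfigured deployment dies with an opaque backtrace instead of an explanation. Each failure should carry its own message, and the decoded length should be checked before the key is built, as in the block below. The `// TODO: load from environment` comment directly above the statement is now stale and can be dropped. `main` begins and ends outside this hunk.

```rust
let cookie_key = {
    let encoded = env::var("COOKIE_KEY")
        .expect("COOKIE_KEY must be set to a base64-encoded key");
    let raw = base64::prelude::BASE64_STANDARD
        .decode(encoded.as_bytes())
        .expect("Invalid cookie key: must be base64 encoded");
    // Reject short keys explicitly so the operator sees why startup failed.
    assert!(
        raw.len() >= 64,
        "Invalid cookie key: must decode to at least 64 bytes"
    );
    axum_extra::extract::cookie::Key::from(&raw)
};
```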