-rw-r--r--.envrc4
-rw-r--r--Cargo.lock1
-rw-r--r--Cargo.toml1
-rw-r--r--configuration.nix7
-rw-r--r--src/main.rs9
5 files changed, 18 insertions, 4 deletions
diff --git a/.envrc b/.envrc
index 31d3b45..4fafb8c 100644
--- a/.envrc
+++ b/.envrc
@@ -11,6 +11,6 @@ export BACKEND_URI="postgres://localhost?dbname=kittybox&host=/run/postgresql"
 export JOB_QUEUE_URI="postgres://localhost?dbname=kittybox&host=/run/postgresql"
 export BLOBSTORE_URI=file://./media-store
 export AUTH_STORE_URI=file://./auth-store
-export COOKIE_SECRET=1234567890abcdefghijklmnopqrstuvwxyz
+export COOKIE_KEY="$(dd if=/dev/urandom bs=64 count=1 status=none | base64)"
 # Add DATABASE_URL for `cargo test` invocations
-export DATABASE_URL="postgres://localhost?dbname=kittybox&host=/run/postgresql"
\ No newline at end of file
+export DATABASE_URL="postgres://localhost?dbname=kittybox&host=/run/postgresql"
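Review bot: The value produced on the new `COOKIE_KEY` line will probably contain an embedded newline: 64 random bytes encode to 88 base64 characters, GNU coreutils `base64` wraps at 76 columns by default, and `$(...)` strips only trailing newlines. As far as I can tell, the standard-alphabet decoder used in `src/main.rs` does not skip whitespace, so startup would hit the "Invalid cookie key" panic. Disable wrapping with `export COOKIE_KEY="$(dd if=/dev/urandom bs=64 count=1 status=none | base64 -w0)"`, or pipe through `tr -d '\n'` where `-w` is not available. The same `dd | base64` pipeline in the `configuration.nix` start script needs the same change. This line also regenerates the key on every direnv reload, so development sessions will not survive one.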
diff --git a/Cargo.lock b/Cargo.lock
index fb53133..16bbdac 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1622,6 +1622,7 @@ dependencies = [
  "async-trait",
  "axum",
  "axum-extra",
+ "base64 0.21.2",
  "bytes",
  "chrono",
  "clap",
diff --git a/Cargo.toml b/Cargo.toml
index b71ac4e..974bb67 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -105,6 +105,7 @@ tracing-subscriber = { version = "0.3.11", features = ["env-filter", "json"] }
 tower-http = { version = "0.3.3", features = ["trace", "cors", "catch-panic", "sensitive-headers"] }
 tower = { version = "0.4.12", features = ["tracing"] }
 webauthn = { version = "0.4.5", package = "webauthn-rs", features = ["danger-allow-state-serialisation"], optional = true }
+base64 = "0.21.2"
 [dependencies.tokio]
 version = "^1.29.1"
 features = ["full", "tracing"] # TODO determine if my app doesn't need some features
diff --git a/configuration.nix b/configuration.nix
index 5495558..be24ec0 100644
--- a/configuration.nix
+++ b/configuration.nix
@@ -152,7 +152,8 @@ in {
         AUTH_STORE_URI = cfg.authstoreUri;
         JOB_QUEUE_URI = cfg.jobQueueUri;
         RUST_LOG = "${cfg.logLevel}";
-        COOKIE_SECRET_FILE = "${cfg.cookieSecretFile}";
+        # TODO: consider hardening by using systemd credentials
+        COOKIE_KEY_FILE = "${cfg.cookieSecretFile}";
       };
 
       script = ''
@@ -161,6 +162,10 @@ in {
             export KITTYBOX_INTERNAL_TOKEN=$(${pkgs.coreutils}/bin/cat ${cfg.internalTokenFile})
           fi
         ''}
+        if [[ ! -e "$COOKIE_KEY_FILE" ]]; then
+            dd if=/dev/urandom bs=64 count=1 | base64 > "$COOKIE_KEY_FILE"
+        fi
+        export COOKIE_KEY="$(cat "$COOKIE_KEY_FILE")"
         exec ${cfg.package}/bin/kittybox
       '';
 
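Review bot: The key file written by the added `dd if=/dev/urandom bs=64 count=1 | base64 > "$COOKIE_KEY_FILE"` line is created under whatever umask the service inherits, so it may end up readable by other local users; put `umask 077` before the redirect. The write is also not atomic, since a failed `dd` or `base64` leaves an empty or partial file that passes the `-e` test on every later start. Writing to a temporary file and renaming it into place would avoid that. Exporting the key as `COOKIE_KEY` also puts it in the process environment, which is presumably what the systemd-credentials TODO in the previous hunk is about. The script body begins outside this hunk.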
diff --git a/src/main.rs b/src/main.rs
index 788e765..4af8a81 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -1,3 +1,4 @@
+use base64::Engine;
 use kittybox::{database::Storage, indieauth::backend::AuthBackend, media::storage::MediaStore, webmentions::Webmention, compose_kittybox};
 use tokio::{sync::Mutex, task::JoinSet};
 use std::{env, time::Duration, sync::Arc};
@@ -79,7 +80,13 @@ async fn main() {
         });
 
     // TODO: load from environment
-    let cookie_key = axum_extra::extract::cookie::Key::generate();
+    let cookie_key = axum_extra::extract::cookie::Key::from(&env::var("COOKIE_KEY")
+        .as_deref()
+        .map(|s| base64::prelude::BASE64_STANDARD.decode(s.as_bytes())
+            .expect("Invalid cookie key: must be base64 encoded")
+        )
+        .unwrap()
+    );
 
     let cancellation_token = tokio_util::sync::CancellationToken::new();
     let jobset: Arc<Mutex<JoinSet<()>>> = Default::default();
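Review bot: The bare `.unwrap()` after the `map` call panics with only a `VarError` when `COOKIE_KEY` is unset, and `Key::from` itself panics when the decoded key is shorter than 64 bytes, so a misconfigured deployment crashes without saying what is wrong. Replace it with `.expect("COOKIE_KEY must be set to a base64-encoded key of at least 64 bytes")` and decode `s.trim().as_bytes()` so a trailing newline from a key file is tolerated. The `// TODO: load from environment` comment just above is now stale and can be removed. `main` starts and continues outside this hunk.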