Update to secure secrets using env

2026-04-26 10:30:41 +00:00 · 2026-01-12 14:59:25 -05:00 · 2026-01-12 14:59:25 -05:00 · 926256b78d
commit 926256b78d
parent 8c8b51790d
5 changed files with 48 additions and 4 deletions
--- a/webui/package.json
+++ b/webui/package.json
@ -50,6 +50,7 @@
  "scripts": {
    "dev": "node server/index.js",
    "build": "next build",
+    "prestart": "node server/ensure-secret.js",
    "start": "NODE_ENV=production node server/index.js"
  }
 }
--- a/webui/server/ensure-secret.js
+++ b/webui/server/ensure-secret.js
@ -0,0 +1,38 @@
+const fs = require('fs');
+const crypto = require('crypto');
+const path = require('path');
+
+const envPath = path.join(__dirname, '../.env');
+
+module.exports = function() {
+    // List of keys we want to ensure exist
+    const keysToEnsure = ['SECRET_KEY', 'JWT_SECRET_KEY'];
+
+    let envContent = '';
+    if (fs.existsSync(envPath)) {
+        envContent = fs.readFileSync(envPath, 'utf8');
+    } else {
+        fs.writeFileSync(envPath, '', 'utf8');
+    }
+
+    keysToEnsure.forEach(key => {
+        // Dynamic Regex: looks for the specific key at the start of a line
+        const regex = new RegExp(`^${key}=(.*)$`, 'm');
+        const match = envContent.match(regex);
+
+        if (match && match[1]) {
+            process.env[key] = match[1].trim();
+            console.log(`--- ${key} loaded from .env ---`);
+        } else {
+            // Key missing: Generate, Set, and Append
+            const newSecret = crypto.randomBytes(32).toString('hex');
+            process.env[key] = newSecret;
+
+            const secretLine = `\n# Generated automatically\n${key}=${newSecret}\n`;
+            fs.appendFileSync(envPath, secretLine, 'utf8');
+            // Update envContent string so the next loop knows this key now exists
+            envContent += secretLine;
+            console.log(`--- Created and stored new unique ${key} ---`);
+        }
+    });
+};
--- a/webui/server/index.js
+++ b/webui/server/index.js
@ -23,7 +23,11 @@ const passport = require('passport');
 const LocalStrategy = require('passport-local').Strategy;

 const csrf = require('lusca').csrf();
-const secret = process.env.SECRET_KEY || 'change-me';
+
+require('./ensure-secret')();
+
+const secret = process.env.SECRET_KEY;
+

 const api = require('./routes');

--- a/webui/server/routes/auth.js
+++ b/webui/server/routes/auth.js
@ -4,7 +4,7 @@ const router = express.Router();
 const passport = require('passport');

 const jwt = require('jsonwebtoken');
-const secret = process.env.JWT_SECRET_KEY || 'change-me';
+const secret = process.env.JWT_SECRET_KEY;

 router.get('/csrf', (req, res) => {
  return res.json({csrfToken: res.locals._csrf});
--- a/webui/server/routes/index.js
+++ b/webui/server/routes/index.js
@ -4,7 +4,8 @@ const db = require('./db')

 const router = express.Router();

-const secret = process.env.JWT_SECRET_KEY || 'change-me';
+const secret = process.env.JWT_SECRET_KEY;
+
 const passport = require('passport');
 const JWTstrategy = require('passport-jwt').Strategy;
 const ExtractJWT = require('passport-jwt').ExtractJwt;
@ -28,4 +29,4 @@ passport.use(
 router.use('/auth', auth);
 router.use('/db', passport.authenticate('jwt', { session: false }), db);

-module.exports = router;
+module.exports = router;