config: deal with "secret" security hazard

If you provide a default, people WILL use it. It is a security hazard if people use the default private psk to sign auth messages. Flood usuaully has privileges to files. A potential intruder may download files inside Flood and that will lead to arbitrary remote code execution, not to mention rTorrent's rich and powerful script interface. This change makes sure there is NO default and build shall NOT pass before user provides a secret. Bug: Flood-UI/flood#589
jesec · Aug 22, 2020 · d137107 · d137107
1 parent f1bb524
commit d137107
Show file tree

Hide file tree

Showing 7 changed files with 17 additions and 4 deletions.
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -25,3 +25,5 @@ jobs:
     - run: cp config.template.js config.js
     - run: npm install
     - run: npm run build
+      env:
+        FLOOD_SECRET: ${{ secrets.FLOOD_SECRET }}
diff --git a/.github/workflows/check-compiled-i18n.yml b/.github/workflows/check-compiled-i18n.yml
@@ -25,3 +25,5 @@ jobs:
     - run: cp config.template.js config.js
     - run: npm install
     - run: npm run check-compiled-i18n
+      env:
+        FLOOD_SECRET: ${{ secrets.FLOOD_SECRET }}
diff --git a/.github/workflows/check-source-formatting.yml b/.github/workflows/check-source-formatting.yml
@@ -25,3 +25,5 @@ jobs:
     - run: cp config.template.js config.js
     - run: npm install
     - run: npm run check-source-formatting
+      env:
+        FLOOD_SECRET: ${{ secrets.FLOOD_SECRET }}
diff --git a/.github/workflows/check-types.yml b/.github/workflows/check-types.yml
@@ -25,3 +25,5 @@ jobs:
     - run: cp config.template.js config.js
     - run: npm install
     - run: npm run check-types
+      env:
+        FLOOD_SECRET: ${{ secrets.FLOOD_SECRET }}
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -25,3 +25,5 @@ jobs:
     - run: cp config.template.js config.js
     - run: npm install
     - run: npm run lint
+      env:
+        FLOOD_SECRET: ${{ secrets.FLOOD_SECRET }}
diff --git a/config.docker.js b/config.docker.js
@@ -5,7 +5,8 @@ const CONFIG = {
   floodServerPort: 3000,
   maxHistoryStates: 30,
   pollInterval: 1000 * 5,
-  secret: process.env.FLOOD_SECRET || 'flood',
+  // eslint-disable-next-line no-undef
+  secret: process.env.FLOOD_SECRET || CHANGE_ME,
   scgi: {
     host: process.env.RTORRENT_SCGI_HOST || 'localhost',
     port: process.env.RTORRENT_SCGI_PORT || 5000,

diff --git a/config.template.js b/config.template.js
@@ -51,9 +51,11 @@ const CONFIG = {
   maxHistoryStates: 30,
   // How often (in milliseconds) Flood will request the torrent list from.
   torrentClientPollInterval: 1000 * 2,
-  // A unique secret for signing messages with JWT (see https://jwt.io). Change
-  // this to something unique and hard to guess.
-  secret: 'flood',
+  // A unique secret for signing messages with JWT (see https://jwt.io).
+  // Change this to something unique and hard to guess.
+  // You can use 'uuidgen' or 'cat /proc/sys/kernel/random/uuid' or 'uuidgenerator.net'.
+  // eslint-disable-next-line no-undef
+  secret: process.env.FLOOD_SECRET || CHANGE_ME,
   // Configuration for SSL, if using SSL with the Flood service directly.
   ssl: false,
   sslKey: '/absolute/path/to/key/',