Store OpenID cookie secret in settings db and make it unique per instance

2023-07-25 12:36:32 +02:00
parent be24ed64f8
commit e13d905f32
2 changed files with 26 additions and 2 deletions
--- a/src/oidc.js
+++ b/src/oidc.js
@@ -710,6 +710,13 @@ async function start() {
        jwksKeys.push(JSON.parse(keyRs256));
    }

+    let cookieSecret = await settings.getCookieSecret();
+    if (!cookieSecret) {
+        debug('Generating new cookie secret');
+        cookieSecret = require('crypto').randomBytes(256).toString('base64');
+        await settings.setCookieSecret(cookieSecret);
+    }
+
    const configuration = {
        findAccount,
        renderError,
@@ -740,8 +747,7 @@ async function start() {
        allowOmittingSingleRegisteredRedirectUri: true,
        clients: [],
        cookies: {
-            // FIXME https://github.com/panva/node-oidc-provider/blob/b1c1a9318036c2d3793cc9e668f99937c5c36bc6/lib/helpers/defaults.js#L770
-            keys: [ 'cookiesecret1', 'cookiesecret2' ]
+            keys: [ cookieSecret ]
        },
        pkce: {
            required: function pkceRequired(/*ctx, client*/) {
--- a/src/settings.js
+++ b/src/settings.js
@@ -7,6 +7,9 @@ exports = module.exports = {
    getTimeZone,
    setTimeZone,

+    getCookieSecret,
+    setCookieSecret,
+
    getCloudronName,
    setCloudronName,

@@ -119,6 +122,7 @@ exports = module.exports = {
    // strings
    AUTOUPDATE_PATTERN_KEY: 'autoupdate_pattern',
    TIME_ZONE_KEY: 'time_zone',
+    CLOUDRON_COOKIE_SECRET_KEY: 'cookie_secret',
    CLOUDRON_NAME_KEY: 'cloudron_name',
    LANGUAGE_KEY: 'language',
    CLOUDRON_ID_KEY: 'cloudron_id',
@@ -175,6 +179,7 @@ const gDefaults = (function () {
    const result = { };
    result[exports.AUTOUPDATE_PATTERN_KEY] = cron.DEFAULT_AUTOUPDATE_PATTERN;
    result[exports.TIME_ZONE_KEY] = 'UTC';
+    result[exports.CLOUDRON_COOKIE_SECRET_KEY] = '';
    result[exports.CLOUDRON_NAME_KEY] = 'Cloudron';
    result[exports.DYNAMIC_DNS_KEY] = false;
    result[exports.IPV6_CONFIG_KEY] = {
@@ -332,6 +337,19 @@ async function getTimeZone() {
    return tz;
 }

+async function getCookieSecret() {
+    const secret = await get(exports.CLOUDRON_COOKIE_SECRET_KEY);
+    return secret;
+}
+
+async function setCookieSecret(secret) {
+    assert.strictEqual(typeof secret, 'string');
+
+    if (!secret) throw new BoxError(BoxError.BAD_FIELD, 'secret is empty');
+
+    await set(exports.CLOUDRON_COOKIE_SECRET_KEY, secret);
+}
+
 async function getCloudronName() {
    const name = await get(exports.CLOUDRON_NAME_KEY);
    if (name === null) return gDefaults[exports.CLOUDRON_NAME_KEY];