b135f11557
Security (P0): - Remove committed session-secret default; auto-generate and persist a random secret to the config volume when SESSION_SECRET is unset (prevents forgeable session cookies / auth bypass). - Validate playlist names to a safe charset and render sldl configs via literal Python substitution instead of sed (closes a command-injection and path-traversal path through playlist names). - shlex-quote credential values written to shell-sourced env files, and strip newlines from values patched into .conf files. - Render playlist .conf files 0600; warn at startup if the master key is co-located with the config volume; document keeping it separate. Portability: - Configurable timezone via TZ (default UTC) instead of hardcoded Edmonton. - Remove personal defaults (navidrome user "andrew", ephemeral.club URLs). - Ship generic example seeds; move the cross-album dedup keep-list and the legacy playlist import to editable config files; drop the personal _upgrade.csv. - Generic VPN reference in docker-compose.snippet.yml. First-run experience: - Redirect to /setup instead of 500 when OIDC is unconfigured; surface a missing master key inline; entrypoint exits with an actionable message when the config folder is not writable. - Add unauthenticated /health (JSON) and /setup (checklist) diagnostics. Docs: - Write docs/ARCHITECTURE.md and docs/MIGRATION.md (previously referenced but missing); expand README with ownership, backups, advanced settings, and migration guidance. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
38 lines
1.3 KiB
Python
38 lines
1.3 KiB
Python
import secrets
|
|
|
|
from app.settings import settings
|
|
|
|
# A leftover from an earlier build that shipped this as the default. Still
|
|
# rejected explicitly so anyone who copied it into their env doesn't end up
|
|
# with a publicly-known signing key.
|
|
_KNOWN_PLACEHOLDER = "changeme-dev-only-override-in-production"
|
|
|
|
|
|
def resolve_session_secret() -> str:
|
|
"""Return the secret used to sign session cookies.
|
|
|
|
Preference order:
|
|
1. SESSION_SECRET from the environment, if set to a real value.
|
|
2. A random secret persisted to the config volume, generated once on
|
|
first boot and reused on every restart after that.
|
|
|
|
This means a user who never sets SESSION_SECRET still gets a strong,
|
|
stable secret instead of the app silently falling back to a constant
|
|
that would make every session cookie forgeable.
|
|
"""
|
|
env_value = settings.session_secret.strip()
|
|
if env_value and env_value != _KNOWN_PLACEHOLDER:
|
|
return env_value
|
|
|
|
secret_path = settings.alembic_config_dir / "session.secret"
|
|
if secret_path.exists():
|
|
stored = secret_path.read_text().strip()
|
|
if stored:
|
|
return stored
|
|
|
|
generated = secrets.token_urlsafe(48)
|
|
secret_path.parent.mkdir(parents=True, exist_ok=True)
|
|
secret_path.write_text(generated + "\n")
|
|
secret_path.chmod(0o600)
|
|
return generated
|