Files
alembic/app/security/session.py
T
andrew b135f11557 Security hardening and first-run/portability improvements
Security (P0):
- Remove committed session-secret default; auto-generate and persist a
  random secret to the config volume when SESSION_SECRET is unset
  (prevents forgeable session cookies / auth bypass).
- Validate playlist names to a safe charset and render sldl configs via
  literal Python substitution instead of sed (closes a command-injection
  and path-traversal path through playlist names).
- shlex-quote credential values written to shell-sourced env files, and
  strip newlines from values patched into .conf files.
- Render playlist .conf files 0600; warn at startup if the master key is
  co-located with the config volume; document keeping it separate.

Portability:
- Configurable timezone via TZ (default UTC) instead of hardcoded Edmonton.
- Remove personal defaults (navidrome user "andrew", ephemeral.club URLs).
- Ship generic example seeds; move the cross-album dedup keep-list and the
  legacy playlist import to editable config files; drop the personal
  _upgrade.csv.
- Generic VPN reference in docker-compose.snippet.yml.

First-run experience:
- Redirect to /setup instead of 500 when OIDC is unconfigured; surface a
  missing master key inline; entrypoint exits with an actionable message
  when the config folder is not writable.
- Add unauthenticated /health (JSON) and /setup (checklist) diagnostics.

Docs:
- Write docs/ARCHITECTURE.md and docs/MIGRATION.md (previously referenced
  but missing); expand README with ownership, backups, advanced settings,
  and migration guidance.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-09 14:25:55 -06:00

38 lines
1.3 KiB
Python

import secrets
from app.settings import settings
# A leftover from an earlier build that shipped this as the default. Still
# rejected explicitly so anyone who copied it into their env doesn't end up
# with a publicly-known signing key.
_KNOWN_PLACEHOLDER = "changeme-dev-only-override-in-production"
def resolve_session_secret() -> str:
"""Return the secret used to sign session cookies.
Preference order:
1. SESSION_SECRET from the environment, if set to a real value.
2. A random secret persisted to the config volume, generated once on
first boot and reused on every restart after that.
This means a user who never sets SESSION_SECRET still gets a strong,
stable secret instead of the app silently falling back to a constant
that would make every session cookie forgeable.
"""
env_value = settings.session_secret.strip()
if env_value and env_value != _KNOWN_PLACEHOLDER:
return env_value
secret_path = settings.alembic_config_dir / "session.secret"
if secret_path.exists():
stored = secret_path.read_text().strip()
if stored:
return stored
generated = secrets.token_urlsafe(48)
secret_path.parent.mkdir(parents=True, exist_ok=True)
secret_path.write_text(generated + "\n")
secret_path.chmod(0o600)
return generated