From 15d47d0585be3706367688265619cef65ccc9375 Mon Sep 17 00:00:00 2001
From: Meier Lukas
Date: Tue, 17 Dec 2024 19:10:19 +0100
Subject: [PATCH] ci: generate auth secret in production (#1681)

* ci: generate auth secret in production
* refactor: remove no longer needed auth-secret from e2e test
* fix: remove static auth secret
---
 Dockerfile | 2 +-
 development/docker-run.cmd | 2 +-
 e2e/shared/create-homarr-container.ts | 3 ---
 packages/auth/configuration.ts | 1 -
 ...ncryptionKey.js => generateRandomSecureKey.js} | 6 +++---
 scripts/run.sh | 15 ++++++++++++++-
 6 files changed, 19 insertions(+), 10 deletions(-)
 rename scripts/{generateEncryptionKey.js => generateRandomSecureKey.js} (65%)

diff --git a/Dockerfile b/Dockerfile
index 443a7ce08..6b0ea4e63 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -67,7 +67,7 @@ COPY --from=builder --chown=nextjs:nodejs /app/apps/nextjs/.next/standalone ./
 COPY --from=builder --chown=nextjs:nodejs /app/apps/nextjs/.next/static ./apps/nextjs/.next/static
 COPY --from=builder --chown=nextjs:nodejs /app/apps/nextjs/public ./apps/nextjs/public
 COPY --chown=nextjs:nodejs scripts/run.sh ./run.sh
-COPY --chown=nextjs:nodejs scripts/generateEncryptionKey.js ./generateEncryptionKey.js
+COPY --chown=nextjs:nodejs scripts/generateRandomSecureKey.js ./generateRandomSecureKey.js
 COPY --chown=nextjs:nodejs packages/redis/redis.conf /app/redis.conf
 COPY --chown=nextjs:nodejs nginx.conf /etc/nginx/templates/nginx.conf
diff --git a/development/docker-run.cmd b/development/docker-run.cmd
index 080de6c41..1f608898f 100644
--- a/development/docker-run.cmd
+++ b/development/docker-run.cmd
@@ -1 +1 @@
-docker run -p 7575:7575 -e AUTH_SECRET='secrets' homarr:latest
\ No newline at end of file
+docker run -p 7575:7575 homarr:latest
\ No newline at end of file
diff --git a/e2e/shared/create-homarr-container.ts b/e2e/shared/create-homarr-container.ts
index 84cbcc711..e6f2281ae 100644
--- a/e2e/shared/create-homarr-container.ts
+++ b/e2e/shared/create-homarr-container.ts
@@ -6,9 +6,6 @@ export const createHomarrContainer = () => {
 }
 return new GenericContainer("homarr-e2e")
- .withEnvironment({
- AUTH_SECRET: "secret",
- })
 .withExposedPorts(7575)
 .withWaitStrategy(Wait.forHttp("/api/health/ready", 7575));
 };
diff --git a/packages/auth/configuration.ts b/packages/auth/configuration.ts
index 4c00a0b20..f13765536 100644
--- a/packages/auth/configuration.ts
+++ b/packages/auth/configuration.ts
@@ -89,7 +89,6 @@ export const createConfiguration = (
 signIn: createSignInEventHandler(db),
 },
 redirectProxyUrl: createRedirectUri(headers, "/api/auth"),
- secret: "secret-is-not-defined-yet", // TODO: This should be added later
 session: {
 strategy: "database",
 maxAge: env.AUTH_SESSION_EXPIRY_TIME,
diff --git a/scripts/generateEncryptionKey.js b/scripts/generateRandomSecureKey.js
similarity index 65%
rename from scripts/generateEncryptionKey.js
rename to scripts/generateRandomSecureKey.js
index 1fc7fdbfe..4813ae6a5 100644
--- a/scripts/generateEncryptionKey.js
+++ b/scripts/generateRandomSecureKey.js
@@ -1,6 +1,6 @@
-// This script generates a random encryption key
-// This key is used to encrypt and decrypt the integration secrets
-// In production it is generated in run.sh and stored in the environment variable ENCRYPTION_KEY
+// This script generates a random secure key with a length of 64 characters
+// This key is used to encrypt and decrypt the integration secrets for auth.js
+// In production it is generated in run.sh and stored in the environment variables ENCRYPTION_KEY / AUTH_SECRET
 // during runtime, it's also stored in a file.
 const crypto = require("crypto");
diff --git a/scripts/run.sh b/scripts/run.sh
index bc4d9c9b1..d22536ff2 100644
--- a/scripts/run.sh
+++ b/scripts/run.sh
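Review bot: The rewritten second comment line of generateRandomSecureKey.js reads as if auth.js encrypts the integration secrets, while the third line (and the run.sh hunk below, which calls the script once for each) shows the script now serves two separate purposes: its output becomes either `ENCRYPTION_KEY` or `AUTH_SECRET`. I would state the two uses separately: `// This key is used either as ENCRYPTION_KEY (to encrypt and decrypt the integration secrets) or as AUTH_SECRET (the secret auth.js signs with)`. The "64 characters" claim on the first line describes generation code outside the hunk, so it cannot be checked from here.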
@@ -18,11 +18,24 @@ if [ -r /secrets/encryptionKey ]; then
 encryptionKey=$(cat /secrets/encryptionKey)
 else
 echo "Generating encryption key"
- encryptionKey=$(node ./generateEncryptionKey.js)
+ encryptionKey=$(node ./generateRandomSecureKey.js)
 echo $encryptionKey > /secrets/encryptionKey
 fi
 export ENCRYPTION_KEY=$encryptionKey
+# Generates an auth secret if it doesn't exist and saves it to /secrets/authSecret
+# Also sets the AUTH_SECRET environment variable required for auth.js
+authSecret=""
+if [ -r /secrets/authSecret ]; then
+ echo "Auth secret already exists"
+ authSecret=$(cat /secrets/authSecret)
+else
+ echo "Generating auth secret"
+ authSecret=$(node ./generateRandomSecureKey.js)
+ echo $authSecret > /secrets/authSecret
+fi
+export AUTH_SECRET=$authSecret
+
 # Start nginx proxy
 # 1. Replace the HOSTNAME in the nginx template file
 # 2. Create the nginx configuration file from the template
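Review bot: The new `else` branch writes `/secrets/authSecret` and exports `AUTH_SECRET` even when `node ./generateRandomSecureKey.js` produced no output, so a failed generation leaves an empty secret on disk and, because the file is then readable, every later start takes the "Auth secret already exists" path and keeps that empty value; the script's `set` options are outside the hunk, so whether `set -e` would abort the assignment cannot be confirmed from here. The file is also created under the default umask, which unless the image tightens it leaves the secret readable by other users in the container, and `$authSecret` is expanded unquoted in the `echo`. The pre-existing encryption-key branch above has the same shape, so the same treatment applies there. I would fail fast on an empty result and create the file with restricted permissions, as below.
```shell
  echo "Generating auth secret"
  authSecret=$(node ./generateRandomSecureKey.js) || exit 1
  if [ -z "$authSecret" ]; then
    echo "Failed to generate auth secret" >&2
    exit 1
  fi
  (umask 077; echo "$authSecret" > /secrets/authSecret)
# … unchanged: fi / export AUTH_SECRET …
```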