The startup error now tells operators exactly where to find the old key value (./data/.jwt_secret) rather than just saying "your old JWT_SECRET". docker-compose.yml and README updated to mark ENCRYPTION_KEY as required and remove the stale "auto-generated" comments.
58 lines
2.5 KiB
TypeScript
58 lines
2.5 KiB
TypeScript
import crypto from 'crypto';
|
|
import fs from 'fs';
|
|
import path from 'path';
|
|
|
|
const dataDir = path.resolve(__dirname, '../data');
|
|
|
|
// JWT_SECRET is always managed by the server — auto-generated on first start and
|
|
// persisted to data/.jwt_secret. Use the admin panel to rotate it; do not set it
|
|
// via environment variable (env var would override a rotation on next restart).
|
|
const jwtSecretFile = path.join(dataDir, '.jwt_secret');
|
|
let _jwtSecret: string;
|
|
|
|
try {
|
|
_jwtSecret = fs.readFileSync(jwtSecretFile, 'utf8').trim();
|
|
} catch {
|
|
_jwtSecret = crypto.randomBytes(32).toString('hex');
|
|
try {
|
|
if (!fs.existsSync(dataDir)) fs.mkdirSync(dataDir, { recursive: true });
|
|
fs.writeFileSync(jwtSecretFile, _jwtSecret, { mode: 0o600 });
|
|
console.log('Generated and saved JWT secret to', jwtSecretFile);
|
|
} catch (writeErr: unknown) {
|
|
console.warn('WARNING: Could not persist JWT secret to disk:', writeErr instanceof Error ? writeErr.message : writeErr);
|
|
console.warn('Sessions will reset on server restart.');
|
|
}
|
|
}
|
|
|
|
// export let so TypeScript's CJS output keeps exports.JWT_SECRET live
|
|
// (generates `exports.JWT_SECRET = JWT_SECRET = newVal` inside updateJwtSecret)
|
|
export let JWT_SECRET = _jwtSecret;
|
|
|
|
// Called by the admin rotate-jwt-secret endpoint to update the in-process
|
|
// binding that all middleware and route files reference.
|
|
export function updateJwtSecret(newSecret: string): void {
|
|
JWT_SECRET = newSecret;
|
|
}
|
|
|
|
// ENCRYPTION_KEY is used to derive at-rest encryption keys for stored secrets
|
|
// (API keys, MFA TOTP secrets, SMTP password, OIDC client secret, etc.).
|
|
// Keeping it separate from JWT_SECRET means you can rotate session tokens without
|
|
// invalidating all stored encrypted data, and vice-versa.
|
|
//
|
|
// Upgrade note: if you already have encrypted data stored under a previous build
|
|
// that used JWT_SECRET for encryption, set ENCRYPTION_KEY to the value of your
|
|
// old JWT_SECRET so existing encrypted values continue to decrypt correctly.
|
|
// After re-saving all credentials via the admin panel you can switch to a new
|
|
// random ENCRYPTION_KEY.
|
|
const ENCRYPTION_KEY: string = process.env.ENCRYPTION_KEY || '';
|
|
|
|
if (!ENCRYPTION_KEY) {
|
|
console.error('FATAL: ENCRYPTION_KEY is not set.');
|
|
console.error('If this occurs after an update, set ENCRYPTION_KEY to the value of your old JWT secret.');
|
|
console.error('Your JWT secret is stored in data/.jwt_secret (host path: ./data/.jwt_secret).');
|
|
console.error('For a fresh install, generate a random key: openssl rand -hex 32');
|
|
process.exit(1);
|
|
}
|
|
|
|
export { ENCRYPTION_KEY };
|