config: deal with "secret" security hazard

jesec · jesec · commit d137107ac908 · 2020-08-22T23:43:04.000+08:00
If you provide a default, people WILL use it. It is a security hazard if people use the default private psk to sign auth messages. Flood usuaully has privileges to files. A potential intruder may download files inside Flood and that will lead to arbitrary remote code execution, not to mention rTorrent's rich and powerful script interface. This change makes sure there is NO default and build shall NOT pass before user provides a secret. Bug: Flood-UI/flood#589
diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml
@@ -25,3 +25,5 @@ jobs:
     - run: cp config.template.js config.js
     - run: npm install
     - run: npm run build
+      env:
+        FLOOD_SECRET: ${{ secrets.FLOOD_SECRET }}
diff --git a/.github/workflows/check-compiled-i18n.yml b/.github/workflows/check-compiled-i18n.yml
@@ -25,3 +25,5 @@ jobs:
     - run: cp config.template.js config.js
     - run: npm install
     - run: npm run check-compiled-i18n
+      env:
+        FLOOD_SECRET: ${{ secrets.FLOOD_SECRET }}
diff --git a/.github/workflows/check-source-formatting.yml b/.github/workflows/check-source-formatting.yml
@@ -25,3 +25,5 @@ jobs:
     - run: cp config.template.js config.js
     - run: npm install
     - run: npm run check-source-formatting
+      env:
+        FLOOD_SECRET: ${{ secrets.FLOOD_SECRET }}
diff --git a/.github/workflows/check-types.yml b/.github/workflows/check-types.yml
@@ -25,3 +25,5 @@ jobs:
     - run: cp config.template.js config.js
     - run: npm install
     - run: npm run check-types
+      env:
+        FLOOD_SECRET: ${{ secrets.FLOOD_SECRET }}
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
@@ -25,3 +25,5 @@ jobs:
     - run: cp config.template.js config.js
     - run: npm install
     - run: npm run lint
+      env:
+        FLOOD_SECRET: ${{ secrets.FLOOD_SECRET }}
diff --git a/config.docker.js b/config.docker.js
@@ -5,7 +5,8 @@ const CONFIG = {
   floodServerPort: 3000,
   maxHistoryStates: 30,
   pollInterval: 1000 * 5,
-  secret: process.env.FLOOD_SECRET || 'flood',
+  // eslint-disable-next-line no-undef
+  secret: process.env.FLOOD_SECRET || CHANGE_ME,
   scgi: {
     host: process.env.RTORRENT_SCGI_HOST || 'localhost',
     port: process.env.RTORRENT_SCGI_PORT || 5000,
diff --git a/config.template.js b/config.template.js
@@ -51,9 +51,11 @@ const CONFIG = {
   maxHistoryStates: 30,
   // How often (in milliseconds) Flood will request the torrent list from.
   torrentClientPollInterval: 1000 * 2,
-  // A unique secret for signing messages with JWT (see https://jwt.io). Change
-  // this to something unique and hard to guess.
-  secret: 'flood',
+  // A unique secret for signing messages with JWT (see https://jwt.io).
+  // Change this to something unique and hard to guess.
+  // You can use 'uuidgen' or 'cat /proc/sys/kernel/random/uuid' or 'uuidgenerator.net'.
+  // eslint-disable-next-line no-undef
+  secret: process.env.FLOOD_SECRET || CHANGE_ME,
   // Configuration for SSL, if using SSL with the Flood service directly.
   ssl: false,
   sslKey: '/absolute/path/to/key/',
