externalize login server secrets, now configurable

2026-03-01 12:44:43 +00:00 · 2021-11-04 02:18:19 +01:00 · 2021-11-04 02:18:19 +01:00 · 2bd63985b2
commit 2bd63985b2
parent ab64185275
3 changed files with 14 additions and 7 deletions
--- a/backend/.env.dist
+++ b/backend/.env.dist
@ -18,4 +18,6 @@ DB_DATABASE=gradido_community
 COMMUNITY_NAME=
 COMMUNITY_URL=
 COMMUNITY_REGISTER_URL=
-COMMUNITY_DESCRIPTION=
+COMMUNITY_DESCRIPTION=
+LOGIN_APP_SECRET=21ffbbc616fe
+LOGIN_SERVER_KEY=a51ef8ac7ef1abf162fb7a65261acd7a
--- a/backend/src/config/index.ts
+++ b/backend/src/config/index.ts
@ -39,9 +39,14 @@ const community = {
    process.env.COMMUNITY_DESCRIPTION || 'Die lokale Entwicklungsumgebung von Gradido.',
 }

+const loginServer = {
+  LOGIN_APP_SECRET: process.env.LOGIN_APP_SECRET || '21ffbbc616fe',
+  LOGIN_SERVER_KEY: process.env.LOGIN_SERVER_KEY || 'a51ef8ac7ef1abf162fb7a65261acd7a',
+}
+
 // This is needed by graphql-directive-auth
 process.env.APP_SECRET = server.JWT_SECRET

-const CONFIG = { ...server, ...database, ...klicktipp, ...community }
+const CONFIG = { ...server, ...database, ...klicktipp, ...community, ...loginServer }

 export default CONFIG
--- a/backend/src/graphql/resolver/UserResolver.ts
+++ b/backend/src/graphql/resolver/UserResolver.ts
@ -142,9 +142,9 @@ const KeyPairEd25519Create = (passphrase: string[]): Buffer[] => {

 const SecretKeyCryptographyCreateKey = (salt: string, password: string): Buffer[] => {
  // TODO: put that in the actual config
-  const configCryptoAppSecret = Buffer.from('21ffbbc616fe', 'hex')
-  const configCryptoServerKey = Buffer.from('a51ef8ac7ef1abf162fb7a65261acd7a', 'hex')
-  if (configCryptoServerKey.length !== sodium.crypto_shorthash_KEYBYTES) {
+  const configLoginAppSecret = Buffer.from(CONFIG.LOGIN_APP_SECRET, 'hex')
+  const configLoginServerKey = Buffer.from(CONFIG.LOGIN_SERVER_KEY, 'hex')
+  if (configLoginServerKey.length !== sodium.crypto_shorthash_KEYBYTES) {
    throw new Error(
      `ServerKey has an invalid size. The size must be ${sodium.crypto_shorthash_KEYBYTES} bytes.`,
    )
@ -153,7 +153,7 @@ const SecretKeyCryptographyCreateKey = (salt: string, password: string): Buffer[
  const state = Buffer.alloc(sodium.crypto_hash_sha512_STATEBYTES)
  sodium.crypto_hash_sha512_init(state)
  sodium.crypto_hash_sha512_update(state, Buffer.from(salt))
-  sodium.crypto_hash_sha512_update(state, Buffer.from(configCryptoAppSecret))
+  sodium.crypto_hash_sha512_update(state, configLoginAppSecret)
  const hash = Buffer.alloc(sodium.crypto_hash_sha512_BYTES)
  sodium.crypto_hash_sha512_final(state, hash)

@ -171,7 +171,7 @@ const SecretKeyCryptographyCreateKey = (salt: string, password: string): Buffer[
  )

  const encryptionKeyHash = Buffer.alloc(sodium.crypto_shorthash_BYTES)
-  sodium.crypto_shorthash(encryptionKeyHash, encryptionKey, configCryptoServerKey)
+  sodium.crypto_shorthash(encryptionKeyHash, encryptionKey, configLoginServerKey)

  return [encryptionKeyHash, encryptionKey]
 }