ci: generate auth secret in production (#1681)

* ci: generate auth secret in production

* refactor: remove no longer needed auth-secret from e2e test

* fix: remove static auth secret

Dockerfile

@@ -67,7 +67,7 @@ COPY --from=builder --chown=nextjs:nodejs /app/apps/nextjs/.next/standalone ./
 COPY --from=builder --chown=nextjs:nodejs /app/apps/nextjs/.next/static ./apps/nextjs/.next/static
 COPY --from=builder --chown=nextjs:nodejs /app/apps/nextjs/public ./apps/nextjs/public
 COPY --chown=nextjs:nodejs scripts/run.sh ./run.sh
-COPY --chown=nextjs:nodejs scripts/generateEncryptionKey.js ./generateEncryptionKey.js
+COPY --chown=nextjs:nodejs scripts/generateRandomSecureKey.js ./generateRandomSecureKey.js
 COPY --chown=nextjs:nodejs packages/redis/redis.conf /app/redis.conf
 COPY --chown=nextjs:nodejs nginx.conf /etc/nginx/templates/nginx.conf
 

development/docker-run.cmd

@@ -1 +1 @@
-docker run -p 7575:7575 -e AUTH_SECRET='secrets' homarr:latest
+docker run -p 7575:7575 homarr:latest

e2e/shared/create-homarr-container.ts

@@ -6,9 +6,6 @@ export const createHomarrContainer = () => {
   }
 
   return new GenericContainer("homarr-e2e")
-    .withEnvironment({
-      AUTH_SECRET: "secret",
-    })
     .withExposedPorts(7575)
     .withWaitStrategy(Wait.forHttp("/api/health/ready", 7575));
 };

packages/auth/configuration.ts

@@ -89,7 +89,6 @@ export const createConfiguration = (
       signIn: createSignInEventHandler(db),
     },
     redirectProxyUrl: createRedirectUri(headers, "/api/auth"),
-    secret: "secret-is-not-defined-yet", // TODO: This should be added later
     session: {
       strategy: "database",
       maxAge: env.AUTH_SESSION_EXPIRY_TIME,

scripts/generateRandomSecureKey.js

@@ -1,6 +1,6 @@
-// This script generates a random encryption key
-// This key is used to encrypt and decrypt the integration secrets
-// In production it is generated in run.sh and stored in the environment variable ENCRYPTION_KEY
+// This script generates a random secure key with a length of 64 characters
+// This key is used to encrypt and decrypt the integration secrets for auth.js
+// In production it is generated in run.sh and stored in the environment variables ENCRYPTION_KEY / AUTH_SECRET
 // during runtime, it's also stored in a file.
 
 const crypto = require("crypto");

scripts/run.sh

@@ -18,11 +18,24 @@ if [ -r /secrets/encryptionKey ]; then
     encryptionKey=$(cat /secrets/encryptionKey)
 else
     echo "Generating encryption key"
-    encryptionKey=$(node ./generateEncryptionKey.js)
+    encryptionKey=$(node ./generateRandomSecureKey.js)
     echo $encryptionKey > /secrets/encryptionKey
 fi
 export ENCRYPTION_KEY=$encryptionKey
 
+# Generates an auth secret if it doesn't exist and saves it to /secrets/authSecret
+# Also sets the AUTH_SECRET environment variable required for auth.js
+authSecret=""
+if [ -r /secrets/authSecret ]; then
+    echo "Auth secret already exists"
+    authSecret=$(cat /secrets/authSecret)
+else
+    echo "Generating auth secret"
+    authSecret=$(node ./generateRandomSecureKey.js)
+    echo $authSecret > /secrets/authSecret
+fi
+export AUTH_SECRET=$authSecret
+
 # Start nginx proxy
 # 1. Replace the HOSTNAME in the nginx template file
 # 2. Create the nginx configuration file from the template