New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Gogs service password handling improvements #25116
Conversation
I was getting a secret key like this: [security] SECRET_KEY = 7X Use coreutils base64 instead to get the full 256 bits of randomness.
@rvl, thanks for your PR! By analyzing the history of the files in this pull request, we identified @schneefux and @jgertm to be potential reviewers. |
Directory which contains the config file /var/lib/gogs already has mode 700 but users are liable to change these things.
nixos/modules/services/misc/gogs.nix
Outdated
KEY=$(head -c 16 /dev/urandom | tr -dc A-Za-z0-9) | ||
sed -i "s,#secretkey#,$KEY,g" ${cfg.stateDir}/custom/conf/app.ini | ||
cp -f ${configFile} ${runConfig} | ||
KEY=$(head -c 16 /dev/urandom | base64) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it good practice to regenerate this secret key on every start? I could imagine that this will invalidate all session cookies?
cc @unknwon
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is an oversight by me, the key should only be written once.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was thinking the same thing, so I tried restarting gogs but didn't lose my login session. Let us knwo @unknwon
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I have pushed a fix to generate the key first time, but am now slightly concerned that the SECRET_KEY
setting isn't being used.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK, the SECRET_KEY
setting isn't used for session cookies. There seem to be two session cookies and two different ways of generating them. One encrypts with the user's password, the other I'm not sure.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Mic92: I think we are OK from the NixOS module side. I have changed it so that SECRET_KEY
is only generated on the first start. After checking the Gogs code I have found that SECRET_KEY
is used for 2-factor auth and CSRF token generation. Session cookies are generated from user password + random.
Motivation for this change
Part of #24288.
Tested on nixos-unstable branch, https://git.rodney.id.au/rodney/nixpkgs
/cc @schneefux @basvandijk
Things done
(nix.useSandbox on NixOS,
or option
build-use-sandbox
innix.conf
on non-NixOS)
nix-shell -p nox --run "nox-review wip"
./result/bin/
)