feat: Add session secret env var check (#4709)

inovex · Dec 19, 2024 · cc04e1d · cc04e1d
1 parent a7884e7
commit cc04e1d
Show file tree

Hide file tree

Showing 6 changed files with 40 additions and 6 deletions.
diff --git a/deployment/docker/.env.example b/deployment/docker/.env.example
@@ -20,6 +20,8 @@ MICROSOFT_CLIENT_SECRET=
 OIDC_CLIENT_ID=
 OIDC_CLIENT_SECRET=
 OIDC_DISCOVERY_URL=http://oidc.localhost:5556/dex/.well-known/openid-configuration
+# Session Secret
+SESSION_SECRET=
 # Your Postgres Password
 POSTGRES_PASSWORD=
 # Redis if you use it instead of NATS

diff --git a/deployment/docker/docker-compose.yml b/deployment/docker/docker-compose.yml
@@ -30,6 +30,7 @@ services:
       SCRUMLR_AUTH_OIDC_CLIENT_ID: "${OIDC_CLIENT_ID}"
       SCRUMLR_AUTH_OIDC_CLIENT_SECRET: "${OIDC_CLIENT_SECRET}"
       SCRUMLR_AUTH_OIDC_DISCOVERY_URL: "${OIDC_DISCOVERY_URL}"
+      SESSION_SECRET: "${SESSION_SECRET}"
       # SCRUMLR_CONFIG_PATH: "${SCRUMRL_CONFIG_PATH}"
       # Redis variables (if you decide to use Redis instead of NATS)
       SCRUMLR_SERVER_REDIS_HOST: "${REDIS_HOST}"

diff --git a/docs/src/content/docs/self-hosting/docker.md b/docs/src/content/docs/self-hosting/docker.md
@@ -26,7 +26,7 @@ For a new deployment the mandatory variables to fill out are `POSTGRES_PASSWORD`
 
 ### Postgres Password
 
-Make sure to set the `POSTGRES_PASSWORD`variable in your `.env` file to a secure password. For example you can generate a 64 characters long one from the terminal with the following command (if you have `pwgen` installed):
+Make sure to set the `POSTGRES_PASSWORD` variable in your `.env` file to a secure password. For example you can generate a 64 characters long one from the terminal with the following command (if you have `pwgen` installed):
 
 ```sh
 pwgen -s 64 1
@@ -48,6 +48,15 @@ Copy the result of this command and paste it into your `.env` file (with `\n` li
 SCRUMLR_PRIVATE_KEY="-----BEGIN EC PRIVATE KEY-----\n...\n-----END EC PRIVATE KEY-----\n"
 ```
 
+### Session Secret
+
+Make sure to set the `SESSION_SECRET` variable in your `.env` file if you are using an authentication provider.
+You can generate a session secret with
+
+```sh
+pwgen -s 64 1
+```
+
 ## Deployment
 You can now start the deployment using the following command.
 ```sh

diff --git a/docs/src/content/docs/self-hosting/env-vars.md b/docs/src/content/docs/self-hosting/env-vars.md
@@ -159,14 +159,21 @@ SCRUMLR_AUTH_APPLE_CLIENT_SECRET=''
 Required OIDC credentials.
 Only configure if you wish to use generic OpenID Connect Authentication.
 ```bash
-SCRUMLR_AUTH_OIDC_CLIENT_ID
-SCRUMLR_AUTH_OIDC_CLIENT_SECRET
-SCRUMLR_AUTH_OIDC_DISCOVERY_URL
-SCRUMLR_AUTH_OIDC_USER_IDENT_SCOPE
-SCRUMLR_AUTH_OIDC_USER_NAME_SCOPE
+SCRUMLR_AUTH_OIDC_CLIENT_ID=''
+SCRUMLR_AUTH_OIDC_CLIENT_SECRET=''
+SCRUMLR_AUTH_OIDC_DISCOVERY_URL=''
+SCRUMLR_AUTH_OIDC_USER_IDENT_SCOPE=''
+SCRUMLR_AUTH_OIDC_USER_NAME_SCOPE=''
 ```
 Note: Might require larger session store to be active, see [SCRUMLR_ENABLE_EXPERIMENTAL_AUTH_FILE_SYSTEM_STORE](#enable-experimental-file-system-store)
 
+### Session Secret
+The secret for the session. This secret is used by gothic.
+This needs to be configured if you are using an authentication provider.
+```bash
+SESSION_SECRET=''
+```
+
 ### Feedback Webhook URL
 A webhook URL to which feedback should be sent.
 This is not required.

diff --git a/k8s/deployment.yaml b/k8s/deployment.yaml
@@ -80,6 +80,11 @@ spec:
                 secretKeyRef:
                   name: scrumlr-secrets
                   key: WEBHOOK_URL
+            - name: SESSION_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: scrumlr-secrets
+                  key: SESSION_SECRET
             - name: SCRUMLR_BASE_PATH
               value: "/api"
           ports:

diff --git a/server/src/main.go b/server/src/main.go
@@ -219,6 +219,12 @@ func main() {
 				Usage:   "JWT claim to request for the user name",
 				Value:   "profile",
 			}),
+			altsrc.NewStringFlag(&cli.StringFlag{
+				Name:     "session-secret",
+				EnvVars:  []string{"SESSION_SECRET"},
+				Usage:    "Session secret for the authentication provider. Must be provided if an authentication provider is used.",
+				Required: false,
+			}),
 			altsrc.NewBoolFlag(&cli.BoolFlag{
 				Name:    "verbose",
 				Aliases: []string{"v"},
@@ -350,6 +356,10 @@ func run(c *cli.Context) error {
 		}
 	}
 
+	if c.String("session-secret") == "" && len(providersMap) != 0 {
+		return errors.New("you may not start the application without a session secret if an authentication provider is configured")
+	}
+
 	dbConnection := database.New(db, c.Bool("verbose"))
 
 	keyWithNewlines := strings.ReplaceAll(c.String("key"), "\\n", "\n")