fix: harden Docker auth signing secrets#425
Open
DivyamTalwar wants to merge 1 commit into
Open
Conversation
Authenticated Docker deployments could start with missing or placeholder signing material, including a development session secret. This fails fast for weak auth secrets, generates session secrets in hosted installers, and keeps Docker secret delivery compatible with both optional .env files and shell-injected CI environments. Constraint: Preserve bypass-mode local development defaults, keep blank LOCAL_URI_PASSWORD as the disabled /local/generate_uri state, and avoid making .env mandatory for CI/secret-manager deployments. Rejected: Raw Compose env_file parsing | it raises the Compose requirement and conflicts with preserving shell-injected secret workflows. Rejected: Compose required-variable syntax | it would break bypass-mode local development before app-level config can apply defaults. Confidence: high Scope-risk: moderate Directive: Keep LOCAL_URI_PASSWORD optional at startup; validate it only when configured with a nonblank value. Tested: .venv/bin/python -m pytest core/tests/unit/test_config_auth_secrets.py core/tests/unit/test_installer_auth_env.py -q (58 passed, 1 skipped); bash -n install_docker.sh && bash -n install_and_start.sh; .venv/bin/python -m py_compile core/config.py core/api.py core/local_uri.py core/tests/unit/test_config_auth_secrets.py core/tests/unit/test_installer_auth_env.py; uv run ty check core/tests/unit/test_installer_auth_env.py core/tests/unit/test_config_auth_secrets.py core/local_uri.py; git diff --check Not-tested: PowerShell parser execution skipped locally because pwsh/powershell is unavailable; ruff unavailable in local project environment.
DivyamTalwar
marked this pull request as ready for review
July 3, 2026 20:57
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This hardens authenticated self-hosted Docker setups by requiring non-placeholder signing secrets of at least 32 characters when
bypass_auth_mode = false. The Docker installers now generate aSESSION_SECRET_KEYalongside the existing generated JWT secret, Docker Compose no longer falls back to a placeholder JWT secret, and startup validation rejects missing, blank, placeholder, or too-short JWT/session signing secrets.LOCAL_URI_PASSWORDremains optional at startup because blank or unset values disable/local/generate_uri, but if it is configured, the app and hosted Docker installers now reject placeholder or too-short values before serving requests.The Docker guide and hosted installers now require Docker Compose 2.24.0 or newer so
.envcan be optional while shell/CI secret injection continues to work. The Docker quick start also now creates.envbeforedocker compose up --buildso new users get both required signing secrets before startup.Changes
SESSION_SECRET_KEYin both hosted Docker installers..envfiles to the current user after creation and updates, including stricter Windows ACL cleanup.LOCAL_URI_PASSWORDterminal input in the hosted Docker installers.JWT_SECRET_KEY:-your-secret-key-herefallback and pass through auth secrets explicitly from.envor the shell..envoptional in Compose so CI and secret-manager workflows can still injectJWT_SECRET_KEY,SESSION_SECRET_KEY, andLOCAL_URI_PASSWORDthrough the process environment.env_filesupport is used..envwith separate generated JWT and session secrets before the first Compose run.JWT_SECRET_KEYandSESSION_SECRET_KEYwhen auth bypass is disabled.LOCAL_URI_PASSWORDvalues while keeping a missing/blank local URI password as the disabled state for/local/generate_uri./local/generate_uriwhenLOCAL_URI_PASSWORDis blank or unset..envwiring, shell-secret injection, installer validation failure behavior, endpoint disabled behavior, and Docker docs.Why this matters
Self-hosted Docker deployments with authentication enabled should not silently use shared development signing secrets. Missing or placeholder session signing keys are especially risky because Starlette sessions depend on
SESSION_SECRET_KEY, while the old Compose JWT fallback could hide a missing production secret from runtime validation.Tests
Commands run:
.venv/bin/python -m pytest core/tests/unit/test_config_auth_secrets.py core/tests/unit/test_installer_auth_env.py -q— passed (58 passed, 1 skipped)bash -n install_docker.sh && bash -n install_and_start.sh— passed.venv/bin/python -m py_compile core/config.py core/api.py core/local_uri.py core/tests/unit/test_config_auth_secrets.py core/tests/unit/test_installer_auth_env.py— passeduv run ty check core/tests/unit/test_installer_auth_env.py core/tests/unit/test_config_auth_secrets.py core/local_uri.py— passedgit diff --check— passedNot run successfully:
uv run ruff check core/config.py core/api.py core/tests/unit/test_config_auth_secrets.py core/tests/unit/test_installer_auth_env.py— failed becauseruffis not installed in the local project environment.uv run ruff format --check core/config.py core/api.py core/tests/unit/test_config_auth_secrets.py core/tests/unit/test_installer_auth_env.py— failed becauseruffis not installed in the local project environment.pwshnorpowershellis installed. The test is present and will run where PowerShell is available.Risk
Risk level: medium
This intentionally changes startup behavior for
bypass_auth_mode = false: missing, blank, placeholder, or short JWT/session signing secrets now fail fast instead of falling back to unsafe defaults. Missing/blankLOCAL_URI_PASSWORDremains compatible as the disabled state for/local/generate_uri; only configured placeholder or too-short local URI passwords now fail validation. Rollback is straightforward by reverting this commit, but doing so would restore unsafe fallback behavior.Issue
No existing issue. This was discovered during repository analysis and follow-up security review of the self-hosted Docker path.
Notes for maintainers