security: remove hardcoded JWT secret and centralize random secret generation

Author: unocelli

docs/Settings.md

@@ -5,8 +5,8 @@ To enable and config the authentication:
 
 ```
 secureEnabled: true,            // enable or diasable
-secretCode: 'frangoteam751',    // secret code to encode the token
+secretCode: '<strong-random-secret>', // secret code to encode the token
 tokenExpiresIn: '1h'            // token expiration delay '1h'=1hour, 60=60seconds, '1d'=1day
 ```
 
-The default user ‘admin’ have the ‘123456’ as password, of course you can change it.
+The default user ‘admin’ have the ‘123456’ as password, of course you can change it.

server/api/index.js

@@ -146,6 +146,10 @@ function init(_server, _runtime) {
                         if (!req.body.secretCode && runtime.settings.secretCode) {
                             req.body.secretCode = runtime.settings.secretCode;
                         }
+                        if (req.body.secureEnabled && !req.body.secretCode) {
+                            req.body.secretCode = utils.generateSecretCode();
+                            runtime.logger.warn('Generated random JWT secret because secureEnabled=true and no secretCode was provided.');
+                        }
                         const prevAuth = {
                             secureEnabled: runtime.settings.secureEnabled,
                             tokenExpiresIn: runtime.settings.tokenExpiresIn,

server/api/jwt-helper.js

@@ -1,9 +1,11 @@
 'use strict';
 
 const jwt = require('jsonwebtoken');
+const utils = require('../runtime/utils');
 
 var secureEnabled = false;
-var secretCode = 'frangoteam751';
+// Runtime fallback secret used only when no persistent secret is configured.
+var secretCode = utils.generateSecretCode();
 var tokenExpiresIn = 60 * 60;   // 60 minutes
 const adminGroups = [-1, 255];
 

server/main.js

@@ -194,6 +194,12 @@ try {
     logger.error('Error loading user settings file: ' + userSettingsFile)
 }
 
+// Ensure secure mode never runs with an empty/static-known JWT secret.
+if (settings.secureEnabled && !settings.secretCode) {
+    settings.secretCode = utils.generateSecretCode();
+    logger.warn('Generated a random JWT secret in memory because secureEnabled=true and secretCode was missing. Persist it in settings for stable sessions across restarts.');
+}
+
 // Check logger
 if (!settings.logDir) {
     settings.logDir = path.resolve(rootDir, '_logs');

server/runtime/utils.js

@@ -1,5 +1,6 @@
 const os = require('os');
 const ip = require('ip');
+const crypto = require('crypto');
 
 'use strict';
 var utils = module.exports = {
@@ -361,5 +362,9 @@ var utils = module.exports = {
             }
         }
         return target;
+    },
+
+    generateSecretCode: function(byteLength = 32) {
+        return crypto.randomBytes(byteLength).toString('hex');
     }
 }

server/settings.default.js

@@ -92,7 +92,7 @@ module.exports = {
 
     // Used to enable security, authentication and authorization and crypt Token
     //secureEnabled: true,
-    //secretCode: 'frangoteam751',
+    //secretCode: '<set-a-strong-random-secret>',
     //tokenExpiresIn: '1h',  // '1h'=1hour, 60=60seconds, '1d'=1day
     //enableRefreshCookieAuth: false, // if true, use refresh token HttpOnly cookie flow
     //refreshTokenExpiresIn: '7d' // '7d'=7days, 12h=12hours, 3600=3600seconds