feat(api): load API key from systemd credentials with fallback

blackxored · blackxored · commit 2a44e55aead6 · 2025-11-13T15:33:36.000-08:00
If provided, API key is read through systemd credential `api-key` passed to the service and preferred, will fallback to environment var if not present. See: https://systemd.io/CREDENTIALS systemd.system-credentials(7)
diff --git a/server/lib/settings/index.ts b/server/lib/settings/index.ts
@@ -745,19 +745,29 @@ class Settings {
   }
 
   public async regenerateApiKey(): Promise<MainSettings> {
-    this.main.apiKey = this.generateApiKey();
+    this.main.apiKey = await this.generateApiKey();
     await this.save();
     return this.main;
   }
 
-  private generateApiKey(): string {
-    if (process.env.API_KEY) {
+  private async apiKeyFromEnvOrCred(): Promise<string | undefined> {
+    const apiKeyCredential = `${process.env.CREDENTIALS_DIRECTORY}/api-key`;
+
+    try {
+      return fs.readFile(apiKeyCredential, 'utf-8');
+    } catch {
       return process.env.API_KEY;
-    } else {
-      return Buffer.from(`${Date.now()}${randomUUID()}`).toString('base64');
     }
   }
 
+  private async generateApiKey(): Promise<string> {
+    const apiKey = await this.apiKeyFromEnvOrCred();
+
+    return (
+      apiKey || Buffer.from(`${Date.now()}${randomUUID()}`).toString('base64')
+    );
+  }
+
   /**
    * Settings Load
    *
@@ -794,11 +804,12 @@ class Settings {
     // generate keys and ids if it's missing
     let change = false;
     if (!this.data.main.apiKey) {
-      this.data.main.apiKey = this.generateApiKey();
+      this.data.main.apiKey = await this.generateApiKey();
       change = true;
-    } else if (process.env.API_KEY) {
-      if (this.main.apiKey != process.env.API_KEY) {
-        this.main.apiKey = process.env.API_KEY;
+    } else {
+      const apiKey = await this.apiKeyFromEnvOrCred();
+      if (apiKey && this.main.apiKey != apiKey) {
+        this.main.apiKey = apiKey;
       }
     }
     if (!this.data.clientId) {
