feat(security): enhance JWT secret auto-generation warning
Add prominent warning messages when JWT secret is auto-generated: - Use multi-line banner format for better visibility - Include actionable guidance for production deployments - Update both setup.go and security_secret_bootstrap.go This helps operators notice the security concern and take appropriate action before deploying to production.
@@ -14,6 +14,7 @@ import (
"github.com/Wei-Shaw/sub2api/ent"
"github.com/Wei-Shaw/sub2api/ent/securitysecret"
"github.com/Wei-Shaw/sub2api/internal/config"
"github.com/Wei-Shaw/sub2api/internal/pkg/logger"
)
const (
@@ -52,7 +53,16 @@ func ensureBootstrapSecrets(ctx context.Context, client *ent.Client, cfg *config
cfg.JWT.Secret = secret
if created {
log.Println("Warning: JWT secret auto-generated and persisted to database. Consider rotating to a managed secret for production.")
// 使用更醒目的告警格式,便于运维识别
log.Println("================================================================================")
log.Println("⚠️ SECURITY WARNING: JWT secret auto-generated and persisted to database")
log.Println(" This secret will be used for all JWT token signing.")
log.Println(" For production deployments, consider:")
log.Println(" 1. Set JWT_SECRET environment variable before first startup")
log.Println(" 2. Or set jwt.secret in config.yaml")
log.Println(" Auto-generated secrets persist across restarts but should be rotated.")
log.Println("================================================================================")
logger.LegacyPrintf("security", "JWT secret auto-generated and persisted. Consider rotating to a managed secret for production.")
}
return nil
}
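Review bot: The eight banner lines added via `log.Println(...)` go through the stdlib logger while the closing summary line and both setup.go hunks use `logger.LegacyPrintf`, so on a deployment whose `logger` package routes to a separate sink (file, journald, an aggregator) only the one-line summary would be captured and the banner this commit exists to surface would be lost; emitting every line as `logger.LegacyPrintf("security", ...)` keeps the whole warning wherever the rest of the security log goes. Two consequences the text omits are worth a line each: the signing key now lives in the application database, so anyone with read access to it (backups, replicas, a SQL injection) can mint valid tokens, and rotating it invalidates every JWT issued so far, e.g. `logger.LegacyPrintf("security", "  Anyone with read access to this database can forge tokens; rotating the secret logs out all users.")`. The guidance `Set JWT_SECRET environment variable before first startup` is not actionable at the moment it prints, because first startup has just happened; say how the persisted value is replaced, or at least whether setting the variable now takes precedence over the stored row — the hunk does not show which. ensureBootstrapSecrets begins before this hunk.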
@@ -297,7 +297,11 @@ func Install(cfg *SetupConfig) error {
return fmt.Errorf("failed to generate jwt secret: %w", err)
}
cfg.JWT.Secret = secret
logger.LegacyPrintf("setup", "%s", "Warning: JWT secret auto-generated. Consider setting a fixed secret for production.")
// 使用更醒目的告警格式
logger.LegacyPrintf("setup", "================================================================================")
logger.LegacyPrintf("setup", "⚠️ SECURITY WARNING: JWT secret auto-generated")
logger.LegacyPrintf("setup", " For production, set JWT_SECRET environment variable or jwt.secret in config.yaml")
logger.LegacyPrintf("setup", "================================================================================")
}
// Test connections
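Review bot: The four banner lines added here are repeated verbatim in AutoSetupFromEnv and already diverge from the banner in security_secret_bootstrap.go (which tells operators to set the variable "before first startup" and that the secret "should be rotated"; this one says neither), so the advice an operator sees depends on which code path generated the secret. A small helper called from both setup paths keeps the wording in one place and is the natural spot to add the consequence the message omits: rotating the secret later invalidates every token signed with the old value. Note also that dropping the old `"%s"` indirection makes the message text itself the format string; that is harmless for these literals, but any future line containing a `%` would be misformatted. Install's body continues outside this hunk on both sides.
```go
// … unchanged: secret generation and cfg.JWT.Secret = secret …
	warnAutoGeneratedJWTSecret("setup")
}

// Elsewhere in setup.go, at top level.
// warnAutoGeneratedJWTSecret prints the production-hardening banner shared by
// Install and AutoSetupFromEnv so both paths give operators the same advice.
func warnAutoGeneratedJWTSecret(component string) {
	logger.LegacyPrintf(component, "================================================================================")
	logger.LegacyPrintf(component, "⚠️  SECURITY WARNING: JWT secret auto-generated")
	logger.LegacyPrintf(component, "  For production, set JWT_SECRET environment variable or jwt.secret in config.yaml")
	logger.LegacyPrintf(component, "  Rotating the secret later invalidates every JWT issued with the old value.")
	logger.LegacyPrintf(component, "================================================================================")
}
```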
@@ -594,7 +598,11 @@ func AutoSetupFromEnv() error {
return fmt.Errorf("failed to generate jwt secret: %w", err)
}
cfg.JWT.Secret = secret
logger.LegacyPrintf("setup", "%s", "Warning: JWT secret auto-generated. Consider setting a fixed secret for production.")
// 使用更醒目的告警格式
logger.LegacyPrintf("setup", "================================================================================")
logger.LegacyPrintf("setup", "⚠️ SECURITY WARNING: JWT secret auto-generated")
logger.LegacyPrintf("setup", " For production, set JWT_SECRET environment variable or jwt.secret in config.yaml")
logger.LegacyPrintf("setup", "================================================================================")
}
// Test database connection
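Review bot: Nothing in the new banner lets an operator later confirm which secret a given instance is actually signing with, which matters once the advice is followed and JWT_SECRET is set on several replicas. A non-reversible fingerprint of the freshly generated value printed next to the warning, e.g. `sum := sha256.Sum256([]byte(secret))` followed by `logger.LegacyPrintf("setup", "  JWT secret fingerprint (sha256, first 4 bytes): %x", sum[:4])`, lets operators compare instances without exposing the secret itself (a truncated hash of a high-entropy value reveals nothing usable; this needs `crypto/sha256` imported in setup.go). The text also does not say whether the generated value is written back to config.yaml; if it is not (the hunk does not show it), every restart through this path would mint a new secret and silently invalidate all outstanding tokens, which is exactly the kind of surprise this warning should name. AutoSetupFromEnv starts and ends outside this hunk.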