From 00c6693b1c1184a994fff241b979d11a63657705 Mon Sep 17 00:00:00 2001 From: Kovah Date: Thu, 24 Mar 2022 00:04:10 +0100 Subject: [PATCH] Reduce .env contents to the bare minimum (#398) - Removes all config values that are not really needed for the most basic setup - Adds a generic standard value for the app key which is checked in the setup middleware and replaced with a secure, random key then --- .env.docker | 67 ++--------------- .env.docker.production | 79 ++------------------ .env.example | 74 +----------------- app/Http/Middleware/SetupCheckMiddleware.php | 22 +++++- config/mail.php | 2 +- config/session.php | 2 +- 6 files changed, 40 insertions(+), 206 deletions(-)
diff --git a/.env.docker b/.env.docker
index 909cdd8e..5f4dd764 100644
--- a/.env.docker
+++ b/.env.docker
@@ -1,71 +1,29 @@
 ## LINKACE CONFIGURATION
 ## Basic app configuration
-# The application name is used internally and may not be changed
-APP_NAME=LinkAce
 COMPOSE_PROJECT_NAME=linkace
-# The URL should be set if you notice issues with URLs generated by Laravel, which might be an issue with
-# nginx configuration or the proxy you use.
-APP_URL=http://localhost
 # The environment is usually 'production' but may be changed to 'local' for development
 APP_ENV=local
 # The app key is generated later, please leave it blank
-APP_KEY=
+APP_KEY=someRandomStringWith32Characters
 # Enable the debug more if you are running into issues or while developing
 APP_DEBUG=true
 # Indicates that the setup was completed and the app can be used now
 SETUP_COMPLETED=false
-# Set the time after a session expires automatically, in minutes. Default is 7 days.
-SESSION_LIFETIME=10080
-
-
-## Backup configuration
-# Enable backups here
-BACKUP_ENABLED=false
-# Choose the destination of the backup. If you set up AWS S3 credentials below you may choose 's3' which is used
-# as a synonym for AWS. Leave blank or set to 'local_backups' if you want to store backups within /storage/app/backups.
-BACKUP_DISK=s3
-# The notification email may be used to get backup notifications
-BACKUP_NOTIFICATION_EMAIL=your@email.com
-# Maximum size of all backups in megabytes
-BACKUP_MAX_SIZE=512
-
-
-## Amazon Web Services (AWS) S3 configuration
-# Define the key ID, the access key, the region and your bucket name here if you want to use AWS S3 for backups.
-AWS_ACCESS_KEY_ID=
-AWS_SECRET_ACCESS_KEY=
-AWS_DEFAULT_REGION=us-east-1
-AWS_BUCKET=
-
-
-## Mail configuration
-MAIL_FROM_ADDRESS=your@email.com
-MAIL_FROM_NAME=LinkAce
-# Set the driver used for sending email here, default is `smtp`
-MAIL_DRIVER=smtp
-# Set the SMTP host and its port here
-MAIL_HOST=smtp.mailtrap.io
-MAIL_PORT=2525
-# Set the username used to connect to the SMTP server here
-MAIL_USERNAME=null
-# Set the password used to connect to the SMTP server here
-MAIL_PASSWORD=null
-# If your SMTP server uses encrypted connections, enable it here by setting the variable to `tls`
-MAIL_ENCRYPTION=null
-
 ## Configuration of the database connection
-## If you are using the standard configuration provided by LinkAce, you can leave all values except the password as
-## they are. Docker will automatically create a linkace database and a corresponding user.
+## Attention: Those settings are configured during the web setup, please do not modify them now.
+# Set the database driver (mysql, pgsql, sqlsrv)
 DB_CONNECTION=mysql
+# Set the host of your database here
 DB_HOST=db
+# Set the port of your database here
 DB_PORT=3306
+# Set the database name here
 DB_DATABASE=linkace
-# Even if you use the standard configuration, please set a secure password here.
+# Set both username and password of the user accessing the database
 DB_USERNAME=linkace
-DB_PASSWORD=changeThisPassword
-
+DB_PASSWORD=ChangeThisToASecurePassword!
 ## Redis cache configuration
 # Set the Redis connection here if you want to use it
@@ -73,7 +31,6 @@ REDIS_HOST=redis
 REDIS_PASSWORD=changeThisPassword
 REDIS_PORT=6379
-
 ## You probably do not want to change any values blow. Only continue if you know what you are doing.
 # Configure various driver
 SESSION_DRIVER=redis
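Review bot: The retained context line `# The app key is generated later, please leave it blank` is now wrong: the hunk replaces the blank value with the fixed placeholder `someRandomStringWith32Characters`, and an operator who follows the comment and blanks it again is not caught by the middleware, which compares against that exact placeholder (`config('app.key') === self::GENERIC_APP_KEY` in SetupCheckMiddleware later in this patch). I would change the comment to `# Leave this placeholder untouched: LinkAce replaces it with a random key on the first request (or run: php artisan key:generate)`. The dev template also keeps `APP_DEBUG=true`, which is fine for a local setup but should never be copied onto a production host.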
@@ -81,11 +38,3 @@ LOG_CHANNEL=stack
 BROADCAST_DRIVER=log
 CACHE_DRIVER=redis
 QUEUE_DRIVER=database
-
-## Using Redis sockets
-# If you want to use Redis via a Unix socket, you can remove the hash before the following lines, but remove one before
-# the "CACHE_DRIVER" line above. Also, set a proper path to your Redis socket.
-#CACHE_DRIVER=redis-socket
-#SESSION_CONNECTION=redis-socket
-#REDIS_SCHEME=unix
-#REDIS_PATH=/path/to/redis.sock
diff --git a/.env.docker.production b/.env.docker.production
index 758cd60d..8cf679c2 100644
--- a/.env.docker.production
+++ b/.env.docker.production
@@ -1,91 +1,28 @@
 ## LINKACE CONFIGURATION
 ## Basic app configuration
-# The application name is used internally and may not be changed
-APP_NAME=LinkAce
 COMPOSE_PROJECT_NAME=linkace
-# The URL should be set if you notice issues with URLs generated by Laravel, which might be an issue with
-# nginx configuration or the proxy you use.
-APP_URL=http://localhost
-# The environment is usually 'production' but may be changed to 'local' for development
-APP_ENV=production
 # The app key is generated later, please leave it blank
-APP_KEY=
-# Enable the debug more if you are running into issues or while developing
-APP_DEBUG=false
+APP_KEY=someRandomStringWith32Characters
 # Indicates that the setup was completed and the app can be used now
 SETUP_COMPLETED=false
-# Set the time after a session expires automatically, in minutes. Default is 7 days.
-SESSION_LIFETIME=10080
-
-
-## Backup configuration
-# Enable backups here
-BACKUP_ENABLED=false
-# Choose the destination of the backup. If you set up AWS S3 credentials below you may choose 's3' which is used
-# as a synonym for AWS. Leave blank or set to 'local_backups' if you want to store backups within /storage/app/backups.
-BACKUP_DISK=s3
-# The notification email may be used to get backup notifications
-BACKUP_NOTIFICATION_EMAIL=your@email.com
-# Maximum size of all backups in megabytes
-BACKUP_MAX_SIZE=512
-
-
-## Amazon Web Services (AWS) S3 configuration
-# Define the key ID, the access key, the region and your bucket name here if you want to use AWS S3 for backups.
-AWS_ACCESS_KEY_ID=
-AWS_SECRET_ACCESS_KEY=
-AWS_DEFAULT_REGION=us-east-1
-AWS_BUCKET=
-
-
-## Mail configuration
-MAIL_FROM_ADDRESS=your@email.com
-MAIL_FROM_NAME=LinkAce
-# Set the driver used for sending email here, default is `smtp`
-MAIL_DRIVER=smtp
-# Set the SMTP host and its port here
-MAIL_HOST=smtp.mailtrap.io
-MAIL_PORT=2525
-# Set the username used to connect to the SMTP server here
-MAIL_USERNAME=null
-# Set the password used to connect to the SMTP server here
-MAIL_PASSWORD=null
-# If your SMTP server uses encrypted connections, enable it here by setting the variable to `tls`
-MAIL_ENCRYPTION=null
-
 ## Configuration of the database connection
-## If you are using the standard configuration provided by LinkAce, you can leave all values except the password as
-## they are. Docker will automatically create a linkace database and a corresponding user.
+## Attention: Those settings are configured during the web setup, please do not modify them now.
+# Set the database driver (mysql, pgsql, sqlsrv)
 DB_CONNECTION=mysql
+# Set the host of your database here
 DB_HOST=db
+# Set the port of your database here
 DB_PORT=3306
+# Set the database name here
 DB_DATABASE=linkace
-# Even if you use the standard configuration, please set a secure password here.
+# Set both username and password of the user accessing the database
 DB_USERNAME=linkace
 DB_PASSWORD=ChangeThisToASecurePassword!
-
 ## Redis cache configuration
 # Set the Redis connection here if you want to use it
 REDIS_HOST=redis
-REDIS_PASSWORD=ChangeThisToASecurePassword!
+REDIS_PASSWORD=changeThisPassword
 REDIS_PORT=6379
-
-
-## You probably do not want to change any values blow. Only continue if you know what you are doing.
-# Configure various driver
-SESSION_DRIVER=file
-LOG_CHANNEL=stack
-BROADCAST_DRIVER=log
-CACHE_DRIVER=file
-QUEUE_DRIVER=database
-
-## Using Redis sockets
-# If you want to use Redis via a Unix socket, you can remove the hash before the following lines, but remove one before
-# the "CACHE_DRIVER" line above. Also, set a proper path to your Redis socket.
-#CACHE_DRIVER=redis-socket
-#SESSION_CONNECTION=redis-socket
-#REDIS_SCHEME=unix
-#REDIS_PATH=/path/to/redis.sock
diff --git a/.env.example b/.env.example
index 70a9da82..bd845be8 100644
--- a/.env.example
+++ b/.env.example
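Review bot: `REDIS_PASSWORD` regresses from `ChangeThisToASecurePassword!` to `changeThisPassword` in the production template, a weaker placeholder that is also inconsistent with the `DB_PASSWORD` line a few lines above; I would keep `REDIS_PASSWORD=ChangeThisToASecurePassword!`. The hunk also drops `APP_ENV=production` and `APP_DEBUG=false`, so whether a production container exposes stack traces now rests entirely on the defaults in config/app.php, which this patch does not show; stock Laravel defaults to `production`/`false`, but an explicit `APP_DEBUG=false` in the production template is cheap insurance against that default ever changing. The retained comment `# The app key is generated later, please leave it blank` no longer matches the placeholder value right below it, and a blanked key would not be recognised by the middleware's exact-match check.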
@@ -1,58 +1,10 @@
 ## LINKACE CONFIGURATION
 ## Basic app configuration
-# The application name is used internally and may not be changed
-APP_NAME=LinkAce
-# The URL should be set if you notice issues with URLs generated by Laravel, which might be an issue with
-# nginx configuration or the proxy you use.
-APP_URL=http://localhost
-# The environment is usually 'production' but may be changed to 'local' for development
-APP_ENV=production
 # The app key is generated later, please leave it blank
-APP_KEY=
-# Enable the debug more if you are running into issues or while developing
-APP_DEBUG=false
+APP_KEY=someRandomStringWith32Characters
 # Indicates that the setup was completed and the app can be used now
 SETUP_COMPLETED=false
-# Set the time after a session expires automatically, in minutes. Default is 7 days.
-SESSION_LIFETIME=10080
-
-
-## Backup configuration
-# Enable backups here
-BACKUP_ENABLED=false
-# Choose the destination of the backup. If you set up AWS S3 credentials below you may choose 'cloud' which is used
-# as a synonym for AWS. Leave blank or set to 'local_backups' if you want to store backups within /storage/app/backups.
-BACKUP_DISK=s3
-# The notification email may be used to get backup notifications, Mail must be configured for this to work!
-BACKUP_NOTIFICATION_EMAIL=your@email.com
-# Maximum size of the backups in megabytes
-BACKUP_MAX_SIZE=512
-
-
-## Amazon Web Services (AWS) S3 configuration
-# Define the key ID, the access key, the region and your bucket name here if you want to use AWS S3 for backups.
-AWS_ACCESS_KEY_ID=
-AWS_SECRET_ACCESS_KEY=
-AWS_DEFAULT_REGION=us-east-1
-AWS_BUCKET=
-
-
-## Mail configuration
-MAIL_FROM_ADDRESS=your@email.com
-MAIL_FROM_NAME=LinkAce
-# Set the driver used for sending email here, default is `smtp`
-MAIL_DRIVER=smtp
-# Set the SMTP host and its port here
-MAIL_HOST=smtp.mailtrap.io
-MAIL_PORT=2525
-# Set the username used to connect to the SMTP server here
-MAIL_USERNAME=null
-# Set the password used to connect to the SMTP server here
-MAIL_PASSWORD=null
-# If your SMTP server uses encrypted connections, enable it here by setting the variable to `tls`
-MAIL_ENCRYPTION=null
-
 ## Configuration of the database connection
 ## Attention: Those settings are configured during the web setup, please do not modify them now.
@@ -67,27 +19,3 @@ DB_DATABASE=linkace
 # Set both username and password of the user accessing the database
 DB_USERNAME=linkace
 DB_PASSWORD=ChangeThisToASecurePassword!
-
-
-## Redis cache configuration
-# Set the Redis connection here if you want to use it
-REDIS_HOST=127.0.0.1
-REDIS_PASSWORD=ChangeThisToASecurePassword!
-REDIS_PORT=6379
-
-
-## You probably do not want to change any values below. Only continue if you know what you are doing.
-## If you are using Redis, you may switch SESSION_DRIVER and CACHE_DRIVER to "redis" to improve performance.
-SESSION_DRIVER=file
-LOG_CHANNEL=stack
-BROADCAST_DRIVER=log
-CACHE_DRIVER=file
-QUEUE_DRIVER=database
-
-## Using Redis sockets
-# If you want to use Redis via a Unix socket, you can remove the hash before the following lines, but remove one before
-# the "CACHE_DRIVER" line above. Also, set a proper path to your Redis socket.
-#CACHE_DRIVER=redis-socket
-#SESSION_CONNECTION=redis-socket
-#REDIS_SCHEME=unix
-#REDIS_PATH=/path/to/redis.sock
diff --git a/app/Http/Middleware/SetupCheckMiddleware.php b/app/Http/Middleware/SetupCheckMiddleware.php
index c6220a5c..d95a8bd6 100644
--- a/app/Http/Middleware/SetupCheckMiddleware.php
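Review bot: The placeholder `APP_KEY=someRandomStringWith32Characters` is recognised only by an exact string comparison in SetupCheckMiddleware, so an operator who "customises" it to any other 32-character string of their own passes that check and runs with a low-entropy, hand-typed encryption key and no warning; the comment above it should say so instead of `please leave it blank`, e.g. `# Do not edit this placeholder: LinkAce replaces it with a random key on the first request, or run php artisan key:generate`. As in the Docker templates, `APP_ENV=production` and `APP_DEBUG=false` are removed here, so a non-Docker install now relies on config/app.php defaults that are not part of this patch; keeping `APP_DEBUG=false` in the example file is a cheap safeguard. The dropped `SESSION_LIFETIME=10080` is compensated by the config/session.php default change at the end of this patch.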
+++ b/app/Http/Middleware/SetupCheckMiddleware.php
@@ -3,12 +3,18 @@
 namespace App\Http\Middleware;
 use Closure;
+use Illuminate\Encryption\Encrypter;
 use Illuminate\Http\Request;
+use Illuminate\Support\Facades\File;
+use Illuminate\Support\Facades\Log;
 class SetupCheckMiddleware
 {
+ public const GENERIC_APP_KEY = 'someRandomStringWith32Characters';
+
 /**
- * Handle an incoming request.
+ * This middleware checks if LinkAce was correctly set up:
+ * Is a proper app key set and was the setup completed correctly?
 *
 * @param Request $request
 * @param Closure $next
@@ -16,6 +22,15 @@ class SetupCheckMiddleware
 */
 public function handle(Request $request, Closure $next)
 {
+ if (config('app.key') === self::GENERIC_APP_KEY) {
+ $envContent = File::get(base_path('.env'));
+ $envContent = preg_replace('/APP_KEY=(.*)\S/', 'APP_KEY=' . $this->generateRandomAppKey(), $envContent);
+ File::put(base_path('.env'), $envContent);
+
+ Log::warning('APP_KEY variable contained insecure standard value. New key was generated.');
+ return redirect()->refresh();
+ }
+
 if ($request->is('setup/*')) {
 if (config('app.setup_completed') === true) {
 // Do not allow access to setup after it was completed
@@ -33,4 +48,9 @@ class SetupCheckMiddleware
 return $next($request);
 }
+
+ protected function generateRandomAppKey(): string
+ {
+ return 'base64:' . base64_encode(Encrypter::generateKey(config('app.cipher')));
+ }
 }
diff --git a/config/mail.php b/config/mail.php
index 3c65eb3f..6707c712 100644
--- a/config/mail.php
+++ b/config/mail.php
@@ -57,7 +57,7 @@ return [
 'from' => [
 'address' => env('MAIL_FROM_ADDRESS', 'hello@example.com'),
- 'name' => env('MAIL_FROM_NAME', 'Example'),
+ 'name' => env('MAIL_FROM_NAME', 'LinkAce'),
 ],
 /*
diff --git a/config/session.php b/config/session.php
index be5ab5e2..0029bff3 100644
--- a/config/session.php
+++ b/config/session.php
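Review bot: With a cached configuration (`php artisan config:cache`, the usual production setup) `config('app.key')` keeps returning the placeholder after the `.env` rewrite, so the added block in `handle` rewrites `.env` and issues `redirect()->refresh()` on every request — an endless redirect loop in which the new key never takes effect. The rewrite also assumes `.env` exists and is writable by the PHP worker (`File::get` throws if it is missing and the result of `File::put` is ignored), and `/APP_KEY=(.*)\S/` is unanchored, so a commented-out or prefixed `…APP_KEY=` line would be rewritten instead of the real one; if the key is injected through the container environment rather than a file, this path presumably cannot work at all. I would anchor the pattern, fail loudly when the replacement or the write did not happen, and clear the cached config before redirecting (`Artisan` needs an import not shown here). Two first requests arriving concurrently can each write a different key with the last write winning, which is harmless before anything has been encrypted but deserves a comment. The body of `handle` continues outside the hunk.
```php
if (config('app.key') === self::GENERIC_APP_KEY) {
    $envPath = base_path('.env');
    // Anchored and limited to one match so only the real APP_KEY line is touched.
    $envContent = preg_replace('/^APP_KEY=.*$/m', 'APP_KEY=' . $this->generateRandomAppKey(), File::get($envPath), 1, $replaced);
    if ($replaced !== 1 || File::put($envPath, $envContent) === false) {
        Log::error('APP_KEY contains the insecure standard value and could not be replaced; run `php artisan key:generate`.');
        abort(500);
    }
    // A cached config would keep returning the placeholder and loop on the redirect below.
    Artisan::call('config:clear');

    Log::warning('APP_KEY variable contained insecure standard value. New key was generated.');
    return redirect()->refresh();
}
// … unchanged: setup/* gating …
```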
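Review bot: `generateRandomAppKey` has no docblock although it produces the application's encryption key; I would add `/** Generate a fresh APP_KEY in the base64: form the Encrypter accepts, sized for the configured app.cipher (the same shape `php artisan key:generate` writes). */` above it. `Encrypter::generateKey` is the right source of randomness here, so the hunk itself needs no code change.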
@@ -31,7 +31,7 @@ return [
 |
 */
- 'lifetime' => env('SESSION_LIFETIME', 120),
+ 'lifetime' => env('SESSION_LIFETIME', 10080),
 'expire_on_close' => false,
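Review bot: Raising the config-level default from 120 to 10080 minutes makes a seven-day idle session the behaviour of every install whose `.env` does not set `SESSION_LIFETIME`, and this same patch removes that line from all three templates, so the long lifetime is now a silent default rather than an explicit operator choice. The `|`/`*/` comment block above the hunk still describes the option generically; I would add a line there saying that LinkAce deliberately defaults to 7 days and that operators on shared machines should set `SESSION_LIFETIME` lower in `.env`. `expire_on_close` stays `false`, so the cookie survives browser restarts for the whole window; the `return [` array the hunk sits in starts and ends outside it.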