Encrypt OTP secret

2025-10-05 19:42:24 +02:00 · 2022-10-10 11:12:23 +02:00 · 2022-10-10 11:12:23 +02:00 · a3e5f804ad
commit a3e5f804ad
parent a0da6f90d1
16 changed files with 149 additions and 18 deletions
--- a/server/initializers/checker-after-init.ts
+++ b/server/initializers/checker-after-init.ts
@ -42,6 +42,7 @@ function checkConfig () {
    logger.warn('services.csp-logger configuration has been renamed to csp.report_uri. Please update your configuration file.')
  }

+  checkSecretsConfig()
  checkEmailConfig()
  checkNSFWPolicyConfig()
  checkLocalRedundancyConfig()
@ -103,6 +104,12 @@ export {

 // ---------------------------------------------------------------------------

+function checkSecretsConfig () {
+  if (!CONFIG.SECRETS.PEERTUBE) {
+    throw new Error('secrets.peertube is missing in config. Generate one using `openssl rand -hex 32`')
+  }
+}
+
 function checkEmailConfig () {
  if (!isEmailEnabled()) {
    if (CONFIG.SIGNUP.ENABLED && CONFIG.SIGNUP.REQUIRES_EMAIL_VERIFICATION) {
--- a/server/initializers/checker-before-init.ts
+++ b/server/initializers/checker-before-init.ts
@ -11,6 +11,7 @@ const config: IConfig = require('config')
 function checkMissedConfig () {
  const required = [ 'listen.port', 'listen.hostname',
    'webserver.https', 'webserver.hostname', 'webserver.port',
+    'secrets.peertube',
    'trust_proxy',
    'database.hostname', 'database.port', 'database.username', 'database.password', 'database.pool.max',
    'smtp.hostname', 'smtp.port', 'smtp.username', 'smtp.password', 'smtp.tls', 'smtp.from_address',
--- a/server/initializers/config.ts
+++ b/server/initializers/config.ts
@ -20,6 +20,9 @@ const CONFIG = {
    PORT: config.get<number>('listen.port'),
    HOSTNAME: config.get<string>('listen.hostname')
  },
+  SECRETS: {
+    PEERTUBE: config.get<string>('secrets.peertube')
+  },
  DATABASE: {
    DBNAME: config.has('database.name') ? config.get<string>('database.name') : 'peertube' + config.get<string>('database.suffix'),
    HOSTNAME: config.get<string>('database.hostname'),
--- a/server/initializers/constants.ts
+++ b/server/initializers/constants.ts
@ -1,5 +1,5 @@
 import { RepeatOptions } from 'bullmq'
-import { randomBytes } from 'crypto'
+import { Encoding, randomBytes } from 'crypto'
 import { invert } from 'lodash'
 import { join } from 'path'
 import { randomInt, root } from '@shared/core-utils'
@ -637,6 +637,13 @@ let PRIVATE_RSA_KEY_SIZE = 2048
 // Password encryption
 const BCRYPT_SALT_SIZE = 10

+const ENCRYPTION = {
+  ALGORITHM: 'aes-256-cbc',
+  IV: 16,
+  SALT: 'peertube',
+  ENCODING: 'hex' as Encoding
+}
+
 const USER_PASSWORD_RESET_LIFETIME = 60000 * 60 // 60 minutes
 const USER_PASSWORD_CREATE_LIFETIME = 60000 * 60 * 24 * 7 // 7 days

@ -959,6 +966,7 @@ const VIDEO_FILTERS = {
 export {
  WEBSERVER,
  API_VERSION,
+  ENCRYPTION,
  VIDEO_LIVE,
  PEERTUBE_VERSION,
  LAZY_STATIC_PATHS,