From 1647092b3c77ac271f4b50a3ee9bdfd3d6be4345 Mon Sep 17 00:00:00 2001 From: Samantaz Fox Date: Sat, 1 Jul 2023 19:29:24 +0200 Subject: [PATCH 1/4] Config: Make 'hmac_key' mandatory --- src/invidious/config.cr | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/src/invidious/config.cr b/src/invidious/config.cr index 9fc58409..7030c925 100644 --- a/src/invidious/config.cr +++ b/src/invidious/config.cr @@ -85,7 +85,7 @@ class Config # Used to tell Invidious it is behind a proxy, so links to resources should be https:// property https_only : Bool? # HMAC signing key for CSRF tokens and verifying pubsub subscriptions - property hmac_key : String? + property hmac_key : String = "" # Domain to be used for links to resources on the site where an absolute URL is required property domain : String? # Subscribe to channels using PubSubHubbub (requires domain, hmac_key) @@ -204,6 +204,13 @@ class Config end {% end %} + # HMAC_key is mandatory + # See: https://github.com/iv-org/invidious/issues/3854 + if config.hmac_key.empty? + puts "Config: 'hmac_key' is required/can't be empty" + exit(1) + end + # Build database_url from db.* if it's not set directly if config.database_url.to_s.empty? if db = config.db @@ -216,7 +223,7 @@ class Config path: db.dbname, ) else - puts "Config : Either database_url or db.* is required" + puts "Config: Either database_url or db.* is required" exit(1) end end From f64e311dcd656b3552b21b7bd3998d82bc8da900 Mon Sep 17 00:00:00 2001 From: Samantaz Fox Date: Sat, 1 Jul 2023 19:29:40 +0200 Subject: [PATCH 2/4] Config: Update example config documentation --- config/config.example.yml | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/config/config.example.yml b/config/config.example.yml index c591eb6a..2da6e55e 100644 --- a/config/config.example.yml +++ b/config/config.example.yml 
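Review bot: In patch 1/4, the new check in `src/invidious/config.cr` (hunk at line 204) only rejects an empty `hmac_key`, so a whitespace-only or one-character key still passes even though this value signs CSRF tokens and pubsub verifications. Consider enforcing a minimum length too, e.g. `if config.hmac_key.strip.size < 16` (the threshold is an example, not a project value), with a message that states the minimum. The failure message goes to stdout via `puts`; `STDERR.puts` would keep it visible when stdout is redirected, although the neighbouring `database_url` check uses `puts` as well. The enclosing method starts and ends outside the hunk, so it cannot be confirmed from here whether environment-variable overrides have already been applied when this check runs.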
@@ -455,13 +455,17 @@ jobs: #use_pubsub_feeds: false ## -## HMAC signing key used for CSRF tokens and pubsub +## HMAC signing key used for CSRF tokens, cookies and pubsub ## subscriptions verification. ## +## Note: This parameter is mandatory and should be a random string. +## Such random string can be generated on linux with the following +## command: `pwdgen 20 1` +## ## Accepted values: a string ## Default: ## -#hmac_key: +hmac_key: "CHANGE_ME!!" ## ## List of video IDs where the "download" widget must be From ba43365acb20ee4fe1b94e9457595fa6e30ae8f9 Mon Sep 17 00:00:00 2001 From: Samantaz Fox Date: Sat, 1 Jul 2023 19:38:50 +0200 Subject: [PATCH 3/4] Config: Stop if 'hmac_key' is the default value --- src/invidious/config.cr | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/invidious/config.cr b/src/invidious/config.cr index 7030c925..e5f1e822 100644 --- a/src/invidious/config.cr +++ b/src/invidious/config.cr @@ -209,6 +209,9 @@ class Config if config.hmac_key.empty? puts "Config: 'hmac_key' is required/can't be empty" exit(1) + elsif config.hmac_key == "CHANGE_ME!!" + puts "Config: The value of 'hmac_key' needs to be changed!!" + exit(1) end # Build database_url from db.* if it's not set directly From e2a6f5ddf26f7fca4ffe9be867dd15a3ed5f73b0 Mon Sep 17 00:00:00 2001 From: Samantaz Fox Date: Sat, 1 Jul 2023 19:40:28 +0200 Subject: [PATCH 4/4] Docker: Add 'hmac_key' to docker-compose.yml --- docker-compose.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/docker-compose.yml b/docker-compose.yml index eb83b020..6a854475 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -30,6 +30,7 @@ services: # domain: # https_only: false # statistics_enabled: false + hmac_key: "CHANGE_ME!!" healthcheck: test: wget -nv --tries=1 --spider http://127.0.0.1:3000/api/v1/comments/jNQXAC9IVRw || exit 1 interval: 30s
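Review bot: In patch 2/4 (`config/config.example.yml`), the suggested command `pwdgen 20 1` looks like a typo for `pwgen 20 1`; operators who copy it as written will most likely get a command-not-found error and may fall back to a hand-typed key. Since this key signs CSRF tokens, cookies and pubsub verification, the comment should recommend a generator that draws every character at random, for example `pwgen -s 20 1` or `openssl rand -hex 20`, because `pwgen` without `-s` produces pronounceable, lower-entropy strings. The `## Default:` line is still blank although the shipped value is now `CHANGE_ME!!`; something like `## Default: <none> (mandatory)` would match the new behaviour.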
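Review bot: In patch 3/4 (`src/invidious/config.cr`), the placeholder `"CHANGE_ME!!"` is compared as a bare literal that has to stay identical to the value shipped in `config/config.example.yml` and `docker-compose.yml`; if either file is edited later, this guard silently stops matching. A named constant, or at least a comment above the `elsif` such as `# Must match the placeholder in config/config.example.yml and docker-compose.yml`, would make that coupling visible to the next maintainer. The comparison is exact, so it catches only an untouched placeholder and says nothing about the strength of whatever replaces it. The enclosing method continues outside the hunk.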
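Review bot: In patch 4/4 (`docker-compose.yml`), the new `hmac_key: "CHANGE_ME!!"` line carries no comment telling the operator that, with the check from patch 3/4, Invidious will exit at startup until the value is replaced, nor how to generate one. A line such as `# hmac_key is mandatory: replace with a random string, see config/config.example.yml` directly above it would help, since Compose users may never open the example config. Because the real key then lives in the compose file itself, the comment could also say that a customised copy should be kept out of public version control.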