From d075ea3b21c7b3df921835f5b9f1126c5dfbe243 Mon Sep 17 00:00:00 2001 From: Marc Scholten Date: Tue, 27 Feb 2024 21:22:05 +0100 Subject: [PATCH] Added new-session-secret binary (#1922) * Added new-session-secret binary * added notes on how to generate a new session secret using new-session-secret * fixed cabal build --- Guide/deployment.markdown | 21 +++++++++++++++------ exe/IHP/CLI/NewSessionSecret.hs | 15 +++++++++++++++ ihp.cabal | 7 +++++++ 3 files changed, 37 insertions(+), 6 deletions(-) create mode 100644 exe/IHP/CLI/NewSessionSecret.hs diff --git a/Guide/deployment.markdown b/Guide/deployment.markdown index 4b05ade3b..643e875b1 100644 --- a/Guide/deployment.markdown +++ b/Guide/deployment.markdown 
@@ -620,19 +620,28 @@ $ ./build/bin/RunProdServer #### `IHP_SESSION_SECRET` -In production setup's you want to configure the `IHP_SESSION_SECRET` env variable. It's a private key used to encrypt your session state. If it's not specified, a new one will generated on each container start. This means that all your users will have to re-login on each container start. +In production setup's you want to configure the `IHP_SESSION_SECRET` env variable. It's a private key used to encrypt your session state. If it's not specified, a new one will generated on each app start. This means that all your users will have to re-login on each app start. **Note on `Config/client_session_key.aes`:** The `IHP_SESSION_SECRET` env variable is an alternative for placing a `Config/client_session_key.aes` inside the your repository. If IHP detects a `Config/` folder, and no `IHP_SESSION_SECRET` is set, it will automatically create a `Config/client_session_key.aes` file. This is designed for persistent sessions in development mode. -When you start an app without specifying the `IHP_SESSION_SECRET` and no `Config/client_session_key.aes` is found, the app will output the randomly generated one. So you can get a new secret key by starting a new container and copying the value: +When you start an app without specifying the `IHP_SESSION_SECRET` and no `Config/client_session_key.aes` is found, the app will output the randomly generated one. So you can get a new secret key by starting a new container and copying the value. 
+ +An easier way is to use the `new-session-secret` CLI command: ```bash -$ ./build/bin/RunProdServer -IHP_SESSION_SECRET=1J8jtRW331a0IbHBCHmsFNoesQUNFnuHqY8cB5927KsoV5sYmiq3DMmvsYk5S7EDma9YhqZLZWeTFu2pGOxMT2F/5PnifW/5ffwJjZvZcJh9MKPh3Ez9fmPEyxZBDxVp -Server started +$ new-session-secret +1J8jtRW331a0IbHBCHmsFNoesQUNFnuHqY8cB5927KsoV5sYmiq3DMmvsYk5S7EDma9YhqZLZWeTFu2pGOxMT2F/5PnifW/5ffwJjZvZcJh9MKPh3Ez9fmPEyxZBDxVp ``` -There we can copy the `IHP_SESSION_SECRET=1J8jtRW331a0IbHBCHmsFNoesQUNFnuHqY8cB5927KsoV5sYmiq3DMmvsYk5S7EDma9YhqZLZWeTFu2pGOxMT2F/5PnifW/5ffwJjZvZcJh9MKPh3Ez9fmPEyxZBDxVp` value and use it as our secret: +On macOS you can directly copy this into your clipboard like this: + +```bash +$ new-session-secret | pbcopy +``` + +Then you can paste the value where needed. + +Now we can use this secret and pass it to the app binary via the `IHP_SESSION_SECRET` env var: ```bash $ export IHP_SESSION_SECRET="1J8jtRW331a0IbHBCHmsFNoesQUNFnuHqY8cB5927KsoV5sYmiq3DMmvsYk5S7EDma9YhqZLZWeTFu2pGOxMT2F/5PnifW/5ffwJjZvZcJh9MKPh3Ez9fmPEyxZBDxVp" diff --git a/exe/IHP/CLI/NewSessionSecret.hs b/exe/IHP/CLI/NewSessionSecret.hs new file mode 100644 index 000000000..32f8c3ac8 --- /dev/null +++ b/exe/IHP/CLI/NewSessionSecret.hs @@ -0,0 +1,15 @@ +module Main where + +import Prelude +import Main.Utf8 (withUtf8) +import qualified Web.ClientSession as ClientSession +import qualified Data.ByteString as ByteString +import qualified Data.ByteString.Char8 as Char8 +import qualified Data.ByteString.Base64 as Base64 + +-- Prints a private key to be used as the IHP_SESSION_SECRET +main :: IO () +main = withUtf8 do + (string, _) <- ClientSession.randomKey + let encoded = Base64.encode string + ByteString.putStr encoded \ No newline at end of file diff --git a/ihp.cabal b/ihp.cabal index 41d1e0cee..217fcbbc3 100644 --- a/ihp.cabal +++ b/ihp.cabal 
@@ -467,3 +467,10 @@ executable hash-password build-depends: ihp hs-source-dirs: exe main-is: IHP/CLI/HashPassword.hs + +executable new-session-secret + default-language: Haskell2010 + default-extensions: BlockArguments + build-depends: base, clientsession, bytestring, with-utf8, base64-bytestring + hs-source-dirs: exe + main-is: IHP/CLI/NewSessionSecret.hs
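Review bot: In the Guide/deployment.markdown hunk, the sample output under `$ new-session-secret` and the following `export IHP_SESSION_SECRET="..."` line both print the same full-length key literal, so a reader who copies the snippet verbatim deploys a publicly documented session secret. Suggest replacing the literal in the `export` example with an obvious placeholder (or a shell substitution of the command's output) and shortening the sample output. Smaller points on the same hunk: the kept sentence still says "starting a new container" although the paragraph above was changed to "app start", and the touched lines still read "production setup's" and "a new one will generated".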
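Review bot: In exe/IHP/CLI/NewSessionSecret.hs, `import qualified Data.ByteString.Char8 as Char8` is never used and can be dropped. `ByteString.putStr encoded` writes the key with no trailing newline, which suits `new-session-secret | pbcopy` but does not match the guide's example where the key sits on its own line before the next prompt; a short comment saying the missing newline is intentional would prevent a later "fix" that breaks copy and paste. The binding named `string` holds the raw key bytes from `ClientSession.randomKey`, so a name such as `keyBytes` would read better, and the file should end with a newline.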
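Review bot: In the ihp.cabal hunk, the new `new-session-secret` stanza lists `base, clientsession, bytestring, with-utf8, base64-bytestring` without version bounds, whereas the neighbouring `hash-password` stanza depends only on `ihp`. Since the generated value must be accepted as a key by the app, it would help to either add bounds matching the library's own `clientsession` constraint or leave a comment explaining why this executable deliberately avoids the `ihp` dependency.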