ClusterCockpit/cc-backend
1
0
Fork 0
mirror of https://github.com/ClusterCockpit/cc-backend synced 2026-06-18 01:17:29 +02:00
Code Issues Packages Releases Activity

feat(auth): replace .env/godotenv secret handling with config-based secrets

Browse Source 
Secrets (JWT keys, LDAP sync password, OIDC client id/secret, cross-login
keys) are now configured directly in config.json under the auth section
where they are used. Each secret can still be supplied via its existing
environment variable, which takes precedence over the config value.

The godotenv dependency, the .env file, configs/env-template.txt and the
loadEnvironment() bootstrap step are removed. -init now writes the demo
JWT keys into config.json instead of a .env file.

Closes #283

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Entire-Checkpoint: 3a7cb814c53f
This commit is contained in:
Jan Eitzinger
2026-06-17 12:28:17 +02:00
parent 07b9a57479
commit 83d04dff17
22 changed files with 151 additions and 95 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
README.md
View File

@@ -129,12 +129,11 @@ git clone https://github.com/ClusterCockpit/cc-backend.git
cd ./cc-backend/
make
# EDIT THE .env FILE BEFORE YOU DEPLOY (Change the secrets)!
# If authentication is disabled, it can be empty.
cp configs/env-template.txt .env
vim .env
cp configs/config.json .
# EDIT config.json BEFORE YOU DEPLOY: change the secrets under "auth.jwts"
# ("public-key"/"private-key"). Each secret can also be supplied via an
# environment variable (e.g. JWT_PUBLIC_KEY), which takes precedence over the
# value in config.json.
vim config.json
#Optional: Link an existing job archive:
@@ -157,8 +156,14 @@ ln -s <your-existing-job-archive> ./var/job-archive
Browser sessions are stored server-side in the SQLite database (the `sessions`
table) using [`alexedwards/scs`](https://github.com/alexedwards/scs); only an
opaque random token is kept in the session cookie. No cookie-signing secret is
required, so the former `SESSION_KEY` environment variable is no longer used and
can be removed from your `.env`.
required, so the former `SESSION_KEY` environment variable is no longer used.
Secrets (JWT keys, LDAP sync password, OIDC client id/secret, cross-login keys)
are configured directly in `config.json` under the `auth` section. Each secret
may also be supplied via its environment variable (e.g. `JWT_PUBLIC_KEY`,
`JWT_PRIVATE_KEY`, `LDAP_ADMIN_PASSWORD`, `OID_CLIENT_ID`, `OID_CLIENT_SECRET`,
`CROSS_LOGIN_JWT_PUBLIC_KEY`, `CROSS_LOGIN_JWT_HS512_KEY`); the environment
variable takes precedence when set. The previous `.env` file is no longer used.
The session cookie's `Secure` flag is set automatically when cc-backend serves
HTTPS itself (i.e. `https-cert-file` and `https-key-file` are configured in