Gronod
c0dd93a1ab
Some checks failed
Build and Push Docker Image / build (push) Successful in 59s
CI / Security audit (push) Successful in 1m5s
CI / Tests & coverage (push) Successful in 1m24s
Docs Check / Markdown lint (push) Failing after 45s
Docs Check / Mermaid diagram parse check (push) Successful in 1m27s
CI / Security audit (pull_request) Successful in 51s
CI / Tests & coverage (pull_request) Successful in 1m1s
Docs Check / Markdown lint (pull_request) Failing after 39s
Docs Check / Mermaid diagram parse check (pull_request) Successful in 1m12s
Phase 1 - Licensing & Compliance: - Add MIT LICENSE file - Add copyright headers to server/index.js, poller.js, config.js, sanitizeError.js, and new loadSecrets.js Phase 2 - Security Hardening: - Add server/utils/loadSecrets.js: Docker secrets support via _FILE env var pattern (COOKIE_SECRET_FILE, EMBY_API_KEY_FILE, etc.) - Add SSRF/URL validation in config.js: validates all configured service instance URLs for scheme and well-formedness at startup - Add SIGTERM/SIGINT graceful shutdown: stops poller, drains HTTP connections, 10s force-exit fallback - Warn at startup if COOKIE_SECRET is shorter than 32 characters - Validate EMBY_URL scheme at startup - Improve sanitizeError: redact host:port from axios error URLs while preserving path/query for other redaction patterns Phase 3 - Config Robustness: - Weak COOKIE_SECRET warning (< 32 chars) - EMBY_URL validated via validateInstanceUrl on startup Phase 4 - Docker & Deployment: - .dockerignore: add tests/, coverage/, vitest.config.js, CHANGELOG.md, SECURITY.md, LICENSE, .markdownlint.json - docker-compose.yaml: add commented Option B (Docker secrets _FILE pattern) alongside existing plain-env Option A Phase 5 - Docs & Release Readiness: - Add CHANGELOG.md with entries from v1.0.0 to v1.2.0 - Update SECURITY.md: supported versions table, fix Docker secrets note to reflect _FILE support now implemented - Add public/.well-known/security.txt for responsible disclosure - Bump version to 1.2.0
53 lines
1.8 KiB
JavaScript
53 lines
1.8 KiB
JavaScript
// Copyright (c) 2025 Gordon Bolton. MIT License.
|
|
//
|
|
// Docker secrets support: if an environment variable named FOO_FILE is set,
|
|
// read its contents from the file at that path and expose it as FOO.
|
|
// This follows the standard *_FILE convention used by official Docker images.
|
|
//
|
|
// Supported secrets:
|
|
// COOKIE_SECRET_FILE → COOKIE_SECRET
|
|
// EMBY_API_KEY_FILE → EMBY_API_KEY
|
|
// SABNZBD_API_KEY_FILE → SABNZBD_API_KEY (legacy single-instance)
|
|
// SONARR_API_KEY_FILE → SONARR_API_KEY (legacy single-instance)
|
|
// RADARR_API_KEY_FILE → RADARR_API_KEY (legacy single-instance)
|
|
// QBITTORRENT_PASSWORD_FILE → QBITTORRENT_PASSWORD (legacy single-instance)
|
|
//
|
|
// For multi-instance JSON arrays the secret values must be embedded in the
|
|
// JSON string itself; file-based loading is for the legacy single-key format.
|
|
|
|
const fs = require('fs');
|
|
|
|
const SECRET_MAPPINGS = [
|
|
'COOKIE_SECRET',
|
|
'EMBY_API_KEY',
|
|
'SABNZBD_API_KEY',
|
|
'SONARR_API_KEY',
|
|
'RADARR_API_KEY',
|
|
'QBITTORRENT_PASSWORD',
|
|
];
|
|
|
|
function loadSecrets() {
|
|
for (const key of SECRET_MAPPINGS) {
|
|
const fileEnv = `${key}_FILE`;
|
|
const filePath = process.env[fileEnv];
|
|
if (!filePath) continue;
|
|
if (process.env[key]) {
|
|
console.warn(`[Secrets] Both ${key} and ${fileEnv} are set — ${fileEnv} takes precedence`);
|
|
}
|
|
try {
|
|
const value = fs.readFileSync(filePath, 'utf8').trim();
|
|
if (!value) {
|
|
console.warn(`[Secrets] ${fileEnv} points to an empty file: ${filePath}`);
|
|
continue;
|
|
}
|
|
process.env[key] = value;
|
|
console.log(`[Secrets] Loaded ${key} from ${fileEnv}`);
|
|
} catch (err) {
|
|
console.error(`[Secrets] Failed to read ${fileEnv} (${filePath}): ${err.message}`);
|
|
process.exit(1);
|
|
}
|
|
}
|
|
}
|
|
|
|
module.exports = loadSecrets;
|