docs(security): update secret key generation instructions to use base64 encoding

Replace all references to `openssl rand -hex 32` with `openssl rand -base64 32`
in environment variable examples and documentation. This change standardizes
the recommended method for generating strong random secrets, improving
compatibility and clarity for users configuring authentication and cron secrets.
This commit is contained in:
Richard R 2026-06-07 14:07:45 -06:00
parent e670c38523
commit 0f6f9cc407
6 changed files with 12 additions and 12 deletions

View file

@ -18,7 +18,7 @@ API_KEY=
# Auth configuration (required in v4+) # Auth configuration (required in v4+)
BASE_URL=http://localhost:3003 # Externally facing URL for this app (set to LAN IP for access from other devices on the network) BASE_URL=http://localhost:3003 # Externally facing URL for this app (set to LAN IP for access from other devices on the network)
AUTH_SECRET=some_random_secret_key # Generate with `openssl rand -hex 32` AUTH_SECRET=some_random_secret_key # Generate with `openssl rand -base64 32`
AUTH_TRUSTED_ORIGINS=http://localhost:3003,http://127.0.0.1:3003 # Additional trusted origins (BASE_URL is always trusted) AUTH_TRUSTED_ORIGINS=http://localhost:3003,http://127.0.0.1:3003 # Additional trusted origins (BASE_URL is always trusted)
# (Optional) Allow anonymous auth sessions (default: `false`) # (Optional) Allow anonymous auth sessions (default: `false`)
# USE_ANONYMOUS_AUTH_SESSIONS=false # USE_ANONYMOUS_AUTH_SESSIONS=false

View file

@ -250,7 +250,7 @@ Use one of these `.env` mode templates:
```env ```env
API_BASE=http://host.docker.internal:8880/v1 API_BASE=http://host.docker.internal:8880/v1
BASE_URL=http://localhost:3003 BASE_URL=http://localhost:3003
AUTH_SECRET=<generate-with-openssl-rand-hex-32> AUTH_SECRET=<generate-with-openssl-rand-base64-32>
# Optional when you need multiple local origins: # Optional when you need multiple local origins:
# AUTH_TRUSTED_ORIGINS=http://localhost:3003,http://127.0.0.1:3003 # AUTH_TRUSTED_ORIGINS=http://localhost:3003,http://127.0.0.1:3003
``` ```
@ -263,7 +263,7 @@ AUTH_SECRET=<generate-with-openssl-rand-hex-32>
# on first boot, then no longer read. Manage them in Settings → Admin afterwards. # on first boot, then no longer read. Manage them in Settings → Admin afterwards.
API_BASE=http://host.docker.internal:8880/v1 API_BASE=http://host.docker.internal:8880/v1
BASE_URL=http://localhost:3003 BASE_URL=http://localhost:3003
AUTH_SECRET=<generate-with-openssl-rand-hex-32> AUTH_SECRET=<generate-with-openssl-rand-base64-32>
# Comma-separated emails to auto-promote to admin on signin. # Comma-separated emails to auto-promote to admin on signin.
ADMIN_EMAILS=you@example.com ADMIN_EMAILS=you@example.com
``` ```
@ -275,7 +275,7 @@ ADMIN_EMAILS=you@example.com
API_BASE=http://host.docker.internal:8880/v1 API_BASE=http://host.docker.internal:8880/v1
USE_EMBEDDED_WEED_MINI=false USE_EMBEDDED_WEED_MINI=false
BASE_URL=http://localhost:3003 BASE_URL=http://localhost:3003
AUTH_SECRET=<generate-with-openssl-rand-hex-32> AUTH_SECRET=<generate-with-openssl-rand-base64-32>
S3_BUCKET=your-bucket S3_BUCKET=your-bucket
S3_REGION=us-east-1 S3_REGION=us-east-1
S3_ACCESS_KEY_ID=your-access-key S3_ACCESS_KEY_ID=your-access-key
@ -291,7 +291,7 @@ S3_SECRET_ACCESS_KEY=your-secret-key
```env ```env
API_BASE=http://host.docker.internal:8880/v1 API_BASE=http://host.docker.internal:8880/v1
BASE_URL=http://localhost:3003 BASE_URL=http://localhost:3003
AUTH_SECRET=<generate-with-openssl-rand-hex-32> AUTH_SECRET=<generate-with-openssl-rand-base64-32>
COMPUTE_WORKER_URL=http://localhost:8081 COMPUTE_WORKER_URL=http://localhost:8081
COMPUTE_WORKER_TOKEN=<same-token-used-by-worker> COMPUTE_WORKER_TOKEN=<same-token-used-by-worker>
USE_EMBEDDED_WEED_MINI=false USE_EMBEDDED_WEED_MINI=false

View file

@ -36,7 +36,7 @@ S3_PREFIX=openreader
BASE_URL=https://your-app.vercel.app BASE_URL=https://your-app.vercel.app
AUTH_SECRET=... AUTH_SECRET=...
ADMIN_EMAILS=you@example.com # comma-separated; admins manage TTS + features in-app ADMIN_EMAILS=you@example.com # comma-separated; admins manage TTS + features in-app
CRON_SECRET=... # generate with: openssl rand -hex 32 CRON_SECRET=... # generate with: openssl rand -base64 32
# Heavy compute (required on Vercel in current releases) # Heavy compute (required on Vercel in current releases)
COMPUTE_WORKER_URL=https://<railway-worker-domain> COMPUTE_WORKER_URL=https://<railway-worker-domain>

View file

@ -43,7 +43,7 @@ docker run --name openreader \
-v openreader_docstore:/app/docstore \ -v openreader_docstore:/app/docstore \
-e API_BASE=http://host.docker.internal:8880/v1 \ -e API_BASE=http://host.docker.internal:8880/v1 \
-e BASE_URL=http://localhost:3003 \ -e BASE_URL=http://localhost:3003 \
-e AUTH_SECRET=$(openssl rand -hex 32) \ -e AUTH_SECRET=$(openssl rand -base64 32) \
-e ADMIN_EMAILS=you@example.com \ -e ADMIN_EMAILS=you@example.com \
ghcr.io/richardr1126/openreader:latest ghcr.io/richardr1126/openreader:latest
``` ```
@ -70,7 +70,7 @@ docker run --name openreader \
-v openreader_docstore:/app/docstore \ -v openreader_docstore:/app/docstore \
-e API_BASE=http://host.docker.internal:8880/v1 \ -e API_BASE=http://host.docker.internal:8880/v1 \
-e BASE_URL=http://<YOUR_LAN_IP>:3003 \ -e BASE_URL=http://<YOUR_LAN_IP>:3003 \
-e AUTH_SECRET=$(openssl rand -hex 32) \ -e AUTH_SECRET=$(openssl rand -base64 32) \
-e AUTH_TRUSTED_ORIGINS=http://localhost:3003,http://127.0.0.1:3003 \ -e AUTH_TRUSTED_ORIGINS=http://localhost:3003,http://127.0.0.1:3003 \
-e USE_ANONYMOUS_AUTH_SESSIONS=true \ -e USE_ANONYMOUS_AUTH_SESSIONS=true \
-e ADMIN_EMAILS=you@example.com \ -e ADMIN_EMAILS=you@example.com \
@ -101,7 +101,7 @@ docker run --name openreader \
-p 3003:3003 \ -p 3003:3003 \
-p 8333:8333 \ -p 8333:8333 \
-e BASE_URL=http://localhost:3003 \ -e BASE_URL=http://localhost:3003 \
-e AUTH_SECRET=$(openssl rand -hex 32) \ -e AUTH_SECRET=$(openssl rand -base64 32) \
ghcr.io/richardr1126/openreader:latest ghcr.io/richardr1126/openreader:latest
``` ```

View file

@ -111,7 +111,7 @@ Required external base URL for this OpenReader instance.
Required secret key used by auth/session handling. Required secret key used by auth/session handling.
- Required at startup - Required at startup
- Generate with `openssl rand -hex 32` - Generate with `openssl rand -base64 32`
### AUTH_TRUSTED_ORIGINS ### AUTH_TRUSTED_ORIGINS
@ -151,7 +151,7 @@ Bearer-token secret for `GET /api/admin/tasks/tick`.
- Required on Vercel so scheduled maintenance tasks can run from the configured Vercel Cron. - Required on Vercel so scheduled maintenance tasks can run from the configured Vercel Cron.
- Vercel automatically sends `Authorization: Bearer <CRON_SECRET>` on cron invocations. - Vercel automatically sends `Authorization: Bearer <CRON_SECRET>` on cron invocations.
- Generate a strong random value, for example with `openssl rand -hex 32`. - Generate a strong random value, for example with `openssl rand -base64 32`.
- Self-hosted Node.js deployments run the scheduler in-process and do not require this variable. - Self-hosted Node.js deployments run the scheduler in-process and do not require this variable.
## Database and Object Blob Storage ## Database and Object Blob Storage

View file

@ -332,7 +332,7 @@ export default async function LandingPage() {
{' '}-e BASE_URL= {' '}-e BASE_URL=
<span className="public-term-accent">http://localhost:3003</span> \{'\n'} <span className="public-term-accent">http://localhost:3003</span> \{'\n'}
{' '}-e AUTH_SECRET= {' '}-e AUTH_SECRET=
<span className="public-term-accent">$(openssl rand -hex 32)</span> \{'\n'} <span className="public-term-accent">$(openssl rand -base64 32)</span> \{'\n'}
{' '}-e ADMIN_EMAILS= {' '}-e ADMIN_EMAILS=
<span className="public-term-accent">you@example.com</span> \{'\n'} <span className="public-term-accent">you@example.com</span> \{'\n'}
{' '}ghcr.io/richardr1126/openreader:latest{'\n'} {' '}ghcr.io/richardr1126/openreader:latest{'\n'}