docs(security): update secret key generation instructions to use base64 encoding
Replace all references to `openssl rand -hex 32` with `openssl rand -base64 32` in environment variable examples and documentation. This change standardizes the recommended method for generating strong random secrets, improving compatibility and clarity for users configuring authentication and cron secrets.
This commit is contained in:
parent
e670c38523
commit
0f6f9cc407
6 changed files with 12 additions and 12 deletions
|
|
@ -18,7 +18,7 @@ API_KEY=
|
||||||
|
|
||||||
# Auth configuration (required in v4+)
|
# Auth configuration (required in v4+)
|
||||||
BASE_URL=http://localhost:3003 # Externally facing URL for this app (set to LAN IP for access from other devices on the network)
|
BASE_URL=http://localhost:3003 # Externally facing URL for this app (set to LAN IP for access from other devices on the network)
|
||||||
AUTH_SECRET=some_random_secret_key # Generate with `openssl rand -hex 32`
|
AUTH_SECRET=some_random_secret_key # Generate with `openssl rand -base64 32`
|
||||||
AUTH_TRUSTED_ORIGINS=http://localhost:3003,http://127.0.0.1:3003 # Additional trusted origins (BASE_URL is always trusted)
|
AUTH_TRUSTED_ORIGINS=http://localhost:3003,http://127.0.0.1:3003 # Additional trusted origins (BASE_URL is always trusted)
|
||||||
# (Optional) Allow anonymous auth sessions (default: `false`)
|
# (Optional) Allow anonymous auth sessions (default: `false`)
|
||||||
# USE_ANONYMOUS_AUTH_SESSIONS=false
|
# USE_ANONYMOUS_AUTH_SESSIONS=false
|
||||||
|
|
|
||||||
|
|
@ -250,7 +250,7 @@ Use one of these `.env` mode templates:
|
||||||
```env
|
```env
|
||||||
API_BASE=http://host.docker.internal:8880/v1
|
API_BASE=http://host.docker.internal:8880/v1
|
||||||
BASE_URL=http://localhost:3003
|
BASE_URL=http://localhost:3003
|
||||||
AUTH_SECRET=<generate-with-openssl-rand-hex-32>
|
AUTH_SECRET=<generate-with-openssl-rand-base64-32>
|
||||||
# Optional when you need multiple local origins:
|
# Optional when you need multiple local origins:
|
||||||
# AUTH_TRUSTED_ORIGINS=http://localhost:3003,http://127.0.0.1:3003
|
# AUTH_TRUSTED_ORIGINS=http://localhost:3003,http://127.0.0.1:3003
|
||||||
```
|
```
|
||||||
|
|
@ -263,7 +263,7 @@ AUTH_SECRET=<generate-with-openssl-rand-hex-32>
|
||||||
# on first boot, then no longer read. Manage them in Settings → Admin afterwards.
|
# on first boot, then no longer read. Manage them in Settings → Admin afterwards.
|
||||||
API_BASE=http://host.docker.internal:8880/v1
|
API_BASE=http://host.docker.internal:8880/v1
|
||||||
BASE_URL=http://localhost:3003
|
BASE_URL=http://localhost:3003
|
||||||
AUTH_SECRET=<generate-with-openssl-rand-hex-32>
|
AUTH_SECRET=<generate-with-openssl-rand-base64-32>
|
||||||
# Comma-separated emails to auto-promote to admin on signin.
|
# Comma-separated emails to auto-promote to admin on signin.
|
||||||
ADMIN_EMAILS=you@example.com
|
ADMIN_EMAILS=you@example.com
|
||||||
```
|
```
|
||||||
|
|
@ -275,7 +275,7 @@ ADMIN_EMAILS=you@example.com
|
||||||
API_BASE=http://host.docker.internal:8880/v1
|
API_BASE=http://host.docker.internal:8880/v1
|
||||||
USE_EMBEDDED_WEED_MINI=false
|
USE_EMBEDDED_WEED_MINI=false
|
||||||
BASE_URL=http://localhost:3003
|
BASE_URL=http://localhost:3003
|
||||||
AUTH_SECRET=<generate-with-openssl-rand-hex-32>
|
AUTH_SECRET=<generate-with-openssl-rand-base64-32>
|
||||||
S3_BUCKET=your-bucket
|
S3_BUCKET=your-bucket
|
||||||
S3_REGION=us-east-1
|
S3_REGION=us-east-1
|
||||||
S3_ACCESS_KEY_ID=your-access-key
|
S3_ACCESS_KEY_ID=your-access-key
|
||||||
|
|
@ -291,7 +291,7 @@ S3_SECRET_ACCESS_KEY=your-secret-key
|
||||||
```env
|
```env
|
||||||
API_BASE=http://host.docker.internal:8880/v1
|
API_BASE=http://host.docker.internal:8880/v1
|
||||||
BASE_URL=http://localhost:3003
|
BASE_URL=http://localhost:3003
|
||||||
AUTH_SECRET=<generate-with-openssl-rand-hex-32>
|
AUTH_SECRET=<generate-with-openssl-rand-base64-32>
|
||||||
COMPUTE_WORKER_URL=http://localhost:8081
|
COMPUTE_WORKER_URL=http://localhost:8081
|
||||||
COMPUTE_WORKER_TOKEN=<same-token-used-by-worker>
|
COMPUTE_WORKER_TOKEN=<same-token-used-by-worker>
|
||||||
USE_EMBEDDED_WEED_MINI=false
|
USE_EMBEDDED_WEED_MINI=false
|
||||||
|
|
|
||||||
|
|
@ -36,7 +36,7 @@ S3_PREFIX=openreader
|
||||||
BASE_URL=https://your-app.vercel.app
|
BASE_URL=https://your-app.vercel.app
|
||||||
AUTH_SECRET=...
|
AUTH_SECRET=...
|
||||||
ADMIN_EMAILS=you@example.com # comma-separated; admins manage TTS + features in-app
|
ADMIN_EMAILS=you@example.com # comma-separated; admins manage TTS + features in-app
|
||||||
CRON_SECRET=... # generate with: openssl rand -hex 32
|
CRON_SECRET=... # generate with: openssl rand -base64 32
|
||||||
|
|
||||||
# Heavy compute (required on Vercel in current releases)
|
# Heavy compute (required on Vercel in current releases)
|
||||||
COMPUTE_WORKER_URL=https://<railway-worker-domain>
|
COMPUTE_WORKER_URL=https://<railway-worker-domain>
|
||||||
|
|
|
||||||
|
|
@ -43,7 +43,7 @@ docker run --name openreader \
|
||||||
-v openreader_docstore:/app/docstore \
|
-v openreader_docstore:/app/docstore \
|
||||||
-e API_BASE=http://host.docker.internal:8880/v1 \
|
-e API_BASE=http://host.docker.internal:8880/v1 \
|
||||||
-e BASE_URL=http://localhost:3003 \
|
-e BASE_URL=http://localhost:3003 \
|
||||||
-e AUTH_SECRET=$(openssl rand -hex 32) \
|
-e AUTH_SECRET=$(openssl rand -base64 32) \
|
||||||
-e ADMIN_EMAILS=you@example.com \
|
-e ADMIN_EMAILS=you@example.com \
|
||||||
ghcr.io/richardr1126/openreader:latest
|
ghcr.io/richardr1126/openreader:latest
|
||||||
```
|
```
|
||||||
|
|
@ -70,7 +70,7 @@ docker run --name openreader \
|
||||||
-v openreader_docstore:/app/docstore \
|
-v openreader_docstore:/app/docstore \
|
||||||
-e API_BASE=http://host.docker.internal:8880/v1 \
|
-e API_BASE=http://host.docker.internal:8880/v1 \
|
||||||
-e BASE_URL=http://<YOUR_LAN_IP>:3003 \
|
-e BASE_URL=http://<YOUR_LAN_IP>:3003 \
|
||||||
-e AUTH_SECRET=$(openssl rand -hex 32) \
|
-e AUTH_SECRET=$(openssl rand -base64 32) \
|
||||||
-e AUTH_TRUSTED_ORIGINS=http://localhost:3003,http://127.0.0.1:3003 \
|
-e AUTH_TRUSTED_ORIGINS=http://localhost:3003,http://127.0.0.1:3003 \
|
||||||
-e USE_ANONYMOUS_AUTH_SESSIONS=true \
|
-e USE_ANONYMOUS_AUTH_SESSIONS=true \
|
||||||
-e ADMIN_EMAILS=you@example.com \
|
-e ADMIN_EMAILS=you@example.com \
|
||||||
|
|
@ -101,7 +101,7 @@ docker run --name openreader \
|
||||||
-p 3003:3003 \
|
-p 3003:3003 \
|
||||||
-p 8333:8333 \
|
-p 8333:8333 \
|
||||||
-e BASE_URL=http://localhost:3003 \
|
-e BASE_URL=http://localhost:3003 \
|
||||||
-e AUTH_SECRET=$(openssl rand -hex 32) \
|
-e AUTH_SECRET=$(openssl rand -base64 32) \
|
||||||
ghcr.io/richardr1126/openreader:latest
|
ghcr.io/richardr1126/openreader:latest
|
||||||
```
|
```
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -111,7 +111,7 @@ Required external base URL for this OpenReader instance.
|
||||||
Required secret key used by auth/session handling.
|
Required secret key used by auth/session handling.
|
||||||
|
|
||||||
- Required at startup
|
- Required at startup
|
||||||
- Generate with `openssl rand -hex 32`
|
- Generate with `openssl rand -base64 32`
|
||||||
|
|
||||||
### AUTH_TRUSTED_ORIGINS
|
### AUTH_TRUSTED_ORIGINS
|
||||||
|
|
||||||
|
|
@ -151,7 +151,7 @@ Bearer-token secret for `GET /api/admin/tasks/tick`.
|
||||||
|
|
||||||
- Required on Vercel so scheduled maintenance tasks can run from the configured Vercel Cron.
|
- Required on Vercel so scheduled maintenance tasks can run from the configured Vercel Cron.
|
||||||
- Vercel automatically sends `Authorization: Bearer <CRON_SECRET>` on cron invocations.
|
- Vercel automatically sends `Authorization: Bearer <CRON_SECRET>` on cron invocations.
|
||||||
- Generate a strong random value, for example with `openssl rand -hex 32`.
|
- Generate a strong random value, for example with `openssl rand -base64 32`.
|
||||||
- Self-hosted Node.js deployments run the scheduler in-process and do not require this variable.
|
- Self-hosted Node.js deployments run the scheduler in-process and do not require this variable.
|
||||||
|
|
||||||
## Database and Object Blob Storage
|
## Database and Object Blob Storage
|
||||||
|
|
|
||||||
|
|
@ -332,7 +332,7 @@ export default async function LandingPage() {
|
||||||
{' '}-e BASE_URL=
|
{' '}-e BASE_URL=
|
||||||
<span className="public-term-accent">http://localhost:3003</span> \{'\n'}
|
<span className="public-term-accent">http://localhost:3003</span> \{'\n'}
|
||||||
{' '}-e AUTH_SECRET=
|
{' '}-e AUTH_SECRET=
|
||||||
<span className="public-term-accent">$(openssl rand -hex 32)</span> \{'\n'}
|
<span className="public-term-accent">$(openssl rand -base64 32)</span> \{'\n'}
|
||||||
{' '}-e ADMIN_EMAILS=
|
{' '}-e ADMIN_EMAILS=
|
||||||
<span className="public-term-accent">you@example.com</span> \{'\n'}
|
<span className="public-term-accent">you@example.com</span> \{'\n'}
|
||||||
{' '}ghcr.io/richardr1126/openreader:latest{'\n'}
|
{' '}ghcr.io/richardr1126/openreader:latest{'\n'}
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue