docs(security): update secret key generation instructions to use base64 encoding

Replace all references to `openssl rand -hex 32` with `openssl rand -base64 32`
in environment variable examples and documentation. This change standardizes
the recommended method for generating strong random secrets, improving
compatibility and clarity for users configuring authentication and cron secrets.
This commit is contained in:
Richard R 2026-06-07 14:07:45 -06:00
parent e670c38523
commit 0f6f9cc407
6 changed files with 12 additions and 12 deletions

View file

@ -18,7 +18,7 @@ API_KEY=
# Auth configuration (required in v4+)
BASE_URL=http://localhost:3003 # Externally facing URL for this app (set to LAN IP for access from other devices on the network)
AUTH_SECRET=some_random_secret_key # Generate with `openssl rand -hex 32`
AUTH_SECRET=some_random_secret_key # Generate with `openssl rand -base64 32`
AUTH_TRUSTED_ORIGINS=http://localhost:3003,http://127.0.0.1:3003 # Additional trusted origins (BASE_URL is always trusted)
# (Optional) Allow anonymous auth sessions (default: `false`)
# USE_ANONYMOUS_AUTH_SESSIONS=false

View file

@ -250,7 +250,7 @@ Use one of these `.env` mode templates:
```env
API_BASE=http://host.docker.internal:8880/v1
BASE_URL=http://localhost:3003
AUTH_SECRET=<generate-with-openssl-rand-hex-32>
AUTH_SECRET=<generate-with-openssl-rand-base64-32>
# Optional when you need multiple local origins:
# AUTH_TRUSTED_ORIGINS=http://localhost:3003,http://127.0.0.1:3003
```
@ -263,7 +263,7 @@ AUTH_SECRET=<generate-with-openssl-rand-hex-32>
# on first boot, then no longer read. Manage them in Settings → Admin afterwards.
API_BASE=http://host.docker.internal:8880/v1
BASE_URL=http://localhost:3003
AUTH_SECRET=<generate-with-openssl-rand-hex-32>
AUTH_SECRET=<generate-with-openssl-rand-base64-32>
# Comma-separated emails to auto-promote to admin on signin.
ADMIN_EMAILS=you@example.com
```
@ -275,7 +275,7 @@ ADMIN_EMAILS=you@example.com
API_BASE=http://host.docker.internal:8880/v1
USE_EMBEDDED_WEED_MINI=false
BASE_URL=http://localhost:3003
AUTH_SECRET=<generate-with-openssl-rand-hex-32>
AUTH_SECRET=<generate-with-openssl-rand-base64-32>
S3_BUCKET=your-bucket
S3_REGION=us-east-1
S3_ACCESS_KEY_ID=your-access-key
@ -291,7 +291,7 @@ S3_SECRET_ACCESS_KEY=your-secret-key
```env
API_BASE=http://host.docker.internal:8880/v1
BASE_URL=http://localhost:3003
AUTH_SECRET=<generate-with-openssl-rand-hex-32>
AUTH_SECRET=<generate-with-openssl-rand-base64-32>
COMPUTE_WORKER_URL=http://localhost:8081
COMPUTE_WORKER_TOKEN=<same-token-used-by-worker>
USE_EMBEDDED_WEED_MINI=false

View file

@ -36,7 +36,7 @@ S3_PREFIX=openreader
BASE_URL=https://your-app.vercel.app
AUTH_SECRET=...
ADMIN_EMAILS=you@example.com # comma-separated; admins manage TTS + features in-app
CRON_SECRET=... # generate with: openssl rand -hex 32
CRON_SECRET=... # generate with: openssl rand -base64 32
# Heavy compute (required on Vercel in current releases)
COMPUTE_WORKER_URL=https://<railway-worker-domain>

View file

@ -43,7 +43,7 @@ docker run --name openreader \
-v openreader_docstore:/app/docstore \
-e API_BASE=http://host.docker.internal:8880/v1 \
-e BASE_URL=http://localhost:3003 \
-e AUTH_SECRET=$(openssl rand -hex 32) \
-e AUTH_SECRET=$(openssl rand -base64 32) \
-e ADMIN_EMAILS=you@example.com \
ghcr.io/richardr1126/openreader:latest
```
@ -70,7 +70,7 @@ docker run --name openreader \
-v openreader_docstore:/app/docstore \
-e API_BASE=http://host.docker.internal:8880/v1 \
-e BASE_URL=http://<YOUR_LAN_IP>:3003 \
-e AUTH_SECRET=$(openssl rand -hex 32) \
-e AUTH_SECRET=$(openssl rand -base64 32) \
-e AUTH_TRUSTED_ORIGINS=http://localhost:3003,http://127.0.0.1:3003 \
-e USE_ANONYMOUS_AUTH_SESSIONS=true \
-e ADMIN_EMAILS=you@example.com \
@ -101,7 +101,7 @@ docker run --name openreader \
-p 3003:3003 \
-p 8333:8333 \
-e BASE_URL=http://localhost:3003 \
-e AUTH_SECRET=$(openssl rand -hex 32) \
-e AUTH_SECRET=$(openssl rand -base64 32) \
ghcr.io/richardr1126/openreader:latest
```

View file

@ -111,7 +111,7 @@ Required external base URL for this OpenReader instance.
Required secret key used by auth/session handling.
- Required at startup
- Generate with `openssl rand -hex 32`
- Generate with `openssl rand -base64 32`
### AUTH_TRUSTED_ORIGINS
@ -151,7 +151,7 @@ Bearer-token secret for `GET /api/admin/tasks/tick`.
- Required on Vercel so scheduled maintenance tasks can run from the configured Vercel Cron.
- Vercel automatically sends `Authorization: Bearer <CRON_SECRET>` on cron invocations.
- Generate a strong random value, for example with `openssl rand -hex 32`.
- Generate a strong random value, for example with `openssl rand -base64 32`.
- Self-hosted Node.js deployments run the scheduler in-process and do not require this variable.
## Database and Object Blob Storage

View file

@ -332,7 +332,7 @@ export default async function LandingPage() {
{' '}-e BASE_URL=
<span className="public-term-accent">http://localhost:3003</span> \{'\n'}
{' '}-e AUTH_SECRET=
<span className="public-term-accent">$(openssl rand -hex 32)</span> \{'\n'}
<span className="public-term-accent">$(openssl rand -base64 32)</span> \{'\n'}
{' '}-e ADMIN_EMAILS=
<span className="public-term-accent">you@example.com</span> \{'\n'}
{' '}ghcr.io/richardr1126/openreader:latest{'\n'}