diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index cc24903..ffb41b9 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -26,3 +26,5 @@ jobs: JWT_SECRET: "ci-placeholder-jwt-secret-min-32-chars" DATABASE_URL: "postgresql://placeholder:placeholder@localhost:5432/placeholder" DIRECT_URL: "postgresql://placeholder:placeholder@localhost:5432/placeholder" + ADMIN_USERNAME: "ci-admin" + ADMIN_PASSWORD: "ci-admin-password" diff --git a/.gitignore b/.gitignore index 5edb8ed..07d0d06 100644 --- a/.gitignore +++ b/.gitignore @@ -13,3 +13,4 @@ backups/ persuasion-data/runs/ __pycache__/ *.pyc +.jules/ diff --git a/packages/web/.env.example b/packages/web/.env.example index e99d51e..d1037ab 100644 --- a/packages/web/.env.example +++ b/packages/web/.env.example @@ -4,3 +4,5 @@ AUTH_SECRET=replace-with-min-32-char-random-string DATABASE_URL="postgresql://postgres.[project]:[password]@aws-0-ap-northeast-1.pooler.supabase.com:6543/postgres?pgbouncer=true" DIRECT_URL="postgresql://postgres.[project]:[password]@db.uwxfseowdzuuepeeudrx.supabase.co:5432/postgres" JWT_SECRET="replace-with-32-char-minimum-random-string" +ADMIN_USERNAME="admin" +ADMIN_PASSWORD="replace-with-secure-admin-password" diff --git a/packages/web/src/lib/server/admin-auth.ts b/packages/web/src/lib/server/admin-auth.ts index 5390fa4..9ea5e84 100644 --- a/packages/web/src/lib/server/admin-auth.ts +++ b/packages/web/src/lib/server/admin-auth.ts @@ -6,18 +6,29 @@ import { NextRequest, NextResponse } from 'next/server' import { env } from './env' -export const ADMIN_USERNAME = 'admin' -export const ADMIN_PASSWORD = 'og9oRajx7h88v1RIj3eDgdrh9jgLYVV3' +export const ADMIN_USERNAME = env.ADMIN_USERNAME +export const ADMIN_PASSWORD = env.ADMIN_PASSWORD const ADMIN_SESSION_COOKIE = 'argos_admin_session' const ADMIN_SESSION_TTL_MS = 12 * 60 * 60 * 1000 const ADMIN_IMPERSONATION_TTL_MS = 60 * 1000 const ADMIN_IMPERSONATION_PREFIX = 'argos_imp' +const MAX_SAFE_EQUAL_BYTES = 512 function safeEqual(a: string, b: string): boolean { - const aHash = createHmac('sha256', env.JWT_SECRET).update(a).digest() - const bHash = createHmac('sha256', env.JWT_SECRET).update(b).digest() - return timingSafeEqual(aHash, bHash) + const aBytes = Buffer.from(a) + const bBytes = Buffer.from(b) + + if (aBytes.length > MAX_SAFE_EQUAL_BYTES || bBytes.length > MAX_SAFE_EQUAL_BYTES) { + return false + } + + const aPadded = Buffer.alloc(MAX_SAFE_EQUAL_BYTES) + const bPadded = Buffer.alloc(MAX_SAFE_EQUAL_BYTES) + aBytes.copy(aPadded) + bBytes.copy(bPadded) + + return timingSafeEqual(aPadded, bPadded) && aBytes.length === bBytes.length } function sign(payload: string): string { diff --git a/packages/web/src/lib/server/env.ts b/packages/web/src/lib/server/env.ts index 86ed9a3..8fa75c7 100644 --- a/packages/web/src/lib/server/env.ts +++ b/packages/web/src/lib/server/env.ts @@ -5,6 +5,10 @@ const EnvSchema = z.object({ DATABASE_URL: z.string().min(1), DIRECT_URL: z.string().min(1), JWT_SECRET: z.string().min(32), + ADMIN_USERNAME: z.string().min(1).max(128).refine((value) => !value.includes('.'), { + message: 'ADMIN_USERNAME must not contain "."', + }), + ADMIN_PASSWORD: z.string().min(16).max(512), }) export const env = EnvSchema.parse(process.env)