diff --git a/backend/src/main/kotlin/com/opendatamask/config/StartupSecurityValidator.kt b/backend/src/main/kotlin/com/opendatamask/config/StartupSecurityValidator.kt index e220ce5..393921a 100644 --- a/backend/src/main/kotlin/com/opendatamask/config/StartupSecurityValidator.kt +++ b/backend/src/main/kotlin/com/opendatamask/config/StartupSecurityValidator.kt @@ -11,7 +11,8 @@ private val INSECURE_JWT_DEFAULTS = setOf( ) private val INSECURE_ENCRYPTION_DEFAULTS = setOf( - "0123456789abcdef" + "0123456789abcdef", + "change-this-16-char-key-for-prod" ) @Component diff --git a/backend/src/test/kotlin/com/opendatamask/config/StartupSecurityValidatorTest.kt b/backend/src/test/kotlin/com/opendatamask/config/StartupSecurityValidatorTest.kt index 8924805..31bdf1f 100644 --- a/backend/src/test/kotlin/com/opendatamask/config/StartupSecurityValidatorTest.kt +++ b/backend/src/test/kotlin/com/opendatamask/config/StartupSecurityValidatorTest.kt @@ -48,4 +48,13 @@ class StartupSecurityValidatorTest { ) assertThrows { validator.validate() } } + + @Test + fun `validate throws when ENCRYPTION_KEY is the docker-compose fallback default`() { + val validator = createValidator( + jwtSecret = "secure-jwt-secret", + encryptionKey = "change-this-16-char-key-for-prod" + ) + assertThrows { validator.validate() } + } } diff --git a/docker-compose.yml b/docker-compose.yml index c9c773e..71ba3d0 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -27,8 +27,8 @@ services: DATABASE_URL: jdbc:postgresql://postgres:5432/opendatamask DATABASE_USERNAME: opendatamask DATABASE_PASSWORD: opendatamask - JWT_SECRET: ${JWT_SECRET:-change-this-secret-in-production-must-be-at-least-256-bits-long} - ENCRYPTION_KEY: ${ENCRYPTION_KEY:-change-this-16-char-key-for-prod} + JWT_SECRET: ${JWT_SECRET:?JWT_SECRET must be set (generate with: openssl rand -base64 32)} + ENCRYPTION_KEY: ${ENCRYPTION_KEY:?ENCRYPTION_KEY must be set (generate with: openssl rand -base64 32)} SERVER_PORT: 8080 depends_on: postgres: