add ENCRYPTION_SECRET (#34)

Currently, previously issued AccessTokens break on every new deploy: no fixed encryption key is configured, so a new one is generated for each deploy.
Ryan Arakawa 1 month ago committed by GitHub
parent 587438b7f9
commit 30cd83ea89

@ -168,6 +168,7 @@ fetch_env_variables() {
export NEWRELIC_LICENSE_KEY=$(echo "$SECRET_JSON" | jq -r '.newrelic_license_key') export NEWRELIC_LICENSE_KEY=$(echo "$SECRET_JSON" | jq -r '.newrelic_license_key')
export NEWRELIC_APP_NAME=$(echo "$SECRET_JSON" | jq -r '.newrelic_app_name') export NEWRELIC_APP_NAME=$(echo "$SECRET_JSON" | jq -r '.newrelic_app_name')
export NEWRELIC_MONITOR_MODE=$(echo "$SECRET_JSON" | jq -r '.newrelic_monitor_mode') export NEWRELIC_MONITOR_MODE=$(echo "$SECRET_JSON" | jq -r '.newrelic_monitor_mode')
export ENCRYPTION_SECRET=$(echo "$SECRET_JSON" | jq -r '.ENCRYPTION_SECRET // empty')
# Validate that we got the values # Validate that we got the values
@ -177,6 +178,12 @@ fetch_env_variables() {
exit 1 exit 1
fi fi
# Warn if encryption secret is missing (important for ActiveRecord encryption)
if [ -z "$ENCRYPTION_SECRET" ]; then
echo "WARNING: ENCRYPTION_SECRET not found in secrets"
echo "WARNING: ActiveRecord encryption may not work correctly"
fi
# Write variables to .env.production file # Write variables to .env.production file
echo "Writing environment variables to .env.production..." echo "Writing environment variables to .env.production..."
@ -191,6 +198,7 @@ fetch_env_variables() {
grep -v "^NEWRELIC_LICENSE_KEY=" ./.env.production.tmp > ./.env.production || true grep -v "^NEWRELIC_LICENSE_KEY=" ./.env.production.tmp > ./.env.production || true
grep -v "^NEWRELIC_APP_NAME=" ./.env.production.tmp > ./.env.production || true grep -v "^NEWRELIC_APP_NAME=" ./.env.production.tmp > ./.env.production || true
grep -v "^NEWRELIC_MONITOR_MODE=" ./.env.production.tmp > ./.env.production || true grep -v "^NEWRELIC_MONITOR_MODE=" ./.env.production.tmp > ./.env.production || true
grep -v "^ENCRYPTION_SECRET=" ./.env.production.tmp > ./.env.production || true
rm -f ./.env.production.tmp rm -f ./.env.production.tmp
fi fi
@ -204,6 +212,12 @@ fetch_env_variables() {
echo "NEWRELIC_APP_NAME=$NEWRELIC_APP_NAME" >> ./.env.production echo "NEWRELIC_APP_NAME=$NEWRELIC_APP_NAME" >> ./.env.production
echo "NEWRELIC_MONITOR_MODE=$NEWRELIC_MONITOR_MODE" >> ./.env.production echo "NEWRELIC_MONITOR_MODE=$NEWRELIC_MONITOR_MODE" >> ./.env.production
# Add encryption secret if it exists
if [ -n "$ENCRYPTION_SECRET" ]; then
echo "ENCRYPTION_SECRET=$ENCRYPTION_SECRET" >> ./.env.production
echo "✓ ENCRYPTION_SECRET written to .env.production"
fi
echo "✓ Environment variables successfully retrieved and written to .env.production" echo "✓ Environment variables successfully retrieved and written to .env.production"
} }
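Review bot: The added `grep -v "^ENCRYPTION_SECRET=" ./.env.production.tmp > ./.env.production || true` copies the pattern of the three lines above it, and as far as the visible lines show each of those reads the .tmp file and truncates .env.production, so only the last filter in the chain takes effect; with this line appended, stale `NEWRELIC_MONITOR_MODE=` lines (and those of every earlier key) in the .tmp file now survive into .env.production and are then duplicated by the `>>` appends further down. Collapse the chain into a single pass, `grep -v -e "^NEWRELIC_LICENSE_KEY=" -e "^NEWRELIC_APP_NAME=" -e "^NEWRELIC_MONITOR_MODE=" -e "^ENCRYPTION_SECRET=" ./.env.production.tmp > ./.env.production || true`, adding one `-e` per key that the earlier, unseen lines of the chain filter. The enclosing fetch_env_variables() starts and ends outside these hunks.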

@ -168,7 +168,7 @@ fetch_env_variables() {
export NEWRELIC_LICENSE_KEY=$(echo "$SECRET_JSON" | jq -r '.newrelic_license_key') export NEWRELIC_LICENSE_KEY=$(echo "$SECRET_JSON" | jq -r '.newrelic_license_key')
export NEWRELIC_APP_NAME=$(echo "$SECRET_JSON" | jq -r '.newrelic_app_name') export NEWRELIC_APP_NAME=$(echo "$SECRET_JSON" | jq -r '.newrelic_app_name')
export NEWRELIC_MONITOR_MODE=$(echo "$SECRET_JSON" | jq -r '.newrelic_monitor_mode') export NEWRELIC_MONITOR_MODE=$(echo "$SECRET_JSON" | jq -r '.newrelic_monitor_mode')
export ENCRYPTION_SECRET=$(echo "$SECRET_JSON" | jq -r '.ENCRYPTION_SECRET // empty')
# Validate that we got the values # Validate that we got the values
if [ "$DB_HOST" = "null" ] || [ "$REDIS_URL" = "null" ] || [ "$S3_ATTACHMENTS_BUCKET" = "null" ] || [ -z "$DB_HOST" ] || [ -z "$REDIS_URL" ] || [ -z "$S3_ATTACHMENTS_BUCKET" ]; then if [ "$DB_HOST" = "null" ] || [ "$REDIS_URL" = "null" ] || [ "$S3_ATTACHMENTS_BUCKET" = "null" ] || [ -z "$DB_HOST" ] || [ -z "$REDIS_URL" ] || [ -z "$S3_ATTACHMENTS_BUCKET" ]; then
@ -177,6 +177,12 @@ fetch_env_variables() {
exit 1 exit 1
fi fi
# Warn if encryption secret is missing (important for ActiveRecord encryption)
if [ -z "$ENCRYPTION_SECRET" ]; then
echo "WARNING: ENCRYPTION_SECRET not found in secrets"
echo "WARNING: ActiveRecord encryption may not work correctly"
fi
# Write variables to .env.staging file # Write variables to .env.staging file
echo "Writing environment variables to .env.staging..." echo "Writing environment variables to .env.staging..."
@ -191,6 +197,7 @@ fetch_env_variables() {
grep -v "^NEWRELIC_LICENSE_KEY=" ./.env.staging.tmp > ./.env.staging || true grep -v "^NEWRELIC_LICENSE_KEY=" ./.env.staging.tmp > ./.env.staging || true
grep -v "^NEWRELIC_APP_NAME=" ./.env.staging.tmp > ./.env.staging || true grep -v "^NEWRELIC_APP_NAME=" ./.env.staging.tmp > ./.env.staging || true
grep -v "^NEWRELIC_MONITOR_MODE=" ./.env.staging.tmp > ./.env.staging || true grep -v "^NEWRELIC_MONITOR_MODE=" ./.env.staging.tmp > ./.env.staging || true
grep -v "^ENCRYPTION_SECRET=" ./.env.staging.tmp > ./.env.staging || true
rm -f ./.env.staging.tmp rm -f ./.env.staging.tmp
fi fi
@ -204,6 +211,12 @@ fetch_env_variables() {
echo "NEWRELIC_APP_NAME=$NEWRELIC_APP_NAME" >> ./.env.staging echo "NEWRELIC_APP_NAME=$NEWRELIC_APP_NAME" >> ./.env.staging
echo "NEWRELIC_MONITOR_MODE=$NEWRELIC_MONITOR_MODE" >> ./.env.staging echo "NEWRELIC_MONITOR_MODE=$NEWRELIC_MONITOR_MODE" >> ./.env.staging
# Add encryption secret if it exists
if [ -n "$ENCRYPTION_SECRET" ]; then
echo "ENCRYPTION_SECRET=$ENCRYPTION_SECRET" >> ./.env.staging
echo "✓ ENCRYPTION_SECRET written to .env.staging"
fi
echo "✓ Environment variables successfully retrieved and written to .env.staging" echo "✓ Environment variables successfully retrieved and written to .env.staging"
} }
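Review bot: A missing ENCRYPTION_SECRET only prints a WARNING and the script carries on, whereas a missing DB_HOST, REDIS_URL or S3_ATTACHMENTS_BUCKET exits with status 1 a few lines above; given the stated purpose of this change (a stable key so previously issued AccessTokens survive a deploy), a deploy that proceeds without the secret presumably reproduces the very breakage being fixed, and does so silently in a log line nobody gates on. Treat it like the other required values: replace the two `echo "WARNING: ..."` lines with `echo "ERROR: ENCRYPTION_SECRET not found in secrets" >&2` followed by `exit 1` (diagnostics belong on stderr). If a staging deploy is deliberately allowed to run without it, say so in the comment above the check so the next reader knows the warning is intentional. fetch_env_variables() begins and ends outside the hunks shown.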

@ -169,6 +169,7 @@ fetch_env_variables() {
export CF_KEY_SECRET=$(echo "$SECRET_JSON" | jq -r '.cf_key_secret') export CF_KEY_SECRET=$(echo "$SECRET_JSON" | jq -r '.cf_key_secret')
export SECURED_STORAGE_BUCKET=$(echo "$SECRET_JSON" | jq -r '.secured_storage_bucket') export SECURED_STORAGE_BUCKET=$(echo "$SECRET_JSON" | jq -r '.secured_storage_bucket')
export SECURED_STORAGE_REGION=$(echo "$SECRET_JSON" | jq -r '.secured_storage_region') export SECURED_STORAGE_REGION=$(echo "$SECRET_JSON" | jq -r '.secured_storage_region')
export ENCRYPTION_SECRET=$(echo "$SECRET_JSON" | jq -r '.ENCRYPTION_SECRET // empty')
# Validate that we got the values # Validate that we got the values
if [ "$DB_HOST" = "null" ] || [ "$REDIS_URL" = "null" ] || [ "$S3_ATTACHMENTS_BUCKET" = "null" ] || [ -z "$DB_HOST" ] || [ -z "$REDIS_URL" ] || [ -z "$S3_ATTACHMENTS_BUCKET" ]; then if [ "$DB_HOST" = "null" ] || [ "$REDIS_URL" = "null" ] || [ "$S3_ATTACHMENTS_BUCKET" = "null" ] || [ -z "$DB_HOST" ] || [ -z "$REDIS_URL" ] || [ -z "$S3_ATTACHMENTS_BUCKET" ]; then
@ -183,6 +184,12 @@ fetch_env_variables() {
exit 1 exit 1
fi fi
# Warn if encryption secret is missing (important for ActiveRecord encryption)
if [ -z "$ENCRYPTION_SECRET" ]; then
echo "WARNING: ENCRYPTION_SECRET not found in secrets"
echo "WARNING: ActiveRecord encryption may not work correctly"
fi
# Write variables to .env.production file # Write variables to .env.production file
echo "Writing environment variables to .env.production..." echo "Writing environment variables to .env.production..."
@ -202,6 +209,7 @@ fetch_env_variables() {
grep -v "^CF_KEY_SECRET=" ./.env.production.tmp > ./.env.production || true grep -v "^CF_KEY_SECRET=" ./.env.production.tmp > ./.env.production || true
grep -v "^SECURED_STORAGE_BUCKET=" ./.env.production.tmp > ./.env.production || true grep -v "^SECURED_STORAGE_BUCKET=" ./.env.production.tmp > ./.env.production || true
grep -v "^SECURED_STORAGE_REGION=" ./.env.production.tmp > ./.env.production || true grep -v "^SECURED_STORAGE_REGION=" ./.env.production.tmp > ./.env.production || true
grep -v "^ENCRYPTION_SECRET=" ./.env.production.tmp > ./.env.production || true
rm -f ./.env.production.tmp rm -f ./.env.production.tmp
fi fi
@ -220,6 +228,12 @@ fetch_env_variables() {
echo "SECURED_STORAGE_BUCKET=$SECURED_STORAGE_BUCKET" >> ./.env.production echo "SECURED_STORAGE_BUCKET=$SECURED_STORAGE_BUCKET" >> ./.env.production
echo "SECURED_STORAGE_REGION=$SECURED_STORAGE_REGION" >> ./.env.production echo "SECURED_STORAGE_REGION=$SECURED_STORAGE_REGION" >> ./.env.production
# Add encryption secret if it exists
if [ -n "$ENCRYPTION_SECRET" ]; then
echo "ENCRYPTION_SECRET=$ENCRYPTION_SECRET" >> ./.env.production
echo "✓ ENCRYPTION_SECRET written to .env.production"
fi
echo "✓ Environment variables successfully retrieved and written to .env.production" echo "✓ Environment variables successfully retrieved and written to .env.production"
} }
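Review bot: `echo "ENCRYPTION_SECRET=$ENCRYPTION_SECRET" >> ./.env.production` writes the secret unquoted, so a value containing `#`, whitespace or `$` may be truncated or mangled by whatever dotenv loader reads the file (the loader is outside this hunk, so the exact rules are unknown from here). Prefer `printf 'ENCRYPTION_SECRET=%s\n' "$ENCRYPTION_SECRET" >> ./.env.production`, and quote the value in the file if the loader supports it. Since .env.production now holds the data-encryption key in plaintext next to CF_KEY_SECRET, also consider `chmod 600 ./.env.production` after the writes unless something outside the hunk already restricts its mode. The enclosing fetch_env_variables() starts outside the hunk.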

@ -173,6 +173,7 @@ fetch_env_variables() {
export CF_KEY_SECRET=$(echo "$SECRET_JSON" | jq -r '.cf_key_secret') export CF_KEY_SECRET=$(echo "$SECRET_JSON" | jq -r '.cf_key_secret')
export SECURED_STORAGE_BUCKET=$(echo "$SECRET_JSON" | jq -r '.secured_storage_bucket') export SECURED_STORAGE_BUCKET=$(echo "$SECRET_JSON" | jq -r '.secured_storage_bucket')
export SECURED_STORAGE_REGION=$(echo "$SECRET_JSON" | jq -r '.secured_storage_region') export SECURED_STORAGE_REGION=$(echo "$SECRET_JSON" | jq -r '.secured_storage_region')
export ENCRYPTION_SECRET=$(echo "$SECRET_JSON" | jq -r '.ENCRYPTION_SECRET // empty')
# Validate that we got the values # Validate that we got the values
@ -188,6 +189,12 @@ fetch_env_variables() {
exit 1 exit 1
fi fi
# Warn if encryption secret is missing (important for ActiveRecord encryption)
if [ -z "$ENCRYPTION_SECRET" ]; then
echo "WARNING: ENCRYPTION_SECRET not found in secrets"
echo "WARNING: ActiveRecord encryption may not work correctly"
fi
# Write variables to .env.staging file # Write variables to .env.staging file
echo "Writing environment variables to .env.staging..." echo "Writing environment variables to .env.staging..."
@ -207,6 +214,7 @@ fetch_env_variables() {
grep -v "^CF_KEY_SECRET=" ./.env.staging.tmp > ./.env.staging || true grep -v "^CF_KEY_SECRET=" ./.env.staging.tmp > ./.env.staging || true
grep -v "^SECURED_STORAGE_BUCKET=" ./.env.staging.tmp > ./.env.staging || true grep -v "^SECURED_STORAGE_BUCKET=" ./.env.staging.tmp > ./.env.staging || true
grep -v "^SECURED_STORAGE_REGION=" ./.env.staging.tmp > ./.env.staging || true grep -v "^SECURED_STORAGE_REGION=" ./.env.staging.tmp > ./.env.staging || true
grep -v "^ENCRYPTION_SECRET=" ./.env.staging.tmp > ./.env.staging || true
rm -f ./.env.staging.tmp rm -f ./.env.staging.tmp
fi fi
@ -225,6 +233,12 @@ fetch_env_variables() {
echo "SECURED_STORAGE_BUCKET=$SECURED_STORAGE_BUCKET" >> ./.env.staging echo "SECURED_STORAGE_BUCKET=$SECURED_STORAGE_BUCKET" >> ./.env.staging
echo "SECURED_STORAGE_REGION=$SECURED_STORAGE_REGION" >> ./.env.staging echo "SECURED_STORAGE_REGION=$SECURED_STORAGE_REGION" >> ./.env.staging
# Add encryption secret if it exists
if [ -n "$ENCRYPTION_SECRET" ]; then
echo "ENCRYPTION_SECRET=$ENCRYPTION_SECRET" >> ./.env.staging
echo "✓ ENCRYPTION_SECRET written to .env.staging"
fi
echo "✓ Environment variables successfully retrieved and written to .env.staging" echo "✓ Environment variables successfully retrieved and written to .env.staging"
} }
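Review bot: The jq lookup `.ENCRYPTION_SECRET // empty` uses an upper-case key while every other field read from `$SECRET_JSON` in this file is lower_snake_case (`cf_key_secret`, `secured_storage_bucket`, `secured_storage_region`); if the secret was stored under `encryption_secret` to match, the lookup returns empty, the script only warns, and the deploy proceeds without the key. Either align with the existing convention, `export ENCRYPTION_SECRET=$(echo "$SECRET_JSON" | jq -r '.encryption_secret // empty')`, or add a comment on that line stating that the secrets-manager key is deliberately upper-case, so the mismatch is not mistaken for a typo. A short comment that `// empty` already turns a JSON null into an empty string, which is why the `-z` test suffices here where the other fields also compare against the literal `"null"`, would save the next reader the same question. The enclosing fetch_env_variables() is cut at both ends of these hunks.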
