Derive cookie secret using bitcoind's rpc credentials

This ensures a unique, hard-to-guess cookie secret for every instance. Also, renamed from "cookiePassword" to "cookieSecret" to better express its meaning.
6 years ago · 37c962e30e
4 changed files with 10 additions and 4 deletions
--- a/README.md
+++ b/README.md
@ -53,7 +53,7 @@ BTCEXP_BITCOIND_PORT = 8332
 BTCEXP_BITCOIND_USER = username
 BTCEXP_BITCOIND_PASS = password
 BTCEXP_IPSTACK_KEY = 0000aaaafffffgggggg
-BTCEXP_COOKIEPASSWORD = 0x000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f
+BTCEXP_COOKIE_SECRET = 0x000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f
 ```

 ## Run via Docker
--- a/app.js
+++ b/app.js
@ -53,7 +53,7 @@ app.use(bodyParser.json());
 app.use(bodyParser.urlencoded({ extended: false }));
 app.use(cookieParser());
 app.use(session({
-	secret: config.cookiePassword,
+	secret: config.cookieSecret,
 	resave: false,
 	saveUninitialized: false
 }));
--- a/app/config.js
+++ b/app/config.js
@ -1,4 +1,5 @@
 var fs = require('fs');
+var crypto = require('crypto');
 var coins = require("./coins.js");

 var currentCoin = process.env.BTCEXP_COIN || "BTC";
@ -15,8 +16,13 @@ if (rpcCred.cookie && !rpcCred.username && !rpcCred.password && fs.existsSync(rp
  if (!rpcCred.password) throw new Error('Cookie file '+rpcCred.cookie+' in unexpected format');
 }

+var cookieSecret = process.env.BTCEXP_COOKIE_SECRET
+ || (rpcCred.password && crypto.createHmac('sha256', JSON.stringify(rpcCred))
+                               .update('btc-rpc-explorer-cookie-secret').digest('hex'))
+ || "0x000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f";
+
 module.exports = {
-	cookiePassword: process.env.BTCEXP_COOKIE_PASSWORD || "0x000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f",
+	cookieSecret: cookieSecret,
 	demoSite: !!process.env.BTCEXP_DEMO,
 	coin: currentCoin,

--- a/bin/cli.js
+++ b/bin/cli.js
@ -14,7 +14,7 @@ const args = require('meow')(`
      -u, --bitcoind-user <user>   username for bitcoind rpc [default: none]
      -w, --bitcoind-pass <pass>   password for bitcoind rpc [default: none]

-      --cookie-password <secret>   secret key for signed cookie hmac generation
+      --cookie-secret <secret>     secret key for signed cookie hmac generation [default: hmac derive from bitcoind pass]
      --demo                       enable demoSite mode [default: disabled]

      --ipstack-key <key>          api access key for ipstack (for geoip) [default: disabled]