From 37c962e30e51bde9ae0795aaeef5c34d7f96707b Mon Sep 17 00:00:00 2001
From: Nadav Ivgi
Date: Tue, 5 Feb 2019 11:44:56 +0200
Subject: [PATCH] Derive cookie secret using bitcoind's rpc credentials

This ensures a unique, hard-to-guess cookie secret for every instance. Also, renamed from "cookiePassword" to "cookieSecret" to better express its meaning.
---
 README.md | 2 +-
 app.js | 2 +-
 app/config.js | 8 +++++++-
 bin/cli.js | 2 +-
 4 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index ef501e9..a6cbffc 100644
--- a/README.md
+++ b/README.md
@@ -53,7 +53,7 @@ BTCEXP_BITCOIND_PORT = 8332
 BTCEXP_BITCOIND_USER = username
 BTCEXP_BITCOIND_PASS = password
 BTCEXP_IPSTACK_KEY = 0000aaaafffffgggggg
-BTCEXP_COOKIEPASSWORD = 0x000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f
+BTCEXP_COOKIE_SECRET = 0x000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f
 ```
 
 ## Run via Docker
diff --git a/app.js b/app.js
index fa1a3f5..90f638d 100755
--- a/app.js
+++ b/app.js
@@ -53,7 +53,7 @@ app.use(bodyParser.json());
 app.use(bodyParser.urlencoded({ extended: false }));
 app.use(cookieParser());
 app.use(session({
-  secret: config.cookiePassword,
+  secret: config.cookieSecret,
   resave: false,
   saveUninitialized: false
 }));
diff --git a/app/config.js b/app/config.js
index 9f8f62f..229755b 100644
--- a/app/config.js
+++ b/app/config.js
@@ -1,4 +1,5 @@
 var fs = require('fs');
+var crypto = require('crypto');
 var coins = require("./coins.js");
 
 var currentCoin = process.env.BTCEXP_COIN || "BTC";
@@ -15,8 +16,13 @@ if (rpcCred.cookie && !rpcCred.username && !rpcCred.password && fs.existsSync(rp
   if (!rpcCred.password) throw new Error('Cookie file '+rpcCred.cookie+' in unexpected format');
 }
 
+var cookieSecret = process.env.BTCEXP_COOKIE_SECRET
+  || (rpcCred.password && crypto.createHmac('sha256', JSON.stringify(rpcCred))
+  .update('btc-rpc-explorer-cookie-secret').digest('hex'))
+  || "0x000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f";
+
 module.exports = {
-  cookiePassword: process.env.BTCEXP_COOKIE_PASSWORD || "0x000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f",
+  cookieSecret: cookieSecret,
   demoSite: !!process.env.BTCEXP_DEMO,
   coin: currentCoin,
diff --git a/bin/cli.js b/bin/cli.js
index 22edb0e..64141f5 100755
--- a/bin/cli.js
+++ b/bin/cli.js
@@ -14,7 +14,7 @@ const args = require('meow')(`
     -u, --bitcoind-user username for bitcoind rpc [default: none]
     -w, --bitcoind-pass password for bitcoind rpc [default: none]
 
-    --cookie-password secret key for signed cookie hmac generation
+    --cookie-secret secret key for signed cookie hmac generation [default: hmac derive from bitcoind pass]
     --demo enable demoSite mode [default: disabled]
     --ipstack-key api access key for ipstack (for geoip) [default: disabled]
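Review bot: The last `||` branch of the new `cookieSecret` expression still signs sessions with the constant that README.md publishes, so an instance running without rpc credentials and without BTCEXP_COOKIE_SECRET shares a publicly known session-signing key with every other such instance; a per-process random fallback, `|| crypto.randomBytes(32).toString('hex')`, would cost only session persistence across restarts. The derived value is also no stronger than the rpc credentials that feed it, because `JSON.stringify(rpcCred)` is the HMAC key and the message is a fixed string, so a short user-chosen bitcoind password yields an equally guessable cookie secret; a comment above the block such as `// derived secret is only as unguessable as the rpc credentials; set BTCEXP_COOKIE_SECRET for an independent key` would keep that visible to operators. Renaming the environment variable from BTCEXP_COOKIE_PASSWORD to BTCEXP_COOKIE_SECRET silently discards the old setting on existing deployments; reading both, `process.env.BTCEXP_COOKIE_SECRET || process.env.BTCEXP_COOKIE_PASSWORD`, would keep them working through the transition. The hunk shows one context line fewer than its header counts declare, so part of the surrounding code is not visible here.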