fixed
@@ -1,5 +1,6 @@
|
|||||||
DATABASE_PATH=/data/inven.sqlite
|
DATABASE_PATH=/data/inven.sqlite
|
||||||
APP_NAME=Inven
|
APP_NAME=Inven
|
||||||
AUTH_SECRET=change-me-to-a-long-random-secret
|
AUTH_SECRET=change-me-to-a-long-random-secret
|
||||||
|
AUTH_SECURE_COOKIES=false
|
||||||
ADMIN_EMAIL=admin@example.com
|
ADMIN_EMAIL=admin@example.com
|
||||||
ADMIN_PASSWORD=change-me-now
|
ADMIN_PASSWORD=change-me-now
|
||||||
|
|||||||
@@ -64,6 +64,7 @@ Suggested Unraid mapping:
|
|||||||
- Container port: `3000`
|
- Container port: `3000`
|
||||||
- Environment variable: `DATABASE_PATH=/data/inven.sqlite`
|
- Environment variable: `DATABASE_PATH=/data/inven.sqlite`
|
||||||
- Environment variable: `AUTH_SECRET=<long random secret>`
|
- Environment variable: `AUTH_SECRET=<long random secret>`
|
||||||
|
- Environment variable: `AUTH_SECURE_COOKIES=false` for plain HTTP on a LAN, `true` only behind HTTPS
|
||||||
- Environment variable: `ADMIN_EMAIL=<admin email>`
|
- Environment variable: `ADMIN_EMAIL=<admin email>`
|
||||||
- Environment variable: `ADMIN_PASSWORD=<initial admin password>`
|
- Environment variable: `ADMIN_PASSWORD=<initial admin password>`
|
||||||
|
|
||||||
|
|||||||
@@ -17,6 +17,8 @@ If a change would alter how the container is built, started, configured, mapped,
|
|||||||
Recommended: `/data/inven.sqlite`
|
Recommended: `/data/inven.sqlite`
|
||||||
- `AUTH_SECRET`
|
- `AUTH_SECRET`
|
||||||
Use a long random string. This signs login sessions.
|
Use a long random string. This signs login sessions.
|
||||||
|
- `AUTH_SECURE_COOKIES`
|
||||||
|
Set to `false` for normal `http://` access on your LAN. Set to `true` only when the app is served over HTTPS.
|
||||||
- `ADMIN_EMAIL`
|
- `ADMIN_EMAIL`
|
||||||
Initial bootstrap admin email.
|
Initial bootstrap admin email.
|
||||||
- `ADMIN_PASSWORD`
|
- `ADMIN_PASSWORD`
|
||||||
@@ -27,6 +29,7 @@ Important:
|
|||||||
- The bootstrap admin is created only when the database has no users yet.
|
- The bootstrap admin is created only when the database has no users yet.
|
||||||
- Changing `ADMIN_EMAIL` or `ADMIN_PASSWORD` after first boot does not replace an existing user automatically.
|
- Changing `ADMIN_EMAIL` or `ADMIN_PASSWORD` after first boot does not replace an existing user automatically.
|
||||||
- Keep `AUTH_SECRET` stable after deployment. Rotating it will invalidate active sessions.
|
- Keep `AUTH_SECRET` stable after deployment. Rotating it will invalidate active sessions.
|
||||||
|
- If you access the app over plain HTTP and `AUTH_SECURE_COOKIES=true`, login will appear to work but the browser will not stay signed in.
|
||||||
|
|
||||||
## CLI Build And Run
|
## CLI Build And Run
|
||||||
|
|
||||||
@@ -62,6 +65,7 @@ docker run -d \
|
|||||||
-v /mnt/user/appdata/inven/data:/data \
|
-v /mnt/user/appdata/inven/data:/data \
|
||||||
-e DATABASE_PATH=/data/inven.sqlite \
|
-e DATABASE_PATH=/data/inven.sqlite \
|
||||||
-e AUTH_SECRET='replace-with-a-long-random-secret' \
|
-e AUTH_SECRET='replace-with-a-long-random-secret' \
|
||||||
|
-e AUTH_SECURE_COOKIES='false' \
|
||||||
-e ADMIN_EMAIL='admin@example.com' \
|
-e ADMIN_EMAIL='admin@example.com' \
|
||||||
-e ADMIN_PASSWORD='replace-with-a-strong-password' \
|
-e ADMIN_PASSWORD='replace-with-a-strong-password' \
|
||||||
--restart unless-stopped \
|
--restart unless-stopped \
|
||||||
@@ -126,6 +130,8 @@ Add these variables:
|
|||||||
Value: `/data/inven.sqlite`
|
Value: `/data/inven.sqlite`
|
||||||
- `AUTH_SECRET`
|
- `AUTH_SECRET`
|
||||||
Value: a long random secret
|
Value: a long random secret
|
||||||
|
- `AUTH_SECURE_COOKIES`
|
||||||
|
Value: `false` for standard LAN HTTP access
|
||||||
- `ADMIN_EMAIL`
|
- `ADMIN_EMAIL`
|
||||||
Value: your initial admin email
|
Value: your initial admin email
|
||||||
- `ADMIN_PASSWORD`
|
- `ADMIN_PASSWORD`
|
||||||
@@ -159,6 +165,7 @@ When app changes do require install changes:
|
|||||||
- Confirm `ADMIN_EMAIL` and `ADMIN_PASSWORD` were present on first boot
|
- Confirm `ADMIN_EMAIL` and `ADMIN_PASSWORD` were present on first boot
|
||||||
- If the database already existed before auth was configured, the bootstrap user may not have been created
|
- If the database already existed before auth was configured, the bootstrap user may not have been created
|
||||||
- Confirm `AUTH_SECRET` is set and stable
|
- Confirm `AUTH_SECRET` is set and stable
|
||||||
|
- Confirm `AUTH_SECURE_COOKIES=false` if you are not serving the app over HTTPS
|
||||||
|
|
||||||
### Sessions keep getting invalidated
|
### Sessions keep getting invalidated
|
||||||
|
|
||||||
|
|||||||
@@ -17,6 +17,10 @@ function getAuthSecret() {
|
|||||||
return process.env.AUTH_SECRET || "dev-insecure-auth-secret";
|
return process.env.AUTH_SECRET || "dev-insecure-auth-secret";
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function useSecureCookies() {
|
||||||
|
return process.env.AUTH_SECURE_COOKIES === "true";
|
||||||
|
}
|
||||||
|
|
||||||
function hashPassword(password: string) {
|
function hashPassword(password: string) {
|
||||||
const salt = crypto.randomBytes(16).toString("hex");
|
const salt = crypto.randomBytes(16).toString("hex");
|
||||||
const hash = crypto.scryptSync(password, salt, 64).toString("hex");
|
const hash = crypto.scryptSync(password, salt, 64).toString("hex");
|
||||||
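Review bot: `useSecureCookies()` returns false whenever `AUTH_SECURE_COOKIES` is unset, so any existing HTTPS deployment that upgrades without adding the new variable silently loses the Secure attribute on its session cookie; the removed line in the createSession hunk below tied the flag to `NODE_ENV === "production"`, and the first hunk (the env example) ships `false` as the default. Keeping the old rule as the fallback avoids that regression: `const raw = process.env.AUTH_SECURE_COOKIES;` / `if (raw === undefined) return process.env.NODE_ENV === "production";` / `return raw === "true";`. The function also has no return type and no comment stating the operator contract; `function useSecureCookies(): boolean` plus a one-line note that the variable must be `"true"` whenever the app is served over HTTPS would make the intent explicit. Any value other than the exact string `"true"` (for example `1` or `True`) is treated as false, which the comment should say or the check should normalise with `.trim().toLowerCase()`.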
@@ -105,7 +109,7 @@ export async function createSession(user: { id: number; email: string; role: str
|
|||||||
cookieStore.set(SESSION_COOKIE, encodeSession(payload), {
|
cookieStore.set(SESSION_COOKIE, encodeSession(payload), {
|
||||||
httpOnly: true,
|
httpOnly: true,
|
||||||
sameSite: "lax",
|
sameSite: "lax",
|
||||||
secure: process.env.NODE_ENV === "production",
|
secure: useSecureCookies(),
|
||||||
path: "/",
|
path: "/",
|
||||||
maxAge: SESSION_TTL_SECONDS
|
maxAge: SESSION_TTL_SECONDS
|
||||||
});
|
});
|
||||||
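Review bot: The `secure:` line now reads an operator-controlled setting with nothing at the call site saying what the setting means, and `createSession` starts outside the hunk, so a reader of this cookie block cannot tell when the attribute is expected to be on. A comment on that line would carry the contract: `// Secure attribute is opt-in via AUTH_SECURE_COOKIES; must be "true" whenever the app is served over HTTPS, otherwise the session cookie is sent in clear`. The `sameSite: "lax"` and `httpOnly: true` attributes are unchanged and remain appropriate for this cookie.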
|
|||||||