fix(docker): replace anonymous docker volume with env variable for encrypting secrets (#1809)

packages/auth/env.mjs

@@ -64,7 +64,6 @@ export const env = createEnv({
   server: {
     AUTH_LOGOUT_REDIRECT_URL: z.string().url().optional(),
     AUTH_SESSION_EXPIRY_TIME: createDurationSchema("30d"),
-    AUTH_SECRET: process.env.NODE_ENV === "production" ? z.string().min(1) : z.string().min(1).optional(),
     AUTH_PROVIDERS: authProvidersSchema,
     ...(authProviders.includes("oidc")
       ? {
@@ -98,7 +97,6 @@ export const env = createEnv({
   runtimeEnv: {
     AUTH_LOGOUT_REDIRECT_URL: process.env.AUTH_LOGOUT_REDIRECT_URL,
     AUTH_SESSION_EXPIRY_TIME: process.env.AUTH_SESSION_EXPIRY_TIME,
-    AUTH_SECRET: process.env.AUTH_SECRET,
     AUTH_PROVIDERS: process.env.AUTH_PROVIDERS,
     AUTH_LDAP_BASE: process.env.AUTH_LDAP_BASE,
     AUTH_LDAP_BIND_DN: process.env.AUTH_LDAP_BIND_DN,

packages/common/env.mjs

@@ -0,0 +1,28 @@
+import { randomBytes } from "crypto";
+import { createEnv } from "@t3-oss/env-nextjs";
+import { z } from "zod";
+
+const errorSuffix = `, please generate a 64 character secret in hex format or use the following: "${randomBytes(32).toString("hex")}"`;
+
+export const env = createEnv({
+  server: {
+    SECRET_ENCRYPTION_KEY: z
+      .string({
+        required_error: `SECRET_ENCRYPTION_KEY is required${errorSuffix}`,
+      })
+      .min(64, {
+        message: `SECRET_ENCRYPTION_KEY has to be 64 characters${errorSuffix}`,
+      })
+      .max(64, {
+        message: `SECRET_ENCRYPTION_KEY has to be 64 characters${errorSuffix}`,
+      })
+      .regex(/^[0-9a-fA-F]{64}$/, {
+        message: `SECRET_ENCRYPTION_KEY must only contain hex characters${errorSuffix}`,
+      }),
+  },
+  runtimeEnv: {
+    SECRET_ENCRYPTION_KEY: process.env.SECRET_ENCRYPTION_KEY,
+  },
+  skipValidation:
+    Boolean(process.env.CI) || Boolean(process.env.SKIP_ENV_VALIDATION) || process.env.npm_lifecycle_event === "lint",
+});

packages/common/package.json

@@ -8,7 +8,8 @@
     ".": "./index.ts",
     "./types": "./src/types.ts",
     "./server": "./src/server.ts",
-    "./client": "./src/client.ts"
+    "./client": "./src/client.ts",
+    "./env.mjs": "./env.mjs"
   },
   "typesVersions": {
     "*": {

packages/common/src/encryption.ts

@@ -1,20 +1,12 @@
 import crypto from "crypto";
 
-import { logger } from "@homarr/log";
+import { env } from "../env.mjs";
 
 const algorithm = "aes-256-cbc"; //Using AES encryption
-const fallbackKey = "0000000000000000000000000000000000000000000000000000000000000000";
-const encryptionKey = process.env.ENCRYPTION_KEY ?? fallbackKey; // Fallback to a default key for local development
-if (encryptionKey === fallbackKey) {
-  logger.warn("Using a fallback encryption key, stored secrets are not secure");
 
-  // We never want to use the fallback key in production
-  if (process.env.NODE_ENV === "production" && process.env.CI !== "true") {
-    throw new Error("Encryption key is not set");
-  }
-}
-
-const key = Buffer.from(encryptionKey, "hex");
+// We fallback to a key of 0s if the key was not provided because env validation was skipped
+// This should only be the case in CI
+const key = Buffer.from(env.SECRET_ENCRYPTION_KEY || "0".repeat(64), "hex");
 
 export function encryptSecret(text: string): `${string}.${string}` {
   const initializationVector = crypto.randomBytes(16);