This is an automated email from the ASF dual-hosted git repository.
jxue pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/helix.git
The following commit(s) were added to refs/heads/master by this push:
new aef8c0ee8 Do not start the server if user uses the default
SECRET_TOKEN env value (#2783)
aef8c0ee8 is described below
commit aef8c0ee848c5cbc4a8b3202b578b2fb01279edc
Author: Vivo <[email protected]>
AuthorDate: Thu Mar 21 13:17:03 2024 -0700
Do not start the server if user uses the default SECRET_TOKEN env value
(#2783)
* secure SECRET_TOKEN
* restrict the node version to 14
* format
---
.github/workflows/helix-front.yml | 10 +++++-----
helix-front/package.json | 4 ++++
helix-front/server/app.ts | 16 ++++++++++++++--
3 files changed, 23 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/helix-front.yml
b/.github/workflows/helix-front.yml
index 961aa0a4a..9b67dc33e 100644
--- a/.github/workflows/helix-front.yml
+++ b/.github/workflows/helix-front.yml
@@ -1,9 +1,9 @@
name: Helix Front CI
on:
pull_request:
- branches: [ master ]
+ branches: [master]
paths:
- - 'helix-front/**'
+ - "helix-front/**"
jobs:
CI:
@@ -16,9 +16,9 @@ jobs:
- name: Setup Node environment
uses: actions/setup-node@v3
with:
- node-version: '16.x'
- cache: 'yarn'
- cache-dependency-path: 'helix-front/yarn.lock'
+ node-version: "14.x"
+ cache: "yarn"
+ cache-dependency-path: "helix-front/yarn.lock"
- name: Install dependencies
run: yarn
diff --git a/helix-front/package.json b/helix-front/package.json
index e151010ae..b7256f6be 100644
--- a/helix-front/package.json
+++ b/helix-front/package.json
@@ -164,5 +164,9 @@
"typescript": "4.6.4",
"util": "^0.12.4",
"webpack": "5"
+ },
+ "engines": {
+ "npm": ">=6.0.0 <7.0.0",
+ "node": ">=14.0.0 <15.0.0"
}
}
diff --git a/helix-front/server/app.ts b/helix-front/server/app.ts
index 3560ed010..f34688711 100644
--- a/helix-front/server/app.ts
+++ b/helix-front/server/app.ts
@@ -18,6 +18,7 @@ import {
} from './config';
import setRoutes from './routes';
+const isProd = process.env.NODE_ENV === 'production';
const httpsProxyAgent = PROXY_URL ? new ProxyAgent(PROXY_URL) : null;
if (APP_INSIGHTS_CONNECTION_STRING) {
@@ -35,7 +36,7 @@ if (APP_INSIGHTS_CONNECTION_STRING) {
.start();
}
-if (httpsProxyAgent && process.env.NODE_ENV === 'production') {
+if (httpsProxyAgent && isProd) {
// NOTES:
//
// - `defaultClient` property on `appInsights` doesn't exist
@@ -52,13 +53,24 @@ const server = http.createServer(app);
dotenv.load({ path: '.env' });
app.set('port', process.env.PORT || 4200);
+const secretToken = process.env.SECRET_TOKEN;
+if (!secretToken || secretToken === 'promiseyouwillchangeit') {
+ if (isProd) {
+ throw new Error('Please change your SECRET_TOKEN env');
+ } else {
+ console.warn(
+ 'Remember to change your SECRET_TOKEN env before deploying to PROD'
+ );
+ }
+}
+
app.use('/', express.static(path.join(__dirname, '../public')));
app.use(bodyParser.json());
app.use(bodyParser.urlencoded({ extended: true }));
app.use(
session({
store: SESSION_STORE,
- secret: process.env.SECRET_TOKEN,
+ secret: secretToken,
resave: true,
saveUninitialized: true,
cookie: { expires: new Date(2147483647000) },
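Review bot: In the non-production branch the guard only warns, so a missing SECRET_TOKEN leaves `secretToken` undefined and it is still passed to `session({ secret: secretToken })` a few lines below; express-session rejects an absent secret at startup, so the developer gets a generic "secret option required" failure rather than the message this hunk prints. Throwing for the missing case regardless of environment keeps the failure explicit, e.g. `if (!secretToken) throw new Error('SECRET_TOKEN env must be set');` followed by the existing placeholder check. The check also accepts any value other than the exact placeholder, so a one-character token passes in production; a minimum-length requirement on `secretToken` would close that gap cheaply. Note that the hard failure depends on NODE_ENV being exactly 'production' at deploy time; if it is unset the guard silently degrades to a console warning, which is worth a comment above `if (isProd)`.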