From 3781585862f8c6fd613bc2fe48634aeba53a163d Mon Sep 17 00:00:00 2001
From: Miguel Serrano
Date: Tue, 28 Jan 2020 07:16:23 +0100
Subject: [PATCH] Set CRYPTO_RANDOM as environment variable at startup time (#134)

---
 Dockerfile | 2 --
 init_scripts/00_regen_sharelatex_secrets.sh | 22 ++++++++++++++++-----
 settings.coffee | 4 ++--
 3 files changed, 19 insertions(+), 9 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index db3c98a793..48c14a26ff 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -84,8 +84,6 @@ RUN cd /var/www && ./git-revision.sh > revisions.txt
 # Set Environment Variables
 # --------------------------------
 ENV WEB_API_USER "sharelatex"
-# password is regenerated in init_scripts/00_regen_sharelatex_secrets.sh
-ENV WEB_API_PASSWORD "password"
 ENV SHARELATEX_APP_NAME "Overleaf Community Edition"
diff --git a/init_scripts/00_regen_sharelatex_secrets.sh b/init_scripts/00_regen_sharelatex_secrets.sh
index 80fd293260..695ca66f78 100755
--- a/init_scripts/00_regen_sharelatex_secrets.sh
+++ b/init_scripts/00_regen_sharelatex_secrets.sh
@@ -1,7 +1,19 @@
 #!/bin/sh
-# Create random secret keys (twice, once for http auth pass, once for cookie secret).
-CRYPTO_RANDOM=$(dd if=/dev/urandom bs=1 count=32 2>/dev/null | base64 -w 0 | rev | cut -b 2- | rev | tr -d '\n+/')
-sed -i "0,/CRYPTO_RANDOM/s/CRYPTO_RANDOM/$CRYPTO_RANDOM/" /etc/sharelatex/settings.coffee
-CRYPTO_RANDOM=$(dd if=/dev/urandom bs=1 count=32 2>/dev/null | base64 -w 0 | rev | cut -b 2- | rev | tr -d '\n+/')
-sed -i "0,/CRYPTO_RANDOM/s/CRYPTO_RANDOM/$CRYPTO_RANDOM/" /etc/sharelatex/settings.coffee
+# generate secrets and defines them as environment variables
+# https://github.com/phusion/baseimage-docker#centrally-defining-your-own-environment-variables
+
+WEB_API_PASSWORD_FILE=/etc/container_environment/WEB_API_PASSWORD
+CRYPTO_RANDOM_FILE=/etc/container_environment/CRYPTO_RANDOM
+
+if [ ! -f "$WEB_API_PASSWORD_FILE" ] || [ ! -f "$CRYPTO_RANDOM_FILE" ]; then
+
+ echo "generating random secrets"
+
+ SECRET=$(dd if=/dev/urandom bs=1 count=32 2>/dev/null | base64 -w 0 | rev | cut -b 2- | rev | tr -d '\n+/')
+ echo ${SECRET} > ${WEB_API_PASSWORD_FILE}
+
+ SECRET=$(dd if=/dev/urandom bs=1 count=32 2>/dev/null | base64 -w 0 | rev | cut -b 2- | rev | tr -d '\n+/')
+ echo ${SECRET} > ${CRYPTO_RANDOM_FILE}
+fi
+
diff --git a/settings.coffee b/settings.coffee
index 922fb32c04..32e2b3ba81 100644
--- a/settings.coffee
+++ b/settings.coffee
@@ -3,7 +3,7 @@ Path = require('path')
 # These credentials are used for authenticating api requests
 # between services that may need to go over public channels
 httpAuthUser = "sharelatex"
-httpAuthPass = "CRYPTO_RANDOM" # Randomly generated for you
+httpAuthPass = process.env["WEB_API_PASSWORD"]
 httpAuthUsers = {}
 httpAuthUsers[httpAuthUser] = httpAuthPass
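Review bot: If the `dd | base64 | ... | tr` pipeline fails, `SECRET` is empty and the `echo ${SECRET} > ...` lines in the new `if` block write an empty file that the `-f` test then accepts on every later boot, so the http-auth password or cookie secret would silently stay the empty string until someone deletes the files; with `2>/dev/null` nothing reaches the container log either. I'd generate each value through a small helper that refuses an empty result, write it with `printf` and quoted expansions, and set `umask 077` before writing so the files are not world-readable under the default umask (if baseimage-docker already restricts `/etc/container_environment`, the umask is harmless). Sketch below; the comment header and the two `*_FILE` assignments stay as in the hunk.
```shell
# … unchanged: comment header and *_FILE assignments …

# Print one random secret; fail loudly instead of emitting an empty string.
gen_secret() {
  secret=$(dd if=/dev/urandom bs=1 count=32 2>/dev/null | base64 -w 0 | rev | cut -b 2- | rev | tr -d '\n+/')
  [ -n "$secret" ] || { echo "failed to generate random secret" >&2; exit 1; }
  printf '%s\n' "$secret"
}

if [ ! -f "$WEB_API_PASSWORD_FILE" ] || [ ! -f "$CRYPTO_RANDOM_FILE" ]; then
  echo "generating random secrets"
  umask 077
  SECRET=$(gen_secret) || exit 1
  printf '%s\n' "$SECRET" > "$WEB_API_PASSWORD_FILE"
  SECRET=$(gen_secret) || exit 1
  printf '%s\n' "$SECRET" > "$CRYPTO_RANDOM_FILE"
fi
```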
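Review bot: `httpAuthPass = process.env["WEB_API_PASSWORD"]` has no fallback, and the Dockerfile hunk in this commit removes the `ENV WEB_API_PASSWORD` default, so if the init script has not run (or the file is loaded outside the container) `httpAuthUsers["sharelatex"]` becomes `undefined` instead of a configuration error; what the consumers of `httpAuthUsers` do with an undefined password is not visible here, but an explicit check is cheaper than finding out. I'd fail fast right after the assignment: `throw new Error("WEB_API_PASSWORD is not set") unless httpAuthPass`. The `sessionSecret` line in the hunk at line 162 has the same shape — `process.env["CRYPTO_RANDOM"]` may equally be undefined — and would benefit from the same guard, or at least a comment stating that the init script is expected to have populated both variables.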
@@ -162,7 +162,7 @@ settings =
 # If provided, a sessionSecret is used to sign cookies so that they cannot be
 # spoofed. This is recommended.
 security:
- sessionSecret: process.env["SHARELATEX_SESSION_SECRET"] or "CRYPTO_RANDOM" # This was randomly generated for you
+ sessionSecret: process.env["SHARELATEX_SESSION_SECRET"] or process.env["CRYPTO_RANDOM"]
 # These credentials are used for authenticating api requests
 # between services that may need to go over public channels