fix(magic env) HEX secrets creating double the length of their name (#9820)

2026-05-11 10:56:23 +02:00 · 2026-05-11 10:56:23 +02:00 · 61b124b434
commit 61b124b434
parent 8044045f13 7c5dc8bae1
7 changed files with 42 additions and 14 deletions
--- a/bootstrap/helpers/shared.php
+++ b/bootstrap/helpers/shared.php
@ -1400,23 +1400,23 @@ function generateEnvValue(string $command, Service|Application|null $service = n
            break;
            // This is base64,
        case 'REALBASE64_64':
-            $generatedValue = base64_encode(Str::random(64));
+            $generatedValue = base64_encode(random_bytes(64));
            break;
        case 'REALBASE64_128':
-            $generatedValue = base64_encode(Str::random(128));
+            $generatedValue = base64_encode(random_bytes(128));
            break;
        case 'REALBASE64':
        case 'REALBASE64_32':
-            $generatedValue = base64_encode(Str::random(32));
+            $generatedValue = base64_encode(random_bytes(32));
            break;
        case 'HEX_32':
-            $generatedValue = bin2hex(Str::random(32));
+            $generatedValue = bin2hex(random_bytes(16));
            break;
        case 'HEX_64':
-            $generatedValue = bin2hex(Str::random(64));
+            $generatedValue = bin2hex(random_bytes(32));
            break;
        case 'HEX_128':
-            $generatedValue = bin2hex(Str::random(128));
+            $generatedValue = bin2hex(random_bytes(64));
            break;
        case 'USER':
            $generatedValue = Str::random(16);
--- a/templates/compose/bluesky-pds.yaml
+++ b/templates/compose/bluesky-pds.yaml
@ -13,10 +13,10 @@ services:
    environment:
      - SERVICE_URL_PDS_3000
      - 'PDS_HOSTNAME=${SERVICE_FQDN_PDS}'
-      - 'PDS_JWT_SECRET=${SERVICE_HEX_32_JWTSECRET}'
+      - 'PDS_JWT_SECRET=${SERVICE_HEX_64_JWTSECRET}'
      - 'PDS_ADMIN_PASSWORD=${SERVICE_PASSWORD_ADMIN}'
      - 'PDS_ADMIN_EMAIL=${PDS_ADMIN_EMAIL}'
-      - 'PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX=${SERVICE_HEX_32_ROTATIONKEY}'
+      - 'PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX=${SERVICE_HEX_64_ROTATIONKEY}'
      - 'PDS_DATA_DIRECTORY=${PDS_DATA_DIRECTORY:-/pds}'
      - 'PDS_BLOBSTORE_DISK_LOCATION=${PDS_DATA_DIRECTORY:-/pds}/blocks'
      - 'PDS_BLOB_UPLOAD_LIMIT=${PDS_BLOB_UPLOAD_LIMIT:-104857600}'
--- a/templates/compose/convex.yaml
+++ b/templates/compose/convex.yaml
@ -13,7 +13,7 @@ services:
    environment:
      - SERVICE_URL_BACKEND_3210
      - INSTANCE_NAME=${INSTANCE_NAME:-self-hosted-convex}
-      - INSTANCE_SECRET=${SERVICE_HEX_32_SECRET}
+      - INSTANCE_SECRET=${SERVICE_HEX_64_SECRET}
      - CONVEX_RELEASE_VERSION_DEV=${CONVEX_RELEASE_VERSION_DEV:-}
      - ACTIONS_USER_TIMEOUT_SECS=${ACTIONS_USER_TIMEOUT_SECS:-}
      # URL of the Convex API as accessed by the client/frontend.
--- a/templates/compose/getoutline.yaml
+++ b/templates/compose/getoutline.yaml
@ -18,7 +18,7 @@ services:
    environment:
      - SERVICE_URL_OUTLINE_3000
      - NODE_ENV=production
-      - SECRET_KEY=${SERVICE_HEX_32_OUTLINE}
+      - SECRET_KEY=${SERVICE_HEX_64_OUTLINE}
      - UTILS_SECRET=${SERVICE_PASSWORD_64_OUTLINE}
      - DATABASE_URL=postgres://${SERVICE_USER_POSTGRES}:${SERVICE_PASSWORD_64_POSTGRES}@postgres:5432/${POSTGRES_DATABASE:-outline}
      - REDIS_URL=redis://:${SERVICE_PASSWORD_64_REDIS}@redis:6379
--- a/templates/compose/homarr.yaml
+++ b/templates/compose/homarr.yaml
@ -10,8 +10,7 @@ services:
    image: ghcr.io/homarr-labs/homarr:v1.40.0
    environment:
      - SERVICE_URL_HOMARR_7575
-      - SERVICE_HEX_32_HOMARR
-      - 'SECRET_ENCRYPTION_KEY=${SERVICE_HEX_32_HOMARR}'
+      - 'SECRET_ENCRYPTION_KEY=${SERVICE_HEX_64_HOMARR}'
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./homarr/appdata:/appdata
--- a/templates/compose/open-archiver.yaml
+++ b/templates/compose/open-archiver.yaml
@ -10,8 +10,8 @@ services:
    image: logiclabshq/open-archiver:latest
    environment:
      - SERVICE_URL_OPENARCHIVER_3000
-      - ENCRYPTION_KEY=${SERVICE_HEX_32_ENCRYPTIONKEY}
-      - STORAGE_ENCRYPTION_KEY=${SERVICE_HEX_32_STORAGEENCRYPTIONKEY}
+      - ENCRYPTION_KEY=${SERVICE_HEX_64_ENCRYPTIONKEY}
+      - STORAGE_ENCRYPTION_KEY=${SERVICE_HEX_64_STORAGEENCRYPTIONKEY}
      - PORT_BACKEND=${PORT_BACKEND:-4000}
      - PORT_FRONTEND=${PORT_FRONTEND:-3000}
      - NODE_ENV=${NODE_ENV:-production}
--- a/tests/Unit/GenerateEnvValueTest.php
+++ b/tests/Unit/GenerateEnvValueTest.php
@ -0,0 +1,29 @@
+<?php
+
+test('hex magic variables generate valid hex strings with expected lengths', function (string $command, int $expectedLength) {
+    $value = generateEnvValue($command);
+
+    expect($value)
+        ->toBeString()
+        ->toMatch('/^[0-9a-f]+$/');
+
+    expect(strlen($value))->toBe($expectedLength);
+})->with([
+    'HEX_32' => ['HEX_32', 32],
+    'HEX_64' => ['HEX_64', 64],
+    'HEX_128' => ['HEX_128', 128],
+]);
+
+test('real base64 magic variables generate valid base64 strings from expected byte lengths', function (string $command, int $expectedBytes) {
+    $value = generateEnvValue($command);
+    $decodedValue = base64_decode($value, true);
+
+    expect($value)->toBeString();
+    expect($decodedValue)->not->toBeFalse();
+    expect(strlen($decodedValue))->toBe($expectedBytes);
+})->with([
+    'REALBASE64' => ['REALBASE64', 32],
+    'REALBASE64_32' => ['REALBASE64_32', 32],
+    'REALBASE64_64' => ['REALBASE64_64', 64],
+    'REALBASE64_128' => ['REALBASE64_128', 128],
+]);