| author | nsfisis <nsfisis@gmail.com> | 2024-08-10 00:56:26 +0900 |
|---|---|---|
| committer | nsfisis <nsfisis@gmail.com> | 2024-08-10 00:56:26 +0900 |
| commit | a8f2594e8dcb741fb942092cbc53d64cf93132ef (patch) | |
| tree | c694b162e9c33d9f805b3c473a9d042f27ac63b7 | |
| parent | 01fafac46390e540f4d8766d53177a69da7e64ae (diff) | |
| parent | c04691e046910f0e419370472abcf0a3c615d6b7 (diff) | |
| download | iosdc-japan-2024-albatross-a8f2594e8dcb741fb942092cbc53d64cf93132ef.tar.gz iosdc-japan-2024-albatross-a8f2594e8dcb741fb942092cbc53d64cf93132ef.tar.zst iosdc-japan-2024-albatross-a8f2594e8dcb741fb942092cbc53d64cf93132ef.zip | |
Merge branch 'feat/security'
| -rw-r--r-- | .env.example | 2 | ||||
| -rw-r--r-- | .gitignore | 1 | ||||
| -rw-r--r-- | backend/auth/jwt.go | 20 | ||||
| -rw-r--r-- | backend/main.go | 4 | ||||
| -rw-r--r-- | compose.local.yaml | 2 | ||||
| -rw-r--r-- | compose.prod.yaml | 3 | ||||
| -rw-r--r-- | frontend/app/.server/session.ts | 5 | ||||
| -rw-r--r-- | frontend/app/root.tsx | 2 | ||||
| -rw-r--r-- | worker/main.go | 8 |
9 files changed, 36 insertions, 11 deletions
diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..f8186e1
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,2 @@
+ALBATROSS_JWT_SECRET=[your_secret_key]
+ALBATROSS_COOKIE_SECRET=[your_secret_key]
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..f10862a
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+/.env
diff --git a/backend/auth/jwt.go b/backend/auth/jwt.go
index 510656b..13af837 100644
--- a/backend/auth/jwt.go
+++ b/backend/auth/jwt.go
@@ -2,6 +2,7 @@ package auth
 import (
 "errors"
+ "os"
 "time"
 "github.com/golang-jwt/jwt/v5"
@@ -9,6 +10,17 @@ import (
 "github.com/nsfisis/iosdc-japan-2024-albatross/backend/db"
 )
+var (
+ jwtSecret []byte
+)
+
+func init() {
+ jwtSecret = []byte(os.Getenv("ALBATROSS_JWT_SECRET"))
+ if len(jwtSecret) == 0 {
+ panic("ALBATROSS_JWT_SECRET is not set")
+ }
+}
+
 type JWTClaims struct {
 UserID int `json:"user_id"`
 Username string `json:"username"`
@@ -30,7 +42,7 @@ func NewJWT(user *db.User) (string, error) {
 },
 }
 token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
- return token.SignedString([]byte("TODO"))
+ return token.SignedString(jwtSecret)
 }
 func NewAnonymousJWT() (string, error) {
@@ -38,7 +50,7 @@ func NewAnonymousJWT() (string, error) {
 ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Minute * 5)),
 }
 token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
- return token.SignedString([]byte("TODO"))
+ return token.SignedString(jwtSecret)
 }
 func NewShortLivedJWT(claims *JWTClaims) (string, error) {
@@ -53,13 +65,13 @@ func NewShortLivedJWT(claims *JWTClaims) (string, error) {
 },
 }
 token := jwt.NewWithClaims(jwt.SigningMethodHS256, newClaims)
- return token.SignedString([]byte("TODO"))
+ return token.SignedString(jwtSecret)
 }
 func ParseJWT(token string) (*JWTClaims, error) {
 claims := new(JWTClaims)
 t, err := jwt.ParseWithClaims(token, claims, func(*jwt.Token) (interface{}, error) {
- return []byte("TODO"), nil
+ return jwtSecret, nil
 })
 if err != nil {
 return nil, err
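Review bot: The new init() accepts any non-empty ALBATROSS_JWT_SECRET, so a one-byte value passes while HS256 is only as strong as the key and wants at least 32 bytes of it; consider `if len(jwtSecret) < 32 { panic("ALBATROSS_JWT_SECRET must be at least 32 bytes") }`, and the same applies to the `jwtSecret == ""` check added in worker/main.go. The keyfunc in ParseJWT returns jwtSecret without looking at the token it is handed, so it is worth pinning the algorithm by passing `jwt.WithValidMethods([]string{jwt.SigningMethodHS256.Alg()})` as an extra argument to jwt.ParseWithClaims, so a token carrying any other `alg` is rejected before the key is ever used. Panicking from a package init() also means every binary and test that imports the auth package needs the variable set; a lazily-checked accessor or a `log.Fatal` in main, as the worker does, would keep the failure mode consistent between the two programs. ParseJWT's body continues past the end of the hunk.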
diff --git a/backend/main.go b/backend/main.go
index c01394b..3296957 100644
--- a/backend/main.go
+++ b/backend/main.go
@@ -89,10 +89,10 @@ func main() {
 // For local dev: This is never used in production because the reverse
 // proxy sends /login and /logout to the app server.
- e.GET("/login", func(c echo.Context) error {
+ e.GET("/iosdc-japan/2024/code-battle/login", func(c echo.Context) error {
 return c.Redirect(http.StatusPermanentRedirect, "http://localhost:5173/iosdc-japan/2024/code-battle/login")
 })
- e.POST("/logout", func(c echo.Context) error {
+ e.POST("/iosdc-japan/2024/code-battle/logout", func(c echo.Context) error {
 return c.Redirect(http.StatusPermanentRedirect, "http://localhost:5173/iosdc-japan/2024/code-battle/logout")
 })
diff --git a/compose.local.yaml b/compose.local.yaml
index 883d640..cfcb41e 100644
--- a/compose.local.yaml
+++ b/compose.local.yaml
@@ -15,6 +15,7 @@ services:
 ALBATROSS_DB_USER: postgres
 ALBATROSS_DB_PASSWORD: eepei5reesoo0ov2ceelahd4Emi0au8ahJa6oochohheiquahweihoovahsee1oo
 ALBATROSS_DB_NAME: albatross
+ env_file: [.env]
 restart: always
 db:
@@ -50,6 +51,7 @@ services:
 context: ./worker
 expose:
 - 80
+ env_file: [.env]
 restart: always
 tools:
diff --git a/compose.prod.yaml b/compose.prod.yaml
index c4e1b40..07ff19e 100644
--- a/compose.prod.yaml
+++ b/compose.prod.yaml
@@ -26,6 +26,7 @@ services:
 ALBATROSS_DB_USER: postgres
 ALBATROSS_DB_PASSWORD: eepei5reesoo0ov2ceelahd4Emi0au8ahJa6oochohheiquahweihoovahsee1oo
 ALBATROSS_DB_NAME: albatross
+ env_file: [.env]
 restart: always
 app-server:
@@ -35,6 +36,7 @@ services:
 ALBATROSS_HOST: localhost
 expose:
 - 80
+ env_file: [.env]
 restart: always
 db:
@@ -70,6 +72,7 @@ services:
 context: ./worker
 expose:
 - 80
+ env_file: [.env]
 restart: always
 volumes:
diff --git a/frontend/app/.server/session.ts b/frontend/app/.server/session.ts
index 102bcd2..4730305 100644
--- a/frontend/app/.server/session.ts
+++ b/frontend/app/.server/session.ts
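Review bot: The ALBATROSS_DB_PASSWORD literal remains committed in plaintext in both compose.local.yaml and compose.prod.yaml (it is the context line right above each new `env_file: [.env]`), while the JWT and cookie secrets are moved into the git-ignored .env; for compose.prod.yaml at least, the database password should follow the same route, e.g. `ALBATROSS_DB_PASSWORD: ${ALBATROSS_DB_PASSWORD}` with the value supplied from .env, and .env.example extended accordingly. In compose.local.yaml env_file is added only to the two services shown, so if the local stack also runs the app-server it presumably starts without ALBATROSS_COOKIE_SECRET and relies on the `"local"` fallback in session.ts; if that is deliberate, a one-line comment next to the first local `env_file` saying so would stop a reader from adding it everywhere.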
@@ -4,9 +4,8 @@ export const cookieOptions = {
 sameSite: "lax" as const,
 path: "/",
 httpOnly: true,
- // secure: process.env.NODE_ENV === "production",
- secure: false, // TODO
- secrets: ["TODO"],
+ secure: process.env.NODE_ENV === "production",
+ secrets: [process.env.ALBATROSS_COOKIE_SECRET ?? "local"],
 };
 export const sessionStorage = createCookieSessionStorage({
diff --git a/frontend/app/root.tsx b/frontend/app/root.tsx
index 57f1a10..054474a 100644
--- a/frontend/app/root.tsx
+++ b/frontend/app/root.tsx
@@ -9,7 +9,7 @@ import {
 import "./tailwind.css";
 export const links: LinksFunction = () => [
- { rel: "icon", href: "/favicon.svg" },
+ { rel: "icon", href: "/iosdc-japan/2024/code-battle/favicon.svg" },
 ];
 export function Layout({ children }: { children: React.ReactNode }) {
diff --git a/worker/main.go b/worker/main.go
index 8134a56..ac65305 100644
--- a/worker/main.go
+++ b/worker/main.go
@@ -3,6 +3,7 @@ package main
 import (
 "log"
 "net/http"
+ "os"
 echojwt "github.com/labstack/echo-jwt/v4"
 "github.com/labstack/echo/v4"
@@ -10,6 +11,11 @@ import (
 )
 func main() {
+ jwtSecret := os.Getenv("ALBATROSS_JWT_SECRET")
+ if jwtSecret == "" {
+ log.Fatal("ALBATROSS_JWT_SECRET is not set")
+ }
+
 if err := prepareDirectories(); err != nil {
 log.Fatal(err)
 }
@@ -20,7 +26,7 @@ func main() {
 e.Use(middleware.Recover())
 e.Use(echojwt.WithConfig(echojwt.Config{
- SigningKey: []byte("TODO"),
+ SigningKey: []byte(jwtSecret),
 }))
 e.POST("/api/swiftc", handleSwiftCompile) |
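Review bot: `secrets: [process.env.ALBATROSS_COOKIE_SECRET ?? "local"]` silently falls back to a constant that is committed to the repository, so a production deployment that forgets to supply the variable signs session cookies with a publicly known key and nothing fails loudly — the opposite of the Go side, which refuses to start without ALBATROSS_JWT_SECRET. Suggest resolving the secret once and failing at startup when the fallback would be used in production: `const cookieSecret = process.env.ALBATROSS_COOKIE_SECRET;` then `if (!cookieSecret && process.env.NODE_ENV === "production") throw new Error("ALBATROSS_COOKIE_SECRET is not set");` and `secrets: [cookieSecret ?? "local"]`. The cookieOptions object begins before the hunk's first line.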
