2 changes: 1 addition & 1 deletion .env.local
@@ -1,7 +1,7 @@
DATABASE_URL=sqlite://storage/database/data.db?mode=rwc
TORRUST_INDEX_CONFIG=
TORRUST_INDEX_AUTH_SECRET_KEY=MaxVerstappenWC2021
USER_ID=1000
TORRUST_TRACKER_CONFIG=
TORRUST_TRACKER_DATABASE_DRIVER=sqlite3
TORRUST_TRACKER_API_ADMIN_TOKEN=MyAccessToken
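Review bot: `TORRUST_INDEX_AUTH_SECRET_KEY=MaxVerstappenWC2021` commits a fixed secret to the repository, and the same literal is reused in the README, `compose.yaml` and `docs/containers.md` changes in this PR, so anyone who copies this file runs with a key that is public. Add a comment line above it marking the value as a development-only sample, or leave the variable out of `.env.local` and have developers generate their own.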

5 changes: 4 additions & 1 deletion README.md
Expand Up @@ -93,13 +93,16 @@ _Optionally, you may choose to supply the entire configuration as an environment
TORRUST_INDEX_CONFIG=$(cat "./storage/index/etc/index.toml") cargo run
```

_For deployment, you __should__ override the `tracker_api_token` by using an environmental variable:_
_For deployment, you __should__ override:

- The `tracker_api_token` and the `index_auth_secret_key` by using environmental variables:_

```sh
# Please use the secret that you generated for the torrust-tracker configuration.
# Override secret in configuration using an environmental variable
TORRUST_INDEX_CONFIG=$(cat "./storage/index/etc/index.toml") \
TORRUST_INDEX_TRACKER_API_TOKEN=$(cat "./storage/tracker/lib/tracker_api_admin_token.secret") \
TORRUST_INDEX_AUTH_SECRET_KEY="MaxVerstappenWC2021" \
cargo run
```
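Review bot: in the deployment example, `TORRUST_INDEX_AUTH_SECRET_KEY="MaxVerstappenWC2021"` shows the sample key as a literal under text that tells operators what they should override, while the line above it reads the tracker token from a `.secret` file. Read the auth key from a file in the same way, or use an obvious placeholder, so the example cannot be pasted into a deployment with the published value. Also, the italic opened at `_For deployment, you __should__ override:` now closes only after the list item, across a blank line, and the first comment in the block (`# Please use the secret that you generated for the torrust-tracker configuration.`) describes only the tracker token.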

1 change: 1 addition & 0 deletions compose.yaml
Expand Up @@ -13,6 +13,7 @@ services:
- TORRUST_INDEX_DATABASE=${TORRUST_INDEX_DATABASE:-e2e_testing_sqlite3}
- TORRUST_INDEX_DATABASE_DRIVER=${TORRUST_INDEX_DATABASE_DRIVER:-sqlite3}
- TORRUST_INDEX_TRACKER_API_TOKEN=${TORRUST_INDEX_TRACKER_API_TOKEN:-MyAccessToken}
- TORRUST_INDEX_AUTH_SECRET_KEY=${TORRUST_INDEX_AUTH_SECRET_KEY:-MaxVerstappenWC2021}
networks:
- server_side
ports:
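Review bot: `${TORRUST_INDEX_AUTH_SECRET_KEY:-MaxVerstappenWC2021}` falls back silently to the published sample key whenever the variable is unset or empty, so a stack started from this file without the variable runs with a known secret. If this compose file is only meant for e2e testing, say so in a comment next to the defaults; otherwise use the `${TORRUST_INDEX_AUTH_SECRET_KEY:?...}` form so startup fails when the key is missing.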
1 change: 1 addition & 0 deletions contrib/dev-tools/container/e2e/sqlite/e2e-env-up.sh
Expand Up @@ -8,6 +8,7 @@ USER_ID=${USER_ID:-1000} \
TORRUST_INDEX_DATABASE="e2e_testing_sqlite3" \
TORRUST_INDEX_DATABASE_DRIVER="sqlite3" \
TORRUST_INDEX_TRACKER_API_TOKEN="MyAccessToken" \
TORRUST_INDEX_AUTH_SECRET_KEY="MaxVerstappenWC2021" \
TORRUST_TRACKER_CONFIG=$(cat ./share/default/config/tracker.e2e.container.sqlite3.toml) \
TORRUST_TRACKER_DATABASE="e2e_testing_sqlite3" \
TORRUST_TRACKER_DATABASE_DRIVER="sqlite3" \
27 changes: 19 additions & 8 deletions docs/containers.md
@@ -1,10 +1,10 @@
# Containers (Docker or Podman)

## Demo environment

It is simple to setup the index with the default
configuration and run it using the pre-built public docker image:


With Docker:

```sh
Expand All @@ -17,11 +17,12 @@ or with Podman:
podman run -it torrust/index:latest
```


## Requirements

- Tested with recent versions of Docker or Podman.

## Volumes

The [Containerfile](../Containerfile) (i.e. the Dockerfile) Defines Three Volumes:

```Dockerfile
Expand All @@ -38,19 +39,22 @@ When instancing the container image with the `docker run` or `podman run` comman

> NOTE: You can adjust this mapping for your preference, however this mapping is the default in our guides and scripts.

### Pre-Create Host-Mapped Folders:
### Pre-Create Host-Mapped Folders

Please run this command where you wish to run the container:

```sh
mkdir -p ./storage/index/lib/ ./storage/index/log/ ./storage/index/etc/
```

### Matching Ownership ID's of Host Storage and Container Volumes

It is important that the `torrust` user has the same uid `$(id -u)` as the host mapped folders. In our [entry script](../share/container/entry_script_sh), installed to `/usr/local/bin/entry.sh` inside the container, switches to the `torrust` user created based upon the `USER_UID` environmental variable.

When running the container, you may use the `--env USER_ID="$(id -u)"` argument that gets the current user-id and passes to the container.

### Mapped Tree Structure

Using the standard mapping defined above produces this following mapped tree:

```s
Expand Down Expand Up @@ -78,6 +82,7 @@ git clone https://github.com/torrust/torrust-index.git; cd torrust-index
```

### (Docker) Setup Context

Before starting, if you are using docker, it is helpful to reset the context to the default:

```sh
Expand Down Expand Up @@ -107,6 +112,7 @@ podman build --target debug --tag torrust-index:debug --file Containerfile .
## Running the Container

### Basic Run

No arguments are needed for simply checking the container image works:

#### (Docker) Run Basic
Expand All @@ -118,6 +124,7 @@ docker run -it torrust-index:release
# Debug Mode
docker run -it torrust-index:debug
```

#### (Podman) Run Basic

```sh
Expand All @@ -129,24 +136,27 @@ podman run -it torrust-index:debug
```

### Arguments

The arguments need to be placed before the image tag. i.e.

`run [arguments] torrust-index:release`

#### Environmental Variables:

Environmental variables are loaded through the `--env`, in the format `--env VAR="value"`.

The following environmental variables can be set:

- `TORRUST_INDEX_PATH_CONFIG` - The in-container path to the index configuration file, (default: `"/etc/torrust/index/index.toml"`).
- `TORRUST_INDEX_TRACKER_API_TOKEN` - Override of the admin token. If set, this value overrides any value set in the config.
- `TORRUST_INDEX_AUTH_SECRET_KEY` - Override of the auth secret key. If set, this value overrides any value set in the config.
- `TORRUST_INDEX_DATABASE_DRIVER` - The database type used for the container, (options: `sqlite3`, `mysql`, default `sqlite3`). Please Note: This dose not override the database configuration within the `.toml` config file.
- `TORRUST_INDEX_CONFIG` - Load config from this environmental variable instead from a file, (i.e: `TORRUST_INDEX_CONFIG=$(cat index-index.toml)`).
- `USER_ID` - The user id for the runtime crated `torrust` user. Please Note: This user id should match the ownership of the host-mapped volumes, (default `1000`).
- `API_PORT` - The port for the index API. This should match the port used in the configuration, (default `3001`).


### Sockets

Socket ports used internally within the container can be mapped to with the `--publish` argument.

The format is: `--publish [optional_host_ip]:[host_port]:[container_port]/[optional_protocol]`, for example: `--publish 127.0.0.1:8080:80/tcp`.
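Review bot: the new `TORRUST_INDEX_AUTH_SECRET_KEY` bullet only says it is an "Override of the auth secret key" and does not tell the operator what the key protects or that the value in the shipped configuration has to be replaced for a real deployment. Add one sentence on its purpose and on choosing a long random value. While this list is being edited, `dose not` and `crated` in the neighbouring bullets could be corrected too.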
Expand All @@ -159,8 +169,9 @@ The default ports can be mapped with the following:

> NOTE: Inside the container it is necessary to expose a socket with the wildcard address `0.0.0.0` so that it may be accessible from the host. Verify that the configuration that the sockets are wildcard.

### Volumes
By default the container will use install volumes for `/var/lib/torrust/index`, `/var/log/torrust/index`, and `/etc/torrust/index`, however for better administration it good to make these volumes host-mapped.
### Mapped Volumes

By default the container will install volumes for `/var/lib/torrust/index`, `/var/log/torrust/index`, and `/etc/torrust/index`, however for better administration it good to make these volumes host-mapped.

The argument to host-map volumes is `--volume`, with the format: `--volume=[host-src:]container-dest[:<options>]`.
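Review bot: the rewritten sentence under `### Mapped Volumes` still reads `it good to make these volumes host-mapped`; it is missing `is`.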

Expand All @@ -172,10 +183,9 @@ The default mapping can be supplied with the following arguments:
--volume ./storage/index/etc:/etc/torrust/index:Z \
```


Please not the `:Z` at the end of the podman `--volume` mapping arguments, this is to give read-write permission on SELinux enabled systemd, if this doesn't work on your system, you can use `:rw` instead.

## Complete Example:
## Complete Example

### With Docker

Expand All @@ -192,6 +202,7 @@ mkdir -p ./storage/index/lib/ ./storage/index/log/ ./storage/index/etc/
## Run Torrust Index Container Image
docker run -it \
--env TORRUST_INDEX_TRACKER_API_TOKEN="MySecretToken" \
--env TORRUST_INDEX_AUTH_SECRET_KEY="MaxVerstappenWC2021" \
--env USER_ID="$(id -u)" \
--publish 0.0.0.0:3001:3001/tcp \
--volume ./storage/index/lib:/var/lib/torrust/index:Z \
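Review bot: `--env TORRUST_INDEX_AUTH_SECRET_KEY="MaxVerstappenWC2021"` in the complete example puts the secret on the command line, where it lands in shell history and is visible in the process list, and it repeats the sample key. Prefer exporting the variable first and passing it by name (`--env TORRUST_INDEX_AUTH_SECRET_KEY`) or using `--env-file`, and show a placeholder value as the token line above does with `MySecretToken`.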
8 changes: 4 additions & 4 deletions share/default/config/index.container.mysql.toml
@@ -1,12 +1,12 @@
# Please override the following settings with environmental variable!
# tracker::token -> `TORRUST_INDEX_TRACKER_API_TOKEN`
# auth::secret_key -> `TORRUST_INDEX_AUTH_SECRET_KEY`

log_level = "info"

[website]
name = "Torrust"

# Please override the tracker token setting the
# `TORRUST_INDEX_TRACKER_API_TOKEN`
# environmental variable!

[tracker]
url = "udp://tracker:6969"
mode = "Public"
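Review bot: the new header comment uses Rust path notation (`tracker::token`, `auth::secret_key`) in a TOML file and is no longer next to the `[tracker]` section it used to sit above, so someone editing that section does not see the reminder. Name the settings as TOML keys (for example `tracker.token`, `auth.secret_key`) and fix the wording to "environmental variables". The same header is added to the other two configuration files in this PR.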
8 changes: 4 additions & 4 deletions share/default/config/index.e2e.container.mysql.toml
@@ -1,12 +1,12 @@
# Please override the following settings with environmental variable!
# tracker::token -> `TORRUST_INDEX_TRACKER_API_TOKEN`
# auth::secret_key -> `TORRUST_INDEX_AUTH_SECRET_KEY`

log_level = "info"

[website]
name = "Torrust"

# Please override the tracker token setting the
# `TORRUST_INDEX_TRACKER_API_TOKEN`
# environmental variable!

[tracker]
url = "udp://tracker:6969"
mode = "Public"
8 changes: 4 additions & 4 deletions share/default/config/index.e2e.container.sqlite3.toml
@@ -1,12 +1,12 @@
# Please override the following settings with environmental variable!
# tracker::token -> `TORRUST_INDEX_TRACKER_API_TOKEN`
# auth::secret_key -> `TORRUST_INDEX_AUTH_SECRET_KEY`

log_level = "info"

[website]
name = "Torrust"

# Please override the tracker token setting the
# `TORRUST_INDEX_TRACKER_API_TOKEN`
# environmental variable!

[tracker]
url = "udp://tracker:6969"
mode = "Public"
4 changes: 4 additions & 0 deletions src/bootstrap/config.rs
Expand Up @@ -13,6 +13,9 @@ const ENV_VAR_CONFIG: &str = "TORRUST_INDEX_CONFIG";
/// Token needed to communicate with the Torrust Tracker
const ENV_VAR_API_ADMIN_TOKEN: &str = "TORRUST_INDEX_TRACKER_API_TOKEN";

/// Secret key used to encrypt and decrypt
const ENV_VAR_AUTH_SECRET_KEY: &str = "TORRUST_INDEX_AUTH_SECRET_KEY";

/// The `index.toml` file location.
pub const ENV_VAR_PATH_CONFIG: &str = "TORRUST_INDEX_PATH_CONFIG";
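Review bot: the doc comment on `ENV_VAR_AUTH_SECRET_KEY`, `/// Secret key used to encrypt and decrypt`, stops without an object. State what is encrypted or signed with this key so a reader of the constant knows the impact of leaving it at the sample value.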

Expand Down Expand Up @@ -44,6 +47,7 @@ pub fn initialize_configuration() -> Configuration {
ENV_VAR_PATH_CONFIG.to_string(),
DEFAULT_PATH_CONFIG.to_string(),
ENV_VAR_API_ADMIN_TOKEN.to_string(),
ENV_VAR_AUTH_SECRET_KEY.to_string(),
)
.unwrap();

28 changes: 25 additions & 3 deletions src/config.rs
Expand Up @@ -15,6 +15,7 @@ use torrust_index_located_error::{Located, LocatedError};
pub struct Info {
index_toml: String,
tracker_api_token: Option<String>,
auth_secret_key: Option<String>,
}

impl Info {
Expand All @@ -24,8 +25,8 @@ impl Info {
///
/// ```no_run
/// # use torrust_index::config::Info;
/// # let (env_var_config, env_var_path_config, default_path_config, env_var_tracker_api_token) = ("".to_string(), "".to_string(), "".to_string(), "".to_string());
/// let result = Info::new(env_var_config, env_var_path_config, default_path_config, env_var_tracker_api_token);
/// # let (env_var_config, env_var_path_config, default_path_config, env_var_tracker_api_token, env_var_auth_secret_key) = ("".to_string(), "".to_string(), "".to_string(), "".to_string(), "".to_string());
/// let result = Info::new(env_var_config, env_var_path_config, default_path_config, env_var_tracker_api_token, env_var_auth_secret_key);
/// ```
///
/// # Errors
Expand All @@ -38,6 +39,7 @@ impl Info {
env_var_path_config: String,
default_path_config: String,
env_var_tracker_api_token: String,
env_var_auth_secret_key: String,
) -> Result<Self, Error> {
let index_toml = if let Ok(index_toml) = env::var(&env_var_config) {
println!("Loading configuration from env var {env_var_config} ...");
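Review bot: `Info::new` now takes five consecutive `String` parameters, and `env_var_tracker_api_token` and `env_var_auth_secret_key` are adjacent, so a call site that swaps them compiles and silently loads the tracker token as the auth key. Consider a small struct with named fields for the environment variable names, or at least a test that sets both variables to different values and checks that each lands in the right field.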
Expand All @@ -61,11 +63,14 @@ impl Info {
.parse()
.map_err(|_e: std::convert::Infallible| Error::Infallible)?
};

let tracker_api_token = env::var(env_var_tracker_api_token).ok();
let auth_secret_key = env::var(env_var_auth_secret_key).ok();

Ok(Self {
index_toml,
tracker_api_token,
auth_secret_key,
})
}
}
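Review bot: `env::var(env_var_auth_secret_key).ok()` returns `Some("")` when the variable is set but empty, and that value later replaces the configured key, leaving the index with an empty secret; `.ok()` also hides the non-Unicode error case. Filter out empty values before storing them, for example `.ok().filter(|key| !key.is_empty())`, or return an `Error` for an empty or invalid key.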
Expand Down Expand Up @@ -239,6 +244,12 @@ impl Default for Auth {
}
}

impl Auth {
fn override_secret_key(&mut self, secret_key: &str) {
self.secret_key = secret_key.to_string();
}
}

/// Database configuration.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct Database {
Expand Down Expand Up @@ -390,6 +401,10 @@ impl TorrustIndex {
self.tracker.override_tracker_api_token(tracker_api_token);
}

fn override_auth_secret_key(&mut self, auth_secret_key: &str) {
self.auth.override_secret_key(auth_secret_key);
}

pub fn remove_secrets(&mut self) {
self.tracker.token = "***".to_owned();
self.database.connect_url = "***".to_owned();
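Review bot: `override_auth_secret_key` is added directly above `remove_secrets`, whose visible lines mask `tracker.token` and `database.connect_url`; the rest of the function is outside this hunk. Please confirm that `auth.secret_key` is masked there as well, so the overridden key is not returned wherever the redacted configuration is exposed.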
Expand Down Expand Up @@ -457,7 +472,10 @@ impl Configuration {
/// Loads the configuration from the `Info` struct. The whole
/// configuration in toml format is included in the `info.index_toml` string.
///
/// Optionally will override the tracker api token.
/// Optionally will override the:
///
/// - Tracker api token.
/// - The auth secret key.
///
/// # Errors
///
Expand All @@ -472,6 +490,10 @@ impl Configuration {
index_config.override_tracker_api_token(token);
};

if let Some(ref secret_key) = info.auth_secret_key {
index_config.override_auth_secret_key(secret_key);
};

Ok(Configuration {
settings: RwLock::new(index_config),
config_path: None,
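Review bot: none of the hunks shown for this file adds a test for the new branch `if let Some(ref secret_key) = info.auth_secret_key`. Add a unit test that builds an `Info` with `auth_secret_key: Some(...)`, loads the configuration, and asserts that the resulting secret key equals the override, mirroring whatever covers the tracker token override.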
4 changes: 4 additions & 0 deletions tests/e2e/config.rs
Expand Up @@ -14,6 +14,9 @@ const ENV_VAR_CONFIG: &str = "TORRUST_INDEX_E2E_CONFIG";
/// Token needed to communicate with the Torrust Tracker
const ENV_VAR_API_ADMIN_TOKEN: &str = "TORRUST_INDEX_E2E_TRACKER_API_TOKEN";

/// Secret key used to encrypt and decrypt
const ENV_VAR_AUTH_SECRET_KEY: &str = "TORRUST_INDEX_E2E_AUTH_SECRET_KEY";

/// The `index.toml` file location.
pub const ENV_VAR_PATH_CONFIG: &str = "TORRUST_INDEX_E2E_PATH_CONFIG";
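Review bot: the e2e constant is `TORRUST_INDEX_E2E_AUTH_SECRET_KEY`, but the script and compose file changed in this PR only set `TORRUST_INDEX_AUTH_SECRET_KEY` for the container. If any e2e test depends on the test-side key matching the running index, document that both variables have to be set to the same value. The doc comment here has the same unfinished sentence (`used to encrypt and decrypt`) as in `src/bootstrap/config.rs`.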

Expand Down Expand Up @@ -48,6 +51,7 @@ pub fn initialize_configuration() -> Configuration {
ENV_VAR_PATH_CONFIG.to_string(),
DEFAULT_PATH_CONFIG.to_string(),
ENV_VAR_API_ADMIN_TOKEN.to_string(),
ENV_VAR_AUTH_SECRET_KEY.to_string(),
)
.unwrap();
