init bootstrap
This commit is contained in:
Fran Jurmanović
176
scripts/generate-secrets.ps1
Normal file
176
scripts/generate-secrets.ps1
Normal file
@@ -0,0 +1,176 @@
|
||||
# Bootstrap App - Secret Generation Script
|
||||
# This script generates cryptographically secure secrets for the Bootstrap App
|
||||
|
||||
Write-Host "Bootstrap App - Secret Generation Script" -ForegroundColor Green
|
||||
Write-Host "=========================================" -ForegroundColor Green
|
||||
Write-Host ""
|
||||
|
||||
# Function to generate random bytes and convert to hex
|
||||
function Generate-HexString {
|
||||
param([int]$Length)
|
||||
$bytes = New-Object byte[] $Length
|
||||
$rng = [System.Security.Cryptography.RNGCryptoServiceProvider]::new()
|
||||
$rng.GetBytes($bytes)
|
||||
$rng.Dispose()
|
||||
return [System.BitConverter]::ToString($bytes) -replace '-', ''
|
||||
}
|
||||
|
||||
# Function to generate random bytes and convert to base64
|
||||
function Generate-Base64String {
|
||||
param([int]$Length)
|
||||
$bytes = New-Object byte[] $Length
|
||||
$rng = [System.Security.Cryptography.RNGCryptoServiceProvider]::new()
|
||||
$rng.GetBytes($bytes)
|
||||
$rng.Dispose()
|
||||
return [System.Convert]::ToBase64String($bytes)
|
||||
}
|
||||
|
||||
# Generate secrets
|
||||
Write-Host "Generating cryptographically secure secrets..." -ForegroundColor Yellow
|
||||
Write-Host ""
|
||||
|
||||
$jwtSecret = Generate-Base64String -Length 64
|
||||
$appSecret = Generate-HexString -Length 32
|
||||
$appSecretCode = Generate-HexString -Length 32
|
||||
$encryptionKey = Generate-HexString -Length 16
|
||||
|
||||
# Display generated secrets
|
||||
Write-Host "Generated Secrets:" -ForegroundColor Cyan
|
||||
Write-Host "==================" -ForegroundColor Cyan
|
||||
Write-Host ""
|
||||
Write-Host "JWT_SECRET=" -NoNewline -ForegroundColor White
|
||||
Write-Host $jwtSecret -ForegroundColor Yellow
|
||||
Write-Host ""
|
||||
Write-Host "APP_SECRET=" -NoNewline -ForegroundColor White
|
||||
Write-Host $appSecret -ForegroundColor Yellow
|
||||
Write-Host ""
|
||||
Write-Host "APP_SECRET_CODE=" -NoNewline -ForegroundColor White
|
||||
Write-Host $appSecretCode -ForegroundColor Yellow
|
||||
Write-Host ""
|
||||
Write-Host "ENCRYPTION_KEY=" -NoNewline -ForegroundColor White
|
||||
Write-Host $encryptionKey -ForegroundColor Yellow
|
||||
Write-Host ""
|
||||
|
||||
# Check if .env file exists
|
||||
$envFile = ".env"
|
||||
$envExists = Test-Path $envFile
|
||||
|
||||
if ($envExists) {
|
||||
Write-Host "Warning: .env file already exists!" -ForegroundColor Red
|
||||
$overwrite = Read-Host "Do you want to update it with new secrets? (y/N)"
|
||||
if ($overwrite -eq "y" -or $overwrite -eq "Y") {
|
||||
$updateFile = $true
|
||||
} else {
|
||||
$updateFile = $false
|
||||
Write-Host "Secrets generated but not written to file." -ForegroundColor Yellow
|
||||
}
|
||||
} else {
|
||||
$createFile = Read-Host "Create .env file with these secrets? (Y/n)"
|
||||
if ($createFile -eq "" -or $createFile -eq "y" -or $createFile -eq "Y") {
|
||||
$updateFile = $true
|
||||
} else {
|
||||
$updateFile = $false
|
||||
Write-Host "Secrets generated but not written to file." -ForegroundColor Yellow
|
||||
}
|
||||
}
|
||||
|
||||
if ($updateFile) {
|
||||
# Create or update .env file
|
||||
if ($envExists) {
|
||||
# Backup existing file
|
||||
$backupFile = ".env.backup." + (Get-Date -Format "yyyyMMdd-HHmmss")
|
||||
Copy-Item $envFile $backupFile
|
||||
Write-Host "Backed up existing .env to $backupFile" -ForegroundColor Green
|
||||
|
||||
# Read existing content and update secrets
|
||||
$content = Get-Content $envFile
|
||||
$newContent = @()
|
||||
|
||||
foreach ($line in $content) {
|
||||
if ($line -match "^JWT_SECRET=") {
|
||||
$newContent += "JWT_SECRET=$jwtSecret"
|
||||
} elseif ($line -match "^APP_SECRET=") {
|
||||
$newContent += "APP_SECRET=$appSecret"
|
||||
} elseif ($line -match "^APP_SECRET_CODE=") {
|
||||
$newContent += "APP_SECRET_CODE=$appSecretCode"
|
||||
} elseif ($line -match "^ENCRYPTION_KEY=") {
|
||||
$newContent += "ENCRYPTION_KEY=$encryptionKey"
|
||||
} else {
|
||||
$newContent += $line
|
||||
}
|
||||
}
|
||||
|
||||
$newContent | Out-File -FilePath $envFile -Encoding UTF8
|
||||
Write-Host "Updated .env file with new secrets" -ForegroundColor Green
|
||||
} else {
|
||||
# Create new .env file from template
|
||||
if (Test-Path ".env.example") {
|
||||
$template = Get-Content ".env.example"
|
||||
$newContent = @()
|
||||
|
||||
foreach ($line in $template) {
|
||||
if ($line -match "^JWT_SECRET=") {
|
||||
$newContent += "JWT_SECRET=$jwtSecret"
|
||||
} elseif ($line -match "^APP_SECRET=") {
|
||||
$newContent += "APP_SECRET=$appSecret"
|
||||
} elseif ($line -match "^APP_SECRET_CODE=") {
|
||||
$newContent += "APP_SECRET_CODE=$appSecretCode"
|
||||
} elseif ($line -match "^ENCRYPTION_KEY=") {
|
||||
$newContent += "ENCRYPTION_KEY=$encryptionKey"
|
||||
} else {
|
||||
$newContent += $line
|
||||
}
|
||||
}
|
||||
|
||||
$newContent | Out-File -FilePath $envFile -Encoding UTF8
|
||||
Write-Host "Created .env file from template with generated secrets" -ForegroundColor Green
|
||||
} else {
|
||||
# Create minimal .env file
|
||||
$minimalEnv = @(
|
||||
"# Bootstrap App Environment Configuration",
|
||||
"# Generated on $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')",
|
||||
"",
|
||||
"# CRITICAL SECURITY SETTINGS (REQUIRED)",
|
||||
"JWT_SECRET=$jwtSecret",
|
||||
"APP_SECRET=$appSecret",
|
||||
"APP_SECRET_CODE=$appSecretCode",
|
||||
"ENCRYPTION_KEY=$encryptionKey",
|
||||
"",
|
||||
"# CORE APPLICATION SETTINGS",
|
||||
"DB_NAME=app.db",
|
||||
"PORT=3000",
|
||||
"CORS_ALLOWED_ORIGIN=http://localhost:5173",
|
||||
"DEFAULT_ADMIN_PASSWORD=change-this-password"
|
||||
)
|
||||
|
||||
$minimalEnv | Out-File -FilePath $envFile -Encoding UTF8
|
||||
Write-Host "Created minimal .env file with generated secrets" -ForegroundColor Green
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Write-Host ""
|
||||
Write-Host "Security Notes:" -ForegroundColor Red
|
||||
Write-Host "===============" -ForegroundColor Red
|
||||
Write-Host "1. Keep these secrets secure and never commit them to version control" -ForegroundColor Yellow
|
||||
Write-Host "2. Use different secrets for each environment (dev, staging, production)" -ForegroundColor Yellow
|
||||
Write-Host "3. Rotate secrets regularly in production environments" -ForegroundColor Yellow
|
||||
Write-Host "4. The ENCRYPTION_KEY is exactly 32 characters as required for AES-256" -ForegroundColor Yellow
|
||||
Write-Host "5. Change the DEFAULT_ADMIN_PASSWORD immediately after first login" -ForegroundColor Yellow
|
||||
Write-Host ""
|
||||
|
||||
# Verify encryption key length
|
||||
if ($encryptionKey.Length -eq 32) { # 32 characters = 32 bytes when converted to []byte in Go
|
||||
Write-Host "✓ Encryption key length verified (32 characters = 32 bytes for AES-256)" -ForegroundColor Green
|
||||
} else {
|
||||
Write-Host "✗ Warning: Encryption key length is incorrect! Got $($encryptionKey.Length) chars, expected 32" -ForegroundColor Red
|
||||
}
|
||||
|
||||
Write-Host ""
|
||||
Write-Host "Next steps:" -ForegroundColor Cyan
|
||||
Write-Host "1. Review and customize the .env file if needed" -ForegroundColor White
|
||||
Write-Host "2. Build and run the application: go run cmd/api/main.go" -ForegroundColor White
|
||||
Write-Host "3. Change the default admin password on first login" -ForegroundColor White
|
||||
Write-Host "4. Access the API documentation at: http://localhost:3000/swagger/" -ForegroundColor White
|
||||
Write-Host ""
|
||||
Write-Host "Happy coding! 🚀" -ForegroundColor Green
|
||||
Reference in New Issue
Block a user