Updates to environment and initialization logic (#5683)

* fix: make TOKEN_HASH_SECRET required and add check on server start

* fix: make EXPRESS_SESSION_SECRET required and add check on server start

* fix: make jwt variables required and validate on server start

* fix: formatting

* fix: cypress tests

* fix: remove env file for cypress and refactor

* revert: changes to workflow and env examples

* update: how missing/weak default secrets are handled

* update: how auth secrets are setup and read

* fix: update env examples for docker

* fix: weak defaults list

* fix: weak defaults list

---------

Co-authored-by: yau-wd <yau.ong@workday.com>
Co-authored-by: yau-wd <246233045+yau-wd@users.noreply.github.com>

Author: 0xi4o

docker/.env.example

@@ -4,7 +4,7 @@ PORT=3000
 ############################################## DATABASE ####################################################
 ############################################################################################################
 
-DATABASE_PATH=/root/.flowise
+# DATABASE_PATH=/your_database_path/.flowise
 # DATABASE_TYPE=postgres
 # DATABASE_PORT=5432
 # DATABASE_HOST=""
@@ -21,20 +21,22 @@ DATABASE_PATH=/root/.flowise
 ############################################################################################################
 
 # SECRETKEY_STORAGE_TYPE=local #(local | aws)
-SECRETKEY_PATH=/root/.flowise
+# SECRETKEY_PATH=/your_secret_path/.flowise
 # FLOWISE_SECRETKEY_OVERWRITE=myencryptionkey # (if you want to overwrite the secret key)
 # SECRETKEY_AWS_ACCESS_KEY=<your-access-key>
 # SECRETKEY_AWS_SECRET_KEY=<your-secret-key>
 # SECRETKEY_AWS_REGION=us-west-2
 # SECRETKEY_AWS_NAME=FlowiseEncryptionKey
+# SECRETKEY_AWS_AUTH_PREFIX=Flowise # (when SECRETKEY_STORAGE_TYPE=aws, prefix for auth secret names e.g. FlowiseTokenHashSecret)
+# Auth secrets (TOKEN_HASH_SECRET, EXPRESS_SESSION_SECRET, JWT_*) can be set here or left unset to use file/AWS storage
 
 
 ############################################################################################################
 ############################################## LOGGING #####################################################
 ############################################################################################################
 
 # DEBUG=true
-LOG_PATH=/root/.flowise/logs
+# LOG_PATH=/your_log_path/.flowise/logs
 # LOG_LEVEL=info #(error | warn | info | verbose | debug)
 # LOG_SANITIZE_BODY_FIELDS=password,pwd,pass,secret,token,apikey,api_key,accesstoken,access_token,refreshtoken,refresh_token,clientsecret,client_secret,privatekey,private_key,secretkey,secret_key,auth,authorization,credential,credentials
 # LOG_SANITIZE_HEADER_FIELDS=authorization,x-api-key,x-auth-token,cookie
@@ -48,7 +50,7 @@ LOG_PATH=/root/.flowise/logs
 ############################################################################################################
 
 # STORAGE_TYPE=local (local | s3 | gcs)
-BLOB_STORAGE_PATH=/root/.flowise/storage
+# BLOB_STORAGE_PATH=/your_storage_path/.flowise/storage
 # S3_STORAGE_BUCKET_NAME=flowise
 # S3_STORAGE_ACCESS_KEY_ID=<your-access-key>
 # S3_STORAGE_SECRET_ACCESS_KEY=<your-secret-key>
@@ -91,20 +93,29 @@ BLOB_STORAGE_PATH=/root/.flowise/storage
 # ALLOW_UNAUTHORIZED_CERTS=false
 # SENDER_EMAIL=team@example.com
 
-JWT_AUTH_TOKEN_SECRET='AABBCCDDAABBCCDDAABBCCDDAABBCCDDAABBCCDD'
-JWT_REFRESH_TOKEN_SECRET='AABBCCDDAABBCCDDAABBCCDDAABBCCDDAABBCCDD'
-JWT_ISSUER='ISSUER'
-JWT_AUDIENCE='AUDIENCE'
+# Auth secrets: set via env (backwards compat) or leave unset to use file/AWS storage (SECRETKEY_PATH or SECRETKEY_STORAGE_TYPE=aws)
+# Generate a secure 32-byte secret using: openssl rand -hex 32
+# JWT_AUTH_TOKEN_SECRET=
+# JWT_REFRESH_TOKEN_SECRET=
+
+JWT_ISSUER=Flowise
+JWT_AUDIENCE=Flowise
 JWT_TOKEN_EXPIRY_IN_MINUTES=360
 JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=43200
+
 # EXPIRE_AUTH_TOKENS_ON_RESTART=true # (if you need to expire all tokens on app restart)
-# EXPRESS_SESSION_SECRET=flowise
+
+# Generate a secure 32-byte secret using: openssl rand -hex 32 (or leave unset for file/AWS storage)
+# EXPRESS_SESSION_SECRET=
+
 # SECURE_COOKIES=
 
 # INVITE_TOKEN_EXPIRY_IN_HOURS=24
 # PASSWORD_RESET_TOKEN_EXPIRY_IN_MINS=15
 # PASSWORD_SALT_HASH_ROUNDS=10
-# TOKEN_HASH_SECRET='popcorn'
+
+# Generate a secure 32-byte secret using: openssl rand -hex 32 (or leave unset for file/AWS storage)
+# TOKEN_HASH_SECRET=
 
 # WORKSPACE_INVITE_TEMPLATE_PATH=/path/to/custom/workspace_invite.hbs
 
@@ -167,7 +178,6 @@ JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=43200
 # REDIS_KEEP_ALIVE=
 # ENABLE_BULLMQ_DASHBOARD=
 
-
 ############################################################################################################
 ############################################## SECURITY ####################################################
 ############################################################################################################
@@ -176,3 +186,11 @@ JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=43200
 # CUSTOM_MCP_SECURITY_CHECK=true
 # CUSTOM_MCP_PROTOCOL=sse #(stdio | sse)
 # TRUST_PROXY=true #(true | false | 1 | loopback| linklocal | uniquelocal | IP addresses | loopback, IP addresses)
+
+
+############################################################################################################
+########################################### DOCUMENT LOADERS ###############################################
+############################################################################################################
+
+# PUPPETEER_EXECUTABLE_FILE_PATH='C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe'
+# PLAYWRIGHT_EXECUTABLE_FILE_PATH='C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe'

docker/worker/.env.example

@@ -4,7 +4,7 @@ WORKER_PORT=5566
 ############################################## DATABASE ####################################################
 ############################################################################################################
 
-DATABASE_PATH=/root/.flowise
+# DATABASE_PATH=/your_database_path/.flowise
 # DATABASE_TYPE=postgres
 # DATABASE_PORT=5432
 # DATABASE_HOST=""
@@ -21,20 +21,22 @@ DATABASE_PATH=/root/.flowise
 ############################################################################################################
 
 # SECRETKEY_STORAGE_TYPE=local #(local | aws)
-SECRETKEY_PATH=/root/.flowise
+# SECRETKEY_PATH=/your_secret_path/.flowise
 # FLOWISE_SECRETKEY_OVERWRITE=myencryptionkey # (if you want to overwrite the secret key)
 # SECRETKEY_AWS_ACCESS_KEY=<your-access-key>
 # SECRETKEY_AWS_SECRET_KEY=<your-secret-key>
 # SECRETKEY_AWS_REGION=us-west-2
 # SECRETKEY_AWS_NAME=FlowiseEncryptionKey
+# SECRETKEY_AWS_AUTH_PREFIX=Flowise # (when SECRETKEY_STORAGE_TYPE=aws, prefix for auth secret names e.g. FlowiseTokenHashSecret)
+# Auth secrets (TOKEN_HASH_SECRET, EXPRESS_SESSION_SECRET, JWT_*) can be set here or left unset to use file/AWS storage
 
 
 ############################################################################################################
 ############################################## LOGGING #####################################################
 ############################################################################################################
 
 # DEBUG=true
-LOG_PATH=/root/.flowise/logs
+# LOG_PATH=/your_log_path/.flowise/logs
 # LOG_LEVEL=info #(error | warn | info | verbose | debug)
 # LOG_SANITIZE_BODY_FIELDS=password,pwd,pass,secret,token,apikey,api_key,accesstoken,access_token,refreshtoken,refresh_token,clientsecret,client_secret,privatekey,private_key,secretkey,secret_key,auth,authorization,credential,credentials
 # LOG_SANITIZE_HEADER_FIELDS=authorization,x-api-key,x-auth-token,cookie
@@ -48,7 +50,7 @@ LOG_PATH=/root/.flowise/logs
 ############################################################################################################
 
 # STORAGE_TYPE=local (local | s3 | gcs)
-BLOB_STORAGE_PATH=/root/.flowise/storage
+# BLOB_STORAGE_PATH=/your_storage_path/.flowise/storage
 # S3_STORAGE_BUCKET_NAME=flowise
 # S3_STORAGE_ACCESS_KEY_ID=<your-access-key>
 # S3_STORAGE_SECRET_ACCESS_KEY=<your-secret-key>
@@ -91,20 +93,29 @@ BLOB_STORAGE_PATH=/root/.flowise/storage
 # ALLOW_UNAUTHORIZED_CERTS=false
 # SENDER_EMAIL=team@example.com
 
-JWT_AUTH_TOKEN_SECRET='AABBCCDDAABBCCDDAABBCCDDAABBCCDDAABBCCDD'
-JWT_REFRESH_TOKEN_SECRET='AABBCCDDAABBCCDDAABBCCDDAABBCCDDAABBCCDD'
-JWT_ISSUER='ISSUER'
-JWT_AUDIENCE='AUDIENCE'
+# Auth secrets: set via env (backwards compat) or leave unset to use file/AWS storage (SECRETKEY_PATH or SECRETKEY_STORAGE_TYPE=aws)
+# Generate a secure 32-byte secret using: openssl rand -hex 32
+# JWT_AUTH_TOKEN_SECRET=
+# JWT_REFRESH_TOKEN_SECRET=
+
+JWT_ISSUER=Flowise
+JWT_AUDIENCE=Flowise
 JWT_TOKEN_EXPIRY_IN_MINUTES=360
 JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=43200
+
 # EXPIRE_AUTH_TOKENS_ON_RESTART=true # (if you need to expire all tokens on app restart)
-# EXPRESS_SESSION_SECRET=flowise
+
+# Generate a secure 32-byte secret using: openssl rand -hex 32 (or leave unset for file/AWS storage)
+# EXPRESS_SESSION_SECRET=
+
 # SECURE_COOKIES=
 
 # INVITE_TOKEN_EXPIRY_IN_HOURS=24
 # PASSWORD_RESET_TOKEN_EXPIRY_IN_MINS=15
 # PASSWORD_SALT_HASH_ROUNDS=10
-# TOKEN_HASH_SECRET='popcorn'
+
+# Generate a secure 32-byte secret using: openssl rand -hex 32 (or leave unset for file/AWS storage)
+# TOKEN_HASH_SECRET=
 
 # WORKSPACE_INVITE_TEMPLATE_PATH=/path/to/custom/workspace_invite.hbs
 
@@ -167,7 +178,6 @@ JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=43200
 # REDIS_KEEP_ALIVE=
 # ENABLE_BULLMQ_DASHBOARD=
 
-
 ############################################################################################################
 ############################################## SECURITY ####################################################
 ############################################################################################################
@@ -176,3 +186,11 @@ JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=43200
 # CUSTOM_MCP_SECURITY_CHECK=true
 # CUSTOM_MCP_PROTOCOL=sse #(stdio | sse)
 # TRUST_PROXY=true #(true | false | 1 | loopback| linklocal | uniquelocal | IP addresses | loopback, IP addresses)
+
+
+############################################################################################################
+########################################### DOCUMENT LOADERS ###############################################
+############################################################################################################
+
+# PUPPETEER_EXECUTABLE_FILE_PATH='C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe'
+# PLAYWRIGHT_EXECUTABLE_FILE_PATH='C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe'

packages/server/.env.example

@@ -27,6 +27,8 @@ PORT=3000
 # SECRETKEY_AWS_SECRET_KEY=<your-secret-key>
 # SECRETKEY_AWS_REGION=us-west-2
 # SECRETKEY_AWS_NAME=FlowiseEncryptionKey
+# SECRETKEY_AWS_AUTH_PREFIX=Flowise # (when SECRETKEY_STORAGE_TYPE=aws, prefix for auth secret names e.g. FlowiseTokenHashSecret)
+# Auth secrets (TOKEN_HASH_SECRET, EXPRESS_SESSION_SECRET, JWT_*) can be set here or left unset to use file/AWS storage
 
 
 ############################################################################################################
@@ -91,20 +93,29 @@ PORT=3000
 # ALLOW_UNAUTHORIZED_CERTS=false
 # SENDER_EMAIL=team@example.com
 
-JWT_AUTH_TOKEN_SECRET='AABBCCDDAABBCCDDAABBCCDDAABBCCDDAABBCCDD'
-JWT_REFRESH_TOKEN_SECRET='AABBCCDDAABBCCDDAABBCCDDAABBCCDDAABBCCDD'
-JWT_ISSUER='ISSUER'
-JWT_AUDIENCE='AUDIENCE'
+# Auth secrets: set via env (backwards compat) or leave unset to use file/AWS storage (SECRETKEY_PATH or SECRETKEY_STORAGE_TYPE=aws)
+# Generate a secure 32-byte secret using: openssl rand -hex 32
+# JWT_AUTH_TOKEN_SECRET=
+# JWT_REFRESH_TOKEN_SECRET=
+
+JWT_ISSUER=Flowise
+JWT_AUDIENCE=Flowise
 JWT_TOKEN_EXPIRY_IN_MINUTES=360
 JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES=43200
+
 # EXPIRE_AUTH_TOKENS_ON_RESTART=true # (if you need to expire all tokens on app restart)
-# EXPRESS_SESSION_SECRET=flowise
+
+# Generate a secure 32-byte secret using: openssl rand -hex 32 (or leave unset for file/AWS storage)
+# EXPRESS_SESSION_SECRET=
+
 # SECURE_COOKIES=
 
 # INVITE_TOKEN_EXPIRY_IN_HOURS=24
 # PASSWORD_RESET_TOKEN_EXPIRY_IN_MINS=15
 # PASSWORD_SALT_HASH_ROUNDS=10
-# TOKEN_HASH_SECRET='popcorn'
+
+# Generate a secure 32-byte secret using: openssl rand -hex 32 (or leave unset for file/AWS storage)
+# TOKEN_HASH_SECRET=
 
 # WORKSPACE_INVITE_TEMPLATE_PATH=/path/to/custom/workspace_invite.hbs
 

packages/server/src/enterprise/middleware/passport/index.ts

@@ -19,19 +19,21 @@ import { OrganizationUserErrorMessage, OrganizationUserService } from '../../ser
 import { OrganizationService } from '../../services/organization.service'
 import { RoleErrorMessage, RoleService } from '../../services/role.service'
 import { WorkspaceUserService } from '../../services/workspace-user.service'
+import {
+    getExpressSessionSecret,
+    getJWTAudience,
+    getJWTAuthTokenSecret,
+    getJWTIssuer,
+    getJWTRefreshTokenSecret
+} from '../../utils/authSecrets'
 import { decryptToken, encryptToken, generateSafeCopy } from '../../utils/tempTokenUtils'
 import { getAuthStrategy } from './AuthStrategy'
 import { initializeDBClientAndStore, initializeRedisClientAndStore } from './SessionPersistance'
 import { v4 as uuidv4 } from 'uuid'
 
 const localStrategy = require('passport-local').Strategy
 
-const jwtAudience = process.env.JWT_AUDIENCE || 'AUDIENCE'
-const jwtIssuer = process.env.JWT_ISSUER || 'ISSUER'
-
 const expireAuthTokensOnRestart = process.env.EXPIRE_AUTH_TOKENS_ON_RESTART === 'true'
-const jwtAuthTokenSecret = process.env.JWT_AUTH_TOKEN_SECRET || 'auth_token'
-const jwtRefreshSecret = process.env.JWT_REFRESH_TOKEN_SECRET || process.env.JWT_AUTH_TOKEN_SECRET || 'refresh_token'
 
 // Allow explicit override of cookie security settings
 // This is useful when running behind a reverse proxy/load balancer that terminates SSL
@@ -46,16 +48,11 @@ const secureCookie =
         : process.env.APP_URL?.startsWith('https')
         ? true
         : false
-const jwtOptions = {
-    secretOrKey: jwtAuthTokenSecret,
-    audience: jwtAudience,
-    issuer: jwtIssuer
-}
 
 const _initializePassportMiddleware = async (app: express.Application) => {
     // Configure session middleware
     let options: any = {
-        secret: process.env.EXPRESS_SESSION_SECRET || 'flowise',
+        secret: getExpressSessionSecret(),
         resave: false,
         saveUninitialized: false,
         cookie: {
@@ -101,6 +98,11 @@ const _initializePassportMiddleware = async (app: express.Application) => {
 export const initializeJwtCookieMiddleware = async (app: express.Application, identityManager: IdentityManager) => {
     await _initializePassportMiddleware(app)
 
+    const jwtOptions = {
+        secretOrKey: getJWTAuthTokenSecret(),
+        audience: getJWTAudience(),
+        issuer: getJWTIssuer()
+    }
     const strategy = getAuthStrategy(jwtOptions)
     passport.use(strategy)
     passport.use(
@@ -234,7 +236,7 @@ export const initializeJwtCookieMiddleware = async (app: express.Application, id
         const refreshToken = req.cookies.refreshToken
         if (!refreshToken) return res.sendStatus(401)
 
-        jwt.verify(refreshToken, jwtRefreshSecret, async (err: any, payload: any) => {
+        jwt.verify(refreshToken, getJWTRefreshTokenSecret(), async (err: any, payload: any) => {
             if (err || !payload) return res.status(401).json({ message: ErrorMessage.REFRESH_TOKEN_EXPIRED })
             // @ts-ignore
             const loggedInUser = req.user as LoggedInUser
@@ -368,7 +370,7 @@ export const generateJwtAuthToken = (user: any) => {
     if (expiryInMinutes === -1) {
         expiryInMinutes = process.env.JWT_TOKEN_EXPIRY_IN_MINUTES ? parseInt(process.env.JWT_TOKEN_EXPIRY_IN_MINUTES) : 60
     }
-    return _generateJwtToken(user, expiryInMinutes, jwtAuthTokenSecret)
+    return _generateJwtToken(user, expiryInMinutes, getJWTAuthTokenSecret())
 }
 
 export const generateJwtRefreshToken = (user: any) => {
@@ -390,17 +392,17 @@ export const generateJwtRefreshToken = (user: any) => {
             ? parseInt(process.env.JWT_REFRESH_TOKEN_EXPIRY_IN_MINUTES)
             : 129600 // 90 days
     }
-    return _generateJwtToken(user, expiryInMinutes, jwtRefreshSecret)
+    return _generateJwtToken(user, expiryInMinutes, getJWTRefreshTokenSecret())
 }
 
 const _generateJwtToken = (user: Partial<LoggedInUser>, expiryInMinutes: number, secret: string) => {
     const encryptedUserInfo = encryptToken(user?.id + ':' + user?.activeWorkspaceId)
-    return sign({ id: user?.id, username: user?.name, meta: encryptedUserInfo }, secret!, {
+    return sign({ id: user?.id, username: user?.name, meta: encryptedUserInfo }, secret, {
         expiresIn: expiryInMinutes + 'm', // Expiry in minutes
         notBefore: '0', // Cannot use before now, can be configured to be deferred.
         algorithm: 'HS256', // HMAC using SHA-256 hash algorithm
-        audience: jwtAudience, // The audience of the token
-        issuer: jwtIssuer // The issuer of the token
+        audience: getJWTAudience(),
+        issuer: getJWTIssuer()
     })
 }