From e2870a4d27ac689c6ac072fb82aaea593387c41c Mon Sep 17 00:00:00 2001
From: yiekheng
Date: Sun, 3 May 2026 10:01:04 +0800
Subject: [PATCH] feat(scripts): add gen_auth_secret.sh helper for CM_AUTH_SECRET
Wraps openssl rand -hex 32 (with /dev/urandom fallback) so operators don't have to remember the incantation. Defaults to printing the secret; --write [path] sets/replaces CM_AUTH_SECRET in the target .env (./.env by default) and prints the restart command.
---
 scripts/gen_auth_secret.sh | 81 ++++++++++++++++++++++++++++++++++++++
 1 file changed, 81 insertions(+)
 create mode 100755 scripts/gen_auth_secret.sh
diff --git a/scripts/gen_auth_secret.sh b/scripts/gen_auth_secret.sh
new file mode 100755
index 0000000..e5275cf
--- /dev/null
+++ b/scripts/gen_auth_secret.sh
@@ -0,0 +1,81 @@
+#!/usr/bin/env bash
+# Generate a 32-byte (64 hex chars) CM_AUTH_SECRET for cm-web-next session
+# signing. Prints the value to stdout, or appends/replaces it in a target
+# .env file with --write.
+set -euo pipefail
+
+usage() {
+ cat <<'EOF'
+Generate a CM_AUTH_SECRET for cm-web-next.
+
+Usage:
+ scripts/gen_auth_secret.sh Print a fresh secret to stdout.
+ scripts/gen_auth_secret.sh --write Set CM_AUTH_SECRET= in ./.env
+ (creates the file if missing,
+ replaces the line if present).
+ scripts/gen_auth_secret.sh --write PATH Same, against an explicit .env path.
+
+Notes:
+ - Requires `openssl` (falls back to /dev/urandom if missing).
+ - Rotating the secret invalidates every existing session — every signed-in
+ operator gets bounced to /cm-auth on the next request.
+EOF
+}
+
+generate() {
+ if command -v openssl >/dev/null 2>&1; then
+ openssl rand -hex 32
+ else
+ head -c 32 /dev/urandom | xxd -p -c 64
+ fi
+}
+
+write_into() {
+ local target="$1"
+ local secret
+ secret="$(generate)"
+ if [[ -f "${target}" ]] && grep -q '^CM_AUTH_SECRET=' "${target}"; then
+ # Replace in place. Use a tmp file so we don't truncate on failure.
+ local tmp
+ tmp="$(mktemp)"
+ awk -v s="${secret}" '
+ /^CM_AUTH_SECRET=/ { print "CM_AUTH_SECRET=" s; next }
+ { print }
+ ' "${target}" >"${tmp}"
+ mv "${tmp}" "${target}"
+ echo "Replaced CM_AUTH_SECRET in ${target}"
+ else
+ [[ -f "${target}" ]] || touch "${target}"
+ # Add a leading newline only if the file already has content and doesn't
+ # end with a newline.
+ if [[ -s "${target}" && -n "$(tail -c 1 "${target}")" ]]; then
+ printf '\n' >>"${target}"
+ fi
+ printf 'CM_AUTH_SECRET=%s\n' "${secret}" >>"${target}"
+ echo "Appended CM_AUTH_SECRET to ${target}"
+ fi
+ echo "Restart web-next to pick up the new secret:"
+ echo " bash scripts/dev.sh down && bash scripts/dev.sh up"
+ echo " # or, in production: docker compose restart web-next"
+}
+
+case "${1:-}" in
+ -h|--help)
+ usage
+ ;;
+ --write)
+ target="${2:-.env}"
+ ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
+ # Resolve relative paths against the repo root, not CWD.
+ [[ "${target}" = /* ]] || target="${ROOT_DIR}/${target}"
+ write_into "${target}"
+ ;;
+ "")
+ generate
+ ;;
+ *)
+ echo "Unknown option: $1" >&2
+ usage >&2
+ exit 2
+ ;;
+esac
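Review bot: The append branch of write_into creates a missing .env with a bare `touch`, so a brand-new file that is about to hold the session-signing secret gets whatever mode the caller's umask yields (commonly 0644, readable by every local user), whereas the replace branch ends up 0600 only as a side effect of `mv`-ing the mktemp file over the target. Create the file under a restrictive mask so both paths agree and the secret is never group/world-readable: `[[ -f "${target}" ]] || (umask 077; touch -- "${target}")`. The /dev/urandom fallback in generate also depends on `xxd`, which the help text does not list and which is often absent on minimal images; `head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n'` gives the same 64 hex chars with coreutils alone. Minor: `tmp="$(mktemp)"` has no cleanup on failure, so an awk error leaves an empty temp file behind, which is worth a comment or a `trap` if the script grows.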