yiekheng/cm_bot_v2
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
cm_bot_v2/scripts/gen_auth_secret.sh
yiekheng ebccad2094 B4 cutover: retire Flask cm-web, rename cm-web-next → cm-web 
End-state: a single web service (Next.js dashboard) per deployment, no
side-by-side Flask UI. The image name 'cm-web' now points at the Next.js
build; the legacy 'cm-web-next' tag is no longer published.

Changes:
- Delete app/cm_web_view.py and the Flask docker/web/Dockerfile.
- Rename docker/web-next/ → docker/web/ (Next.js Dockerfile takes the
  cm-web slot).
- docker-compose.yml: drop the web-view service. Rename web-next → web,
  container ${CM_DEPLOY_NAME}-web-next → ${CM_DEPLOY_NAME}-web, image
  cm-web-next → cm-web, named volume web-next-auth-data → web-auth-data.
  transfer-bot's depends_on no longer references web-view (vestigial
  startup ordering, never a runtime dependency).
- docker-compose.override.yml: same rename, dockerfile path updated.
- envs: drop CM_WEB_NEXT_HOST_PORT. Repurpose CM_WEB_HOST_PORT for the
  Next.js port (8010 dev, 8011 rex, 8012 siong) — same numeric values
  formerly held by CM_WEB_NEXT_HOST_PORT, so aaPanel routes don't move.
- scripts/dev.sh: drops web-view + web-next from up/reset-db/logs;
  --remove-orphans still cleans up legacy containers from before cutover.
- scripts/publish.sh: drop the cm-web-next build target.
- tests/test_debug_enabled.py: drop app.cm_web_view from the helper
  matrix (cm_api is now the only Flask entrypoint with _debug_enabled).
- AGENTS.md / README.md / docs/aapanel-hardening.md: rewrite Flask-era
  references; add migration steps for existing stacks; update aaPanel
  port references (8000/8001/8005 → 8010/8011/8012).
- .gitignore: add .env, .venv/, .playwright-mcp/, node_modules/, .next/
  so 'git add -A' can't accidentally stage secrets or build artifacts.

Operator action required to upgrade an existing deployment:
  1. .env: drop CM_WEB_NEXT_HOST_PORT line. Set CM_WEB_HOST_PORT to
     what CM_WEB_NEXT_HOST_PORT was. Make sure CM_AUTH_SECRET is set.
  2. aaPanel: if proxy_pass pointed at the legacy Flask port
     (8000/8001/8005), switch it to the new one (8010/8011/8012).
  3. Pull the new cm-web image (Next.js) and redeploy the stack. The
     old ${CM_DEPLOY_NAME}-web-view and ${CM_DEPLOY_NAME}-web-next
     containers will be replaced by a single ${CM_DEPLOY_NAME}-web.

Verified locally: docker-compose YAML parses; transfer-bot runtime is
unchanged (only depends_on tidied); 38-test python suite passes.
2026-05-03 10:12:20 +08:00

82 lines
2.4 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
# Generate a 32-byte (64 hex chars) CM_AUTH_SECRET for cm-web session
# signing. Prints the value to stdout, or appends/replaces it in a target
# .env file with --write.
set -euo pipefail
usage() {
cat <<'EOF'
Generate a CM_AUTH_SECRET for cm-web.
Usage:
scripts/gen_auth_secret.sh Print a fresh secret to stdout.
scripts/gen_auth_secret.sh --write Set CM_AUTH_SECRET= in ./.env
(creates the file if missing,
replaces the line if present).
scripts/gen_auth_secret.sh --write PATH Same, against an explicit .env path.
Notes:
- Requires `openssl` (falls back to /dev/urandom if missing).
- Rotating the secret invalidates every existing session — every signed-in
operator gets bounced to /cm-auth on the next request.
EOF
}
generate() {
if command -v openssl >/dev/null 2>&1; then
openssl rand -hex 32
else
head -c 32 /dev/urandom | xxd -p -c 64
fi
}
write_into() {
local target="$1"
local secret
secret="$(generate)"
if [[ -f "${target}" ]] && grep -q '^CM_AUTH_SECRET=' "${target}"; then
# Replace in place. Use a tmp file so we don't truncate on failure.
local tmp
tmp="$(mktemp)"
awk -v s="${secret}" '
/^CM_AUTH_SECRET=/ { print "CM_AUTH_SECRET=" s; next }
{ print }
' "${target}" >"${tmp}"
mv "${tmp}" "${target}"
echo "Replaced CM_AUTH_SECRET in ${target}"
else
[[ -f "${target}" ]] || touch "${target}"
# Add a leading newline only if the file already has content and doesn't
# end with a newline.
if [[ -s "${target}" && -n "$(tail -c 1 "${target}")" ]]; then
printf '\n' >>"${target}"
fi
printf 'CM_AUTH_SECRET=%s\n' "${secret}" >>"${target}"
echo "Appended CM_AUTH_SECRET to ${target}"
fi
echo "Restart the web service to pick up the new secret:"
echo " bash scripts/dev.sh down && bash scripts/dev.sh up"
echo " # or, in production: docker compose restart web"
}
case "${1:-}" in
-h|--help)
usage
;;
--write)
target="${2:-.env}"
ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
# Resolve relative paths against the repo root, not CWD.
[[ "${target}" = /* ]] || target="${ROOT_DIR}/${target}"
write_into "${target}"
;;
"")
generate
;;
*)
echo "Unknown option: $1" >&2
usage >&2
exit 2
;;
esac
Reference in New Issue View Git Blame Copy Permalink