chore: add gen_auth_secret + bootstrap env files

2026-05-09 15:12:09 +08:00 · 2026-05-09 15:12:09 +08:00 · f1831b8a56
commit f1831b8a56
parent 30168ad793
3 changed files with 95 additions and 0 deletions
--- a/.env.development
+++ b/.env.development
@ -0,0 +1,13 @@
 DATABASE_URL=postgres://placeholder:placeholder@192.168.0.210:5432/whatsapp_bot_dev
 TELEGRAM_BOT_TOKEN=placeholder
 TELEGRAM_OPERATOR_WHITELIST=0
 TELEGRAM_QR_CHAT_ID=0
 DATA_DIR=/data
 SESSIONS_DIR=/data/sessions
 MEDIA_DIR=/data/media
 BOT_HEALTH_PORT=8081
 BOT_LOG_LEVEL=debug
 SEED_OPERATOR_TELEGRAM_ID=0
 SEED_OPERATOR_NAME=Dev
 WEB_PORT=3000
 AUTH_SECRET=86f656580a58f03b6ccb43d257e0e801ecd5356e042e8886b3c7c569e29ff13c
--- a/envs/.env.example
+++ b/envs/.env.example
@ -0,0 +1,24 @@
 # === Postgres ===
 DATABASE_URL=postgres://USER:PASS@192.168.0.210:5432/whatsapp_bot_dev
 # === Telegram ===
 TELEGRAM_BOT_TOKEN=
 TELEGRAM_OPERATOR_WHITELIST=
 TELEGRAM_QR_CHAT_ID=
 # === App data paths (inside containers) ===
 DATA_DIR=/data
 SESSIONS_DIR=/data/sessions
 MEDIA_DIR=/data/media
 # === Bot service ===
 BOT_HEALTH_PORT=8081
 BOT_LOG_LEVEL=info
 # === Seed (used by scripts/db.sh seed) ===
 SEED_OPERATOR_TELEGRAM_ID=
 SEED_OPERATOR_NAME=Operator
 # === Web (placeholder for plan 3) ===
 WEB_PORT=3000
 AUTH_SECRET=
--- a/scripts/gen_auth_secret.sh
+++ b/scripts/gen_auth_secret.sh
@ -0,0 +1,58 @@
 #!/usr/bin/env bash
 # Generate a 32-byte (64 hex chars) AUTH_SECRET for web session signing.
 set -euo pipefail
 usage() {
  cat <<'EOF'
 Generate AUTH_SECRET.
 Usage:
  scripts/gen_auth_secret.sh                Print a fresh secret to stdout.
  scripts/gen_auth_secret.sh --write        Set AUTH_SECRET= in ./.env.development
                                            (creates if missing, replaces if present).
  scripts/gen_auth_secret.sh --write PATH   Same, against an explicit env path.
 EOF
 }
 generate() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -hex 32
  else
    head -c 32 /dev/urandom | xxd -p -c 64
  fi
 }
 write_into() {
  local target="$1"
  local secret
  secret="$(generate)"
  if [[ -f "${target}" ]] && grep -q '^AUTH_SECRET=' "${target}"; then
    local tmp
    tmp="$(mktemp)"
    awk -v s="${secret}" '
      /^AUTH_SECRET=/ { print "AUTH_SECRET=" s; next }
      { print }
    ' "${target}" > "${tmp}"
    mv "${tmp}" "${target}"
    echo "Replaced AUTH_SECRET in ${target}"
  else
    [[ -f "${target}" ]] || touch "${target}"
    if [[ -s "${target}" && -n "$(tail -c 1 "${target}")" ]]; then
      printf '\n' >> "${target}"
    fi
    printf 'AUTH_SECRET=%s\n' "${secret}" >> "${target}"
    echo "Appended AUTH_SECRET to ${target}"
  fi
 }
 case "${1:-}" in
  -h|--help) usage ;;
  --write)
    target="${2:-.env.development}"
    ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
    [[ "${target}" = /* ]] || target="${ROOT_DIR}/${target}"
    write_into "${target}"
    ;;
  "") generate ;;
  *) echo "Unknown option: $1" >&2; usage >&2; exit 2 ;;
 esac