Secrets Question


James Bearden

Jun 25, 2016, 11:31:33 AM
to Mojolicious
I have been rotating my secrets faithfully since it has been an option (and just setting it before that) but apparently that was wasted effort. I recently upgraded to a newer version of Mojolicious and it now always warns that it needs to be changed. Digging a little deeper it seems that "startup" is not the right place to set it since that is too "late". I use "Mojolicious::Commands->start_app('MyApp')" in a script to start my server, so there does not appear to be an "earlier" place to set it. Can anyone please tell me where the proper place to set secrets is if one is not using the Lite version of Mojolicious?

Thanks,
James

Pavel K

Jun 26, 2016, 3:24:57 PM
to Mojolicious
I think something like this should work fine:

sub startup {
  my $self = shift;
  $self->secrets(['stu15684ffy','tea5$6ching']);
  ...
}

James Bearden

Jun 27, 2016, 10:55:41 AM
to Mojolicious
That is unfortunately exactly what I have been doing, and I still get the warning upon startup.

Павел Павлов

Jun 27, 2016, 11:44:06 AM
to mojol...@googlegroups.com

Can you show me this part of code?


James Bearden

Jun 27, 2016, 11:49:05 AM
to Mojolicious
Sure, below is the top of my startup routine. I get the "passphrase needs to be changed" warning before this code is executed.

# This method will run once at server start
sub startup {
  my $Self = shift;
 
  if ($Self->app->mode eq 'development') {
    $Self->app->log->level('info'); # debug, (info), warn, error, or fatal
  } elsif (getpwuid($>) eq 'root') {
    $Self->app->log->info("Server starting!");
    $Self->app->log->level('warn');
  } else {
    NeoUtil::LogThis("Must be run as root!");
    return;
  }

  # Set name for the mojolicious cookie. Maximum cookie size is 4096 bytes.
  $Self->sessions->cookie_name('MyApp');

  # Key to encode client cookie, which stores some session information.
  $Self->secrets(['uBLR8eIgsIQ7MmZ0nfyd5UOdd48VlnUGrjYyS9regRX72qEO2b0UlQ738a',
          '30J0SEIIF3UQzLYZNrgD2sh9Zm3DgYjzaN9RRmi8k1Gs0SBNk7tzd2dPg']);



And the output I am getting is:

Server available at http://127.0.0.1:3000
[Mon Jun 27 10:47:32 2016] [debug] Your secret passphrase needs to be changed

Jan Henning Thorsen

Jun 28, 2016, 9:16:43 AM
to Mojolicious
What does the start of that package look like? Do you have this:

  package MyApp;
  use Mojo::Base "Mojolicious";

The string after "package" needs to match whatever you pass on to start_app().

Another thing: I would not run my code as "root". If you want to listen to port 80, I would advise using https://metacpan.org/pod/Mojolicious::Plugin::SetUserGroup to make sure that the requests run as a different user.

James Bearden

Jun 28, 2016, 9:23:35 AM
to Mojolicious
It does match. The name of my app is NeoCaddy, and here is the top of the associated package:


package NeoCaddy;

use strict;
use DBI;
use Cache::Memcached::Fast;
use Config::Simple;
use File::Find::Rule;
use IO::Compress::Gzip 'gzip';
use Mojo::Base 'Mojolicious';
use Mojo::Home;
use Mojolicious::Static;
use Sys::Hostname;

Stefan Adams

Jun 28, 2016, 10:45:08 AM
to mojolicious

On Tue, Jun 28, 2016 at 8:23 AM, James Bearden <nontriv...@gmail.com> wrote:
It does match. The name of my app is NeoCaddy, and here is the top of the associated package:

FWIW, this does not produce the unwanted behavior of "Your secret passphrase needs to be changed":

$ cat /tmp/secrets.pl
use Mojolicious::Commands;

# Start command line interface for application
Mojolicious::Commands->start_app('NeoCaddy');

package NeoCaddy;
use Mojo::Base 'Mojolicious';

sub startup {
  my $Self = shift;
  
  # Set name for the mojolicious cookie. Maximum cookie size is 4096 bytes.
  $Self->sessions->cookie_name('MyApp');

  # Key to encode client cookie, which stores some session information.
  $Self->secrets(['uBLR8eIgsIQ7MmZ0nfyd5UOdd48VlnUGrjYyS9regRX72qEO2b0UlQ738a',
          '30J0SEIIF3UQzLYZNrgD2sh9Zm3DgYjzaN9RRmi8k1Gs0SBNk7tzd2dPg']);

  $Self->routes->get('/')->to(cb=>sub{shift->render(text => scalar localtime)});
}

$ perl /tmp/secrets.pl daemon
[Tue Jun 28 09:39:37 2016] [info] Listening at "http://*:3000"
Server available at http://127.0.0.1:3000
^C

$ perl /tmp/secrets.pl get /
[Tue Jun 28 09:39:41 2016] [debug] GET "/"
[Tue Jun 28 09:39:41 2016] [debug] Routing to a callback
[Tue Jun 28 09:39:41 2016] [debug] 200 OK (0.000403s, 2481.390/s)
Tue Jun 28 09:39:41 2016

Note in your original post you stated "I use "Mojolicious::Commands->start_app('MyApp')" in a script to start my server" but I used "Mojolicious::Commands->start_app('NeoCaddy')"

James Bearden

Jun 28, 2016, 11:15:28 AM
to Mojolicious

I do use "NeoCaddy" in both places and haven't touched those parts of the code for a long time. I only started getting the warning when I upgraded to a newer version of Mojolicious (6.15). I used MyApp in the original post basically for giggles.

So at this point it seems as though nobody can really tell me why I am getting the warning, so when I have some free time I will dig into it more and post back if I find anything. Thanks everybody for the effort.

James

Dotan Dimet

Jun 30, 2016, 2:19:59 PM
to mojol...@googlegroups.com
Hi James,

You are getting the warning because something is calling secrets on a Mojolicious instance (presumably, your app) before you initialize it with the correct value in your startup method. The log message about changing your passphrase is in the default initializer of secrets in Mojolicious.pm.

Usually, you get that message if you don't initialize secrets only on the first request to your app (not on server startup).

So presumably something in your code is calling it before the line in your startup method. Since the section of the startup method you shared looks rather innocuous, I'd guess it might be something in a module run on "use".

Hope this is helpful,
 Dotan




Pavel K

Jul 1, 2016, 2:50:09 AM
to Mojolicious
Dotan, thank you very much!!!
Your answer helped me fix an old bug in one of my old projects (written in Mojolicious::Lite)!
I was getting this warning ("passphrase needs to be changed") in this case:


plugin( Mount =>   { '/adm' => $Bin . '/admin.pl' }  );

app->secrets($cfg->{secret});
app->sessions->default_expiration($cfg->{session_exp});

But after these changes:


app->secrets($cfg->{secret});
app->sessions->default_expiration($cfg->{session_exp});

plugin( Mount =>   { '/adm' => $Bin . '/admin.pl' }  );


The warning disappeared.
Also, I think the same thing applies in James Bearden's case.
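
Added example (not part of the thread, and not Mojolicious' own code): one way to find the early reader Dotan describes is to override the lazy default of "secrets" in the application class so that it prints a stack trace when it fires. The class name TraceSecretsApp, the APP_SECRETS environment variable and the simulated early read are assumptions made for this sketch.

```perl
#!/usr/bin/env perl
# Added example: locate the code that reads secrets before startup() sets them.
package TraceSecretsApp;    # hypothetical application name
use Mojo::Base 'Mojolicious';
use Carp ();

# Override the lazy default of the inherited "secrets" attribute. The default
# only runs when secrets is read while still unset, so a stack trace printed
# here names the caller that got in too early.
has secrets => sub {
  my $self = shift;
  Carp::cluck('secrets read before being set');
  return [$self->moniker];    # same fallback value as stock Mojolicious
};

sub startup {
  my $self = shift;

  # Simulated early reader (constructed for this example); in a real app this
  # could be a plugin or mounted app loaded before the secrets line.
  my $early = $self->secrets;

  # Fail closed: take secrets from the environment, newest first, and refuse
  # to start rather than fall back to the guessable default.
  my @secrets = split /,/, $ENV{APP_SECRETS} // '';    # assumed variable name
  die "APP_SECRETS is not set\n" unless @secrets;
  $self->secrets(\@secrets);

  $self->routes->get('/' => sub { shift->render(text => 'ok') });
}

package main;
use Mojolicious::Commands;

# The "has" statement above runs at run time, so the package has to appear
# before this call in the file.
Mojolicious::Commands->start_app('TraceSecretsApp');
```

Run with, for example, APP_SECRETS=new,old perl trace.pl daemon; the trace written to STDERR points at the line that touched secrets first, and removing the simulated read silences it.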

