andreas/mautrix-whatsapp-cloudron
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add automatic token generation for security

Browse Source
This commit is contained in:
Andreas Dueren
2025-06-16 12:36:46 -06:00
parent 2fa272436e
commit 63f67862d0
1 changed files with 37 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
start.sh
View File

@ -26,7 +26,11 @@ if [ ! -f "$CONFIG_PATH" ]; then
# Generate config as root first, then fix permissions # Generate config as root first, then fix permissions
/app/pkg/mautrix-whatsapp -g -c "$CONFIG_PATH" -r "$REGISTRATION_PATH" || { /app/pkg/mautrix-whatsapp -g -c "$CONFIG_PATH" -r "$REGISTRATION_PATH" || {
echo "=> Config generation failed, creating minimal config" echo "=> Config generation failed, creating minimal config"
cat > "$CONFIG_PATH" << 'EOF' # Generate secure random tokens
AS_TOKEN=$(openssl rand -hex 32)
HS_TOKEN=$(openssl rand -hex 32)
cat > "$CONFIG_PATH" << EOF
homeserver: homeserver:
address: https://matrix.example.com address: https://matrix.example.com
domain: example.com domain: example.com
@ -35,6 +39,8 @@ appservice:
address: https://example.com address: https://example.com
hostname: 0.0.0.0 hostname: 0.0.0.0
port: 29318 port: 29318
as_token: $AS_TOKEN
hs_token: $HS_TOKEN
database: database:
type: postgres type: postgres
uri: postgres://user:pass@localhost/db uri: postgres://user:pass@localhost/db
@ -51,11 +57,11 @@ logging:
filename: /app/data/mautrix-whatsapp.log filename: /app/data/mautrix-whatsapp.log
level: info level: info
EOF EOF
cat > "$REGISTRATION_PATH" << 'EOF' cat > "$REGISTRATION_PATH" << EOF
id: whatsapp id: whatsapp
url: https://example.com url: https://example.com
as_token: generated_token as_token: $AS_TOKEN
hs_token: generated_token hs_token: $HS_TOKEN
rate_limited: false rate_limited: false
sender_localpart: whatsappbot sender_localpart: whatsappbot
namespaces: namespaces:
@ -116,7 +122,7 @@ else
yq -i ".logging.level = \"info\"" "$CONFIG_PATH" 2>/dev/null || true yq -i ".logging.level = \"info\"" "$CONFIG_PATH" 2>/dev/null || true
fi fi
# Fix homeserver domain configuration # Fix homeserver domain configuration and tokens
if [ -n "${CLOUDRON_APP_DOMAIN:-}" ]; then if [ -n "${CLOUDRON_APP_DOMAIN:-}" ]; then
BASE_DOMAIN=$(echo "$CLOUDRON_APP_DOMAIN" | cut -d. -f2-) BASE_DOMAIN=$(echo "$CLOUDRON_APP_DOMAIN" | cut -d. -f2-)
CURRENT_DOMAIN=$(yq -r ".homeserver.domain // empty" "$CONFIG_PATH" 2>/dev/null) CURRENT_DOMAIN=$(yq -r ".homeserver.domain // empty" "$CONFIG_PATH" 2>/dev/null)
@ -126,6 +132,32 @@ else
yq -i ".homeserver.domain = \"$BASE_DOMAIN\"" "$CONFIG_PATH" yq -i ".homeserver.domain = \"$BASE_DOMAIN\"" "$CONFIG_PATH"
yq -i ".appservice.address = \"https://$CLOUDRON_APP_DOMAIN\"" "$CONFIG_PATH" yq -i ".appservice.address = \"https://$CLOUDRON_APP_DOMAIN\"" "$CONFIG_PATH"
fi fi
# Update registration file with correct URL
if [ -f "$REGISTRATION_PATH" ]; then
yq -i ".url = \"https://$CLOUDRON_APP_DOMAIN\"" "$REGISTRATION_PATH" 2>/dev/null || true
fi
fi
# Ensure tokens exist
if [ -f "$CONFIG_PATH" ] && [ -f "$REGISTRATION_PATH" ]; then
AS_TOKEN=$(yq -r ".as_token // empty" "$REGISTRATION_PATH" 2>/dev/null)
HS_TOKEN=$(yq -r ".hs_token // empty" "$REGISTRATION_PATH" 2>/dev/null)
# Generate tokens if missing
if [ -z "$AS_TOKEN" ] || [ "$AS_TOKEN" = "generated_token" ]; then
AS_TOKEN=$(openssl rand -hex 32)
echo "=> Generating new as_token"
yq -i ".as_token = \"$AS_TOKEN\"" "$REGISTRATION_PATH" 2>/dev/null || true
yq -i ".appservice.as_token = \"$AS_TOKEN\"" "$CONFIG_PATH" 2>/dev/null || true
fi
if [ -z "$HS_TOKEN" ] || [ "$HS_TOKEN" = "generated_token" ]; then
HS_TOKEN=$(openssl rand -hex 32)
echo "=> Generating new hs_token"
yq -i ".hs_token = \"$HS_TOKEN\"" "$REGISTRATION_PATH" 2>/dev/null || true
yq -i ".appservice.hs_token = \"$HS_TOKEN\"" "$CONFIG_PATH" 2>/dev/null || true
fi
fi fi
fi fi
fi fi