It is strongly recommended to set in www/common/application_config_internal.js a randomly chosen string as a salt for the password hashing. This makes it so that attackers who want to brute-force common credentials must do so again on each CryptPad instance that they wish to attack.
Context
Hardware: VPS bought online / Old laptop or computer / Raspberry Pi at home / Internet Cube with VPN / Other ARM board / ...
YunoHost version: 11.1.15
I have access to my server: Through SSH | through the webadmin | direct access via keyboard / screen | ...
Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: no
Using, or trying to install package version/branch: stable
If upgrading, current package version: 5.2.1~ynh8
Steps to reproduce
After the installation, if I create the first user on the application, I can't do this security operation, or it will break the authentication.
The loginSalt should only be set when your CryptPad instance is first created. Changing it at a later time will break logins for all existing users.
For this, we need to insert a chosen string in the following line:
AppConfig.loginSalt = '';
We may further want to increase the minimum password length. For this, modify the following line:
AppConfig.minimumPasswordLength = 8;
Expected behavior
Have a script to do this with a random key to include in this file, perhaps something like this ??
This means the key must be saved across an upgrade; I am not sure if it is possible to have this in the upgrade script ??
These are only suggestions...
Perhaps it is easier to have a template and do ynh_add_config --template="../conf/application_config_internal.js" --destination="$install_dir/config/application_config_internal.js"
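As an added illustration of the suggestion above (example code, not the cryptpad_ynh package's own scripts): the salt must be generated exactly once at install time, persisted, and reused on every upgrade, otherwise existing logins break. In a YunoHost script the same steps would be ynh_string_random, ynh_app_setting_set/ynh_app_setting_get and ynh_add_config; here plain POSIX tools, a constructed key=value settings file and a constructed template are used so the logic runs anywhere.

```shell
#!/bin/sh
# Return the stored salt from $1 (a key=value settings file), creating a
# fresh 32-byte hex salt on the first call. Never regenerates an existing
# salt, which is what keeps an upgrade from breaking current users' logins.
ensure_login_salt() {
    settings="$1"
    if [ -f "$settings" ] && grep -q '^login_salt=' "$settings"; then
        sed -n 's/^login_salt=//p' "$settings" | head -n 1
        return 0
    fi
    salt=$(head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n')
    printf 'login_salt=%s\n' "$salt" >> "$settings"
    printf '%s\n' "$salt"
}

# Render a template in which __LOGIN_SALT__ and __MIN_PASSWORD_LENGTH__ are
# placeholders (the same __VAR__ convention ynh_add_config substitutes).
render_config() {
    template="$1"; dest="$2"; salt="$3"; minlen="$4"
    sed -e "s|__LOGIN_SALT__|$salt|" -e "s|__MIN_PASSWORD_LENGTH__|$minlen|" \
        "$template" > "$dest"
    chmod 640 "$dest"   # the salt is a secret: do not leave it world-readable
}

# Constructed stand-in for ../conf/application_config_internal.js
write_sample_template() {
    cat > "$1" <<'EOF'
AppConfig.loginSalt = '__LOGIN_SALT__';
AppConfig.minimumPasswordLength = __MIN_PASSWORD_LENGTH__;
EOF
}

# Simulate an install followed by an upgrade in a temporary directory;
# succeeds only if the second run reused the salt from the first.
demo() {
    dir=$(mktemp -d)
    write_sample_template "$dir/template.js"
    s1=$(ensure_login_salt "$dir/settings")        # install: new salt
    render_config "$dir/template.js" "$dir/app.js" "$s1" 12
    s2=$(ensure_login_salt "$dir/settings")        # upgrade: same salt
    render_config "$dir/template.js" "$dir/app.js" "$s2" 12
    [ "$s1" = "$s2" ] && grep -q "loginSalt = '$s1';" "$dir/app.js"
}
```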