keitaroinc / docker-ckan

CKAN docker images, docker-compose and examples
Apache License 2.0

[BUG] Why is the JWT encode/decode token replaced by the start script? #107

Closed b-a0 closed 1 year ago

b-a0 commented 1 year ago

start_ckan.sh replaces the api_token.jwt.encode.secret and api_token.jwt.decode.secret values when the beaker.session.secret is empty (which it is by default).

I understand that one can set these values in the .ckan-env file, but I don't understand why that is needed. If you let ckan just create its config (ckan generate config), these keys get a default value. Why not keep that default value and only overwrite it through env vars when it is not sufficient?
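The override logic the report describes, as an added example that is neither the project's start_ckan.sh nor code the reporter posted: a POSIX sh fragment that leaves the ini untouched when beaker.session.secret already has a value and otherwise writes a fresh session secret and fresh JWT encode/decode secrets drawn from /dev/urandom, with operator-supplied values taking precedence. The ini keys are CKAN's own; the `string:` prefix is assumed here to be CKAN's marker for an inline JWT secret, and the function names and the JWT_ENCODE_SECRET / JWT_DECODE_SECRET environment variables are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (hypothetical start-script fragment, not keitaroinc's start_ckan.sh).
# Rotates beaker.session.secret, api_token.jwt.encode.secret and
# api_token.jwt.decode.secret in a CKAN ini when the session secret is empty.
# JWT_ENCODE_SECRET / JWT_DECODE_SECRET are assumed env-var names for operator
# overrides; they are not CKAN's or the project's configuration interface.
set -u

# Print the value of "key = value" for an ini key (first match; empty if unset).
ini_get() {
  key_re=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape dots for the regex
  sed -n "s/^[[:space:]]*${key_re}[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Rewrite "key = value" in place, appending the key if it is missing.
# Values containing '|' or '&' would need escaping before reaching sed.
ini_set() {
  key_re=$(printf '%s' "$2" | sed 's/\./\\./g')
  if grep -q "^[[:space:]]*${key_re}[[:space:]]*=" "$1"; then
    sed "s|^[[:space:]]*${key_re}[[:space:]]*=.*|$2 = $3|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
  else
    printf '%s = %s\n' "$2" "$3" >> "$1"
  fi
}

# 32 bytes from the kernel CSPRNG, hex-encoded (64 characters); no openssl needed.
new_secret() {
  od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# Rotate only when beaker.session.secret is empty or missing. Operator-supplied
# JWT secrets win; generated ones fill the rest. Returns 0 if the ini changed,
# 1 if it was left alone because a session secret was already present.
rotate_secrets() {
  ini=$1
  if [ -n "$(ini_get "$ini" beaker.session.secret)" ]; then
    return 1
  fi
  ini_set "$ini" beaker.session.secret "$(new_secret)"
  # "string:" is assumed to be CKAN's prefix for an inline JWT secret (vs. "file:").
  ini_set "$ini" api_token.jwt.encode.secret "string:${JWT_ENCODE_SECRET:-$(new_secret)}"
  ini_set "$ini" api_token.jwt.decode.secret "string:${JWT_DECODE_SECRET:-$(new_secret)}"
  return 0
}

# Usage: sh rotate_secrets.sh /srv/app/ckan.ini
if [ -n "${1:-}" ]; then
  rotate_secrets "$1" && echo "secrets rotated in $1" || echo "$1 already has a session secret"
fi
```

The check on beaker.session.secret is the switch the report describes: an operator who sets that key (or the environment variables) owns the secrets, and the script does nothing. The reason to rotate at container start rather than trust whatever the ini already holds is that any secret written into the ini while the image is built is identical in every container started from that image, which is what the per-start regeneration avoids.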

Filip3mac commented 1 year ago

@b-a0 Sorry for the late reply. @stojanovskis1 @blazhovsky Please reply.

blazhovsky commented 1 year ago

@b-a0 this is a known security issue. You can see the changes here