Some folks who deploy MapRoulette locally for dev, use GH actions in some way, or have their own instances will need to update their Play application secret. The application service will NOT START without updating to a secret key of at least 32 bytes.
This is not an optional change -- it is required to use a key of sufficient length.
What do I need to do?
To avoid runtime errors, you need to update the application secret which is used by the Play framework to encrypt sessions. The secret should be distinct to the server -- do not share the same key between staging, prod, GH actions, local dev, etc.
1. Get yourself a random key of sufficient length. One way is to use openssl rand -base64 32 (or head -c 32 /dev/urandom | base64).
2. Update your setup using one of the two methods in the sub-bullets.
   - Set secret via conf: Set play.http.secret.key to your secret key.
   - Set secret via environment variable: The conf will use the env variable APPLICATION_SECRET as the secret if it's set. If you have a k8s setup or GH actions, you may set the secret in that variable. See this diff for an example.
3. Run the service; it should work.
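A pre-start check for the steps above, as an added example that is not part of the MapRoulette or Play code. The function names and the --check flag are hypothetical, and it assumes the length is counted as the bytes of the secret string times 8.

```shell
#!/bin/sh
# Added example: pre-start check for the Play application secret.
# Assumption: length is counted as bytes of the secret string * 8.

MIN_BITS=256   # minimum for HS256, as quoted in the error message

# Print the size of a secret in bits without echoing the secret itself.
secret_bits() {
    bytes=$(printf '%s' "$1" | wc -c)
    echo $((bytes * 8))
}

# Succeed only when the secret meets the minimum length.
check_secret() {
    [ "$(secret_bits "$1")" -ge "$MIN_BITS" ]
}

# Generate a fresh key using the second command given in the steps above.
new_secret() {
    head -c 32 /dev/urandom | base64
}

# Check APPLICATION_SECRET: 0 = ok, 1 = too short, 2 = not set.
preflight() {
    if [ -z "${APPLICATION_SECRET:-}" ]; then
        echo "APPLICATION_SECRET is not set" >&2
        return 2
    fi
    if ! check_secret "$APPLICATION_SECRET"; then
        echo "APPLICATION_SECRET is $(secret_bits "$APPLICATION_SECRET") bits, need $MIN_BITS" >&2
        return 1
    fi
    echo "APPLICATION_SECRET length ok"
}

# Run the check only when asked: sh check_secret.sh --check
if [ "${1:-}" = "--check" ]; then
    preflight
    exit $?
fi
```

Running it with --check in a CI step or container entrypoint reports a short key by its bit count only, so the secret never reaches the logs.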
This is the runtime error that is thrown when the application secret is too short:
20:52:28.444 ERROR [][application-akka.actor.default-dispatcher-6][akka.actor.OneForOneStrategy] - Unable to provision, see the following errors:
1) [Guice/ErrorInCustomProvider]: Configuration error: Configuration error[
The application secret is too short and does not have the recommended amount of entropy for algorithm HS256 defined at play.http.session.jwt.signatureAlgorithm.
Current application secret bits: 160, minimal required bits for algorithm HS256: 256.
To set the application secret, please read https://playframework.com/documentation/latest/ApplicationSecret
]
while locating HttpConfiguration$HttpConfigurationProvider
at HttpConfiguration$CookiesConfigurationProvider.<init>(HttpConfiguration.scala:331)
\_ for 1st parameter conf
at HttpConfiguration$CookiesConfigurationProvider.class(HttpConfiguration.scala:331)
while locating HttpConfiguration$CookiesConfigurationProvider
at DefaultCookieHeaderEncoding.<init>(Cookie.scala:387)
\_ for 1st parameter config
while locating DefaultCookieHeaderEncoding
at DefaultRequestFactory.<init>(RequestFactory.scala:94)
\_ for 1st parameter cookieHeaderEncoding
while locating DefaultRequestFactory
at DefaultApplication.<init>(Application.scala:178)
\_ for 5th parameter requestFactory
at DefaultApplication.class(Application.scala:177)
while locating DefaultApplication
at SchedulerActor.<init>(SchedulerActor.scala:45)
\_ for 2nd parameter application
at SchedulerActor.class(SchedulerActor.scala:44)
while locating SchedulerActor
Learn more:
https://github.com/google/guice/wiki/ERROR_IN_CUSTOM_PROVIDER
See https://playframework.com/documentation/latest/ApplicationSecret for more information.