nurdism / neko

A self hosted virtual browser (rabb.it clone) that runs in docker.
Apache License 2.0
2.03k stars 185 forks

[BUG] Docker image logs all keypresses by default #50

Closed duckinator closed 4 years ago

duckinator commented 4 years ago

Describe the bug

Due to the docker image passing -d in /etc/neko/supervisord.conf, it logs all key presses by default. This has the potential to compromise passwords.

To Reproduce

Steps to reproduce the behavior:

  1. Set up Neko as per https://n.eko.moe/#/quick-start
  2. Log in
  3. Take the controls
  4. Type in the address bar
  5. Check the logs, and note that they include information about all keypresses.

Expected behavior

The default image should not double as a keylogger.

Screenshots

(attached image: Screenshot_20200326_230839)

Desktop (please complete the following information):

Additional context (none)

Client Log: (not relevant)

Server Log:

    neko_1  | 2020-03-27 03:08:24,773 DEBG 'neko' stdout output:
    neko_1  | 3:08AM DBG key down KEY_H(72) module=webrtc
    neko_1  |
    neko_1  | 2020-03-27 03:08:24,892 DEBG 'neko' stdout output:
    neko_1  | 3:08AM DBG key up KEY_H(72) module=webrtc
    neko_1  |
    neko_1  | 2020-03-27 03:08:25,451 DEBG 'neko' stdout output:
    neko_1  | 3:08AM DBG key down KEY_E(69) module=webrtc
    neko_1  |
    neko_1  | 2020-03-27 03:08:25,559 DEBG 'neko' stdout output:
    neko_1  | 3:08AM DBG key up KEY_E(69) module=webrtc
    neko_1  |
    neko_1  | 2020-03-27 03:08:26,372 DEBG 'neko' stdout output:
    neko_1  | 3:08AM DBG key down KEY_L(76) module=webrtc
    neko_1  |
    neko_1  | 2020-03-27 03:08:26,508 DEBG 'neko' stdout output:
    neko_1  | 3:08AM DBG key up KEY_L(76) module=webrtc
    neko_1  |
    neko_1  | 2020-03-27 03:08:27,166 DEBG 'neko' stdout output:
    neko_1  | 3:08AM DBG key down KEY_L(76) module=webrtc
    neko_1  |
    neko_1  | 2020-03-27 03:08:27,243 DEBG 'neko' stdout output:
    neko_1  | 3:08AM DBG key up KEY_L(76) module=webrtc
    neko_1  |
    neko_1  | 2020-03-27 03:08:28,518 DEBG 'neko' stdout output:
    neko_1  | 3:08AM DBG key down KEY_O(79) module=webrtc
    neko_1  |
    neko_1  | 2020-03-27 03:08:28,594 DEBG 'neko' stdout output:
    neko_1  | 3:08AM DBG key up KEY_O(79) module=webrtc

duckinator commented 4 years ago

You can work around this by adding the following to docker-compose.yaml (I put it before the ports: section):

    command: "sed -i 's/neko serve -d --static/neko serve --static/' /etc/neko/supervisord/neko.conf && /usr/bin/supervisord -c /etc/neko/supervisord.conf"

This just removes the -d before running supervisord.
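As an added example (not part of this issue or of the neko project's code), a small Python audit that flags keystroke lines of the kind shown in the server log above and applies the same edit as the sed workaround to a supervisord program section. The sample log lines and the `command=` line are constructed here, since the real neko.conf is not shown on this page.

```python
import re

# Constructed sample in the shape of the supervisord output quoted in the report
# (one key down/up pair plus an unrelated line); not a real capture.
SAMPLE_LOG = """\
neko_1  | 2020-03-27 03:08:24,773 DEBG 'neko' stdout output:
neko_1  | 3:08AM DBG key down KEY_H(72) module=webrtc
neko_1  | 3:08AM DBG key up KEY_H(72) module=webrtc
neko_1  | 3:08AM INF connected module=websocket
"""

# Constructed supervisord program section with the debug flag the sed workaround
# removes; the real /etc/neko/supervisord/neko.conf may look different.
SAMPLE_CONF = "[program:neko]\ncommand=neko serve -d --static /var/www\n"

# One keystroke event as emitted by the webrtc module in debug mode.
KEY_EVENT = re.compile(r"\bDBG key (down|up) (KEY_[A-Z0-9_]+)\((\d+)\) module=webrtc")

# A neko serve command line that still carries the standalone -d flag.
DEBUG_FLAG = re.compile(r"^command=.*\bneko serve\b.*\s-d(?=\s|$)", re.M)


def keystroke_events(log_text):
    """Return (direction, key_name, key_code) for every keystroke line in the log."""
    events = []
    for line in log_text.splitlines():
        m = KEY_EVENT.search(line)
        if m:
            events.append((m.group(1), m.group(2), int(m.group(3))))
    return events


def leaks_keystrokes(log_text):
    """True when the container log contains any keystroke event at all."""
    return bool(keystroke_events(log_text))


def debug_flag_enabled(conf_text):
    """True when the supervisord program section starts neko serve with -d."""
    return DEBUG_FLAG.search(conf_text) is not None


def strip_debug_flag(conf_text):
    """Drop -d from the neko serve command line, as the sed workaround does,
    but without depending on the flag sitting directly after 'serve'."""
    out = []
    for line in conf_text.splitlines():
        if line.startswith("command=") and "neko serve" in line:
            line = re.sub(r"\s-d(?=\s|$)", "", line)
        out.append(line)
    return "\n".join(out) + ("\n" if conf_text.endswith("\n") else "")
```

Run `leaks_keystrokes` over `docker-compose logs neko` output after typing into the address bar to confirm whether a deployment still has the problem, and `debug_flag_enabled` over the supervisord config to confirm the workaround took effect.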

nurdism commented 4 years ago

This is by design; the logs aren't written to any file (unless you want them to be). I might start shipping the image with the debug option off, but I'm not sure as of yet.

duckinator commented 4 years ago

Perhaps you could do something like have it off by default and allow setting the NEKO_DEBUG environment variable to enable debug mode? That may be a thing, not sure; I couldn't disable debug mode using that when poking around, though.