From 57737e8cd48011a7bddd7ca81fbc462ac8a31fb5 Mon Sep 17 00:00:00 2001
From: "eapl.mx"
Date: Tue, 24 Dec 2024 14:35:52 -0600
Subject: [PATCH] feat(session): add validation for minimum length in secret_key

---
 libs/persistent_session.php | 6 +++++-
 private/config_template.ini | 6 +++---
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/libs/persistent_session.php b/libs/persistent_session.php
index 03e3b3d..7224923 100644
--- a/libs/persistent_session.php
+++ b/libs/persistent_session.php
@@ -9,6 +9,10 @@ if (!empty($missing_keys)) {
     die('Missing required keys in config.ini: ' . implode(', ', $missing_keys));
 }
 
+if (strlen($config['secret_key']) < 32) {
+    die('Secret key in config.ini must be at least 32 characters long');
+}
+
 const COOKIE_NAME = 'timeline_login';
 const ENCRYPTION_METHOD = 'aes-256-cbc';
 const EXPIRATION_DAYS = 30;
@@ -113,7 +117,7 @@ function saveLogin() {
 
 function isSavedCookieValid() {
     $cookieExpiry = getCookieData();
-    
+
     if ($cookieExpiry === false) {
         deletePersistentCookie();
         return false;
diff --git a/private/config_template.ini b/private/config_template.ini
index cfef942..22ca1ea 100644
--- a/private/config_template.ini
+++ b/private/config_template.ini
@@ -42,9 +42,9 @@ webmentions_txt_path = "./mentions.txt"
 public_webmentions = "https://example.com/timeline/mentions.txt"
 
 [security]
-; Secret key to encrypt cookies
-; Create a new one here: https://randomkeygen.com
-secret_key = "553GkZzIYZKx5z0lftt4yKDG4aKb4sAG"
+; Secret key to encrypt cookies of at least 256-bit (32 characters)
+; Create one here: https://randomkeygen.com (CodeIgniter Encryption Keys)
+secret_key = ""
 ; Simple password
 password = "change_me"
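Review bot: The new guard in the first hunk of libs/persistent_session.php checks only length, so a 32-byte key of poor randomness (repeated characters, a phrase) passes; that is an acceptable floor, but the choice of `strlen` should be recorded, because the key is presumably consumed as raw bytes by the `aes-256-cbc` cipher named in the context lines and a later "fix" to `mb_strlen` would change what is being measured. Suggest `// Byte length on purpose: the key is used as raw key material, so 32 bytes is the floor (not mb_strlen).` above the `if`. Separately, `die()` here writes the message into a 200 response body on a web request; calling `http_response_code(500);` before it keeps the failure visible to monitoring rather than to visitors. The check sits after the missing-keys check, so `$config['secret_key']` is guaranteed to exist, which is the right ordering.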
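Review bot: The comment added in private/config_template.ini equates "32 characters" with "256-bit", which only holds for 32 uniformly random bytes; the example key that was removed, `553GkZzIYZKx5z0lftt4yKDG4aKb4sAG`, is 32 alphanumeric characters, i.e. roughly 190 bits, and the linked generator appears to produce the same kind of string. Suggest `; Secret key to encrypt cookies: at least 32 random characters (the code requires 32 bytes)` so operators are not told the key is stronger than it is. The literal key that this hunk removes remains in git history and is now public, so any installation that copied the template unchanged is running on a known key and should rotate it; a line in the release notes would help.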