Refactor encryption key handling: auto-generate if not provided, update README and tests

2025-11-07 00:14:25 +00:00 · 2025-10-11 21:18:24 +02:00
parent d40321685e
commit 62605b3689
6 changed files with 170 additions and 32 deletions
--- a/server/internal/app/config.go
+++ b/server/internal/app/config.go
@@ -51,9 +51,11 @@ func (c *Config) validate() error {
 		return fmt.Errorf("LEMMA_ADMIN_EMAIL and LEMMA_ADMIN_PASSWORD must be set")
 	}

-	// Validate encryption key
-	if err := secrets.ValidateKey(c.EncryptionKey); err != nil {
-		return fmt.Errorf("invalid LEMMA_ENCRYPTION_KEY: %w", err)
+	// Validate encryption key if provided (if not provided, it will be auto-generated)
+	if c.EncryptionKey != "" {
+		if err := secrets.ValidateKey(c.EncryptionKey); err != nil {
+			return fmt.Errorf("invalid LEMMA_ENCRYPTION_KEY: %w", err)
+		}
 	}

 	return nil
--- a/server/internal/app/config_test.go
+++ b/server/internal/app/config_test.go
@@ -179,15 +179,6 @@ func TestLoad(t *testing.T) {
 				},
 				expectedError: "LEMMA_ADMIN_EMAIL and LEMMA_ADMIN_PASSWORD must be set",
 			},
-			{
-				name: "missing encryption key",
-				setupEnv: func(t *testing.T) {
-					cleanup()
-					setEnv(t, "LEMMA_ADMIN_EMAIL", "admin@example.com")
-					setEnv(t, "LEMMA_ADMIN_PASSWORD", "password123")
-				},
-				expectedError: "invalid LEMMA_ENCRYPTION_KEY: encryption key is required",
-			},
 			{
 				name: "invalid encryption key",
 				setupEnv: func(t *testing.T) {
--- a/server/internal/app/init.go
+++ b/server/internal/app/init.go
@@ -19,7 +19,22 @@ import (
 // initSecretsService initializes the secrets service
 func initSecretsService(cfg *Config) (secrets.Service, error) {
 	logging.Debug("initializing secrets service")
-	secretsService, err := secrets.NewService(cfg.EncryptionKey)
+
+	// Get or generate encryption key
+	encryptionKey := cfg.EncryptionKey
+	if encryptionKey == "" {
+		logging.Debug("no encryption key provided, loading/generating from file")
+
+		// Load or generate key from file
+		secretsDir := cfg.WorkDir + "/secrets"
+		var err error
+		encryptionKey, err = secrets.EnsureEncryptionKey(secretsDir)
+		if err != nil {
+			return nil, fmt.Errorf("failed to ensure encryption key: %w", err)
+		}
+	}
+
+	secretsService, err := secrets.NewService(encryptionKey)
 	if err != nil {
 		return nil, fmt.Errorf("failed to initialize secrets service: %w", err)
 	}