mirror of
https://gitlab.archlinux.org/archlinux/infrastructure.git
synced 2024-05-08 06:16:07 +02:00
hedgedoc: Move the client secret to the config file for security
The systemd environment variables can be read by anyone, so move the secret to the configuration file, which can only be read by root and the hedgedoc user. Fix #562
parent
036555ad72
commit
cf20697629
|
@ -35,6 +35,9 @@
|
|||
"host": "localhost",
|
||||
"port": "5432"
|
||||
},
|
||||
"linkifyHeaderStyle": "gfm"
|
||||
"linkifyHeaderStyle": "gfm",
|
||||
"oauth2": {
|
||||
"clientSecret": "{{ vault_hedgedoc_client_secret }}"
|
||||
}
|
||||
}
|
||||
}
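Review bot: The secret is interpolated raw inside a JSON string at `"clientSecret": "{{ vault_hedgedoc_client_secret }}"`, so a value containing `"` or `\` would produce invalid or silently altered JSON; letting Ansible do the quoting, `"clientSecret": {{ vault_hedgedoc_client_secret | to_json }}`, avoids that. The commit message relies on this file being readable only by root and the hedgedoc user, but the task that deploys the template (owner, group, mode) is not part of this diff, so it is worth confirming that it sets a restrictive mode and uses `no_log: true` so the rendered secret does not show up in `--diff` output. Because the previous value was exposed through the unit's environment, the client secret should presumably also be rotated at the identity provider once this change is deployed.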
|
||||
|
|
|
@ -6,7 +6,6 @@ Environment=CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
|
|||
Environment=CMD_OAUTH2_TOKEN_URL=https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/token
|
||||
Environment=CMD_OAUTH2_AUTHORIZATION_URL=https://accounts.archlinux.org/realms/archlinux/protocol/openid-connect/auth
|
||||
Environment=CMD_OAUTH2_CLIENT_ID=openid_hedgedoc
|
||||
Environment=CMD_OAUTH2_CLIENT_SECRET={{ vault_hedgedoc_client_secret }}
|
||||
Environment=CMD_OAUTH2_SCOPE="openid email profile roles"
|
||||
Environment=CMD_OAUTH2_ROLES_CLAIM=roles
|
||||
Environment=CMD_OAUTH2_ACCESS_ROLE=Staff
|
||||
|
|