lukas.pupkalipinski/BanGUI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
8138857ee1111ce21fdaf66ce522f7b2539c0ae8
BanGUI/.env.example
Lukas 8138857ee1 feat: Implement session secret rotation support 
Adds support for gradual session secret rotation without forcing logout:

- Add BANGUI_SESSION_SECRET_PREVIOUS config field for rotation window
- Implement unwrap_session_token_with_rotation() to accept tokens signed with
  either current or previous secret
- Update validate_session() to transparently accept old tokens during rotation
- Update logout() to accept tokens from both secrets
- Add comprehensive logging for rotation events and metrics
- Add 8 new tests covering all rotation scenarios
- Update documentation with step-by-step rotation strategy
- Update .env.example with previous secret field

Key features:
- No forced logout: old tokens continue working during rotation window
- Transparent validation: old tokens are automatically logged for monitoring
- Production-safe: can rotate secrets without service interruption
- Metrics-ready: logs track token rotation for observability

Rotation workflow:
1. Generate new secret and set BANGUI_SESSION_SECRET
2. Set BANGUI_SESSION_SECRET_PREVIOUS to old secret
3. Wait for old tokens to expire (≥ session_duration_minutes)
4. Unset BANGUI_SESSION_SECRET_PREVIOUS to complete rotation

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-05-01 18:01:11 +02:00

51 lines
2.4 KiB
Plaintext
Raw Blame History

# ──────────────────────────────────────────────────────────────
# BanGUI — Environment Variables Template
# Copy this file to .env and fill in the values below
# ──────────────────────────────────────────────────────────────
# Session Secret (REQUIRED)
# Generate a secure random secret for session tokens.
# WARNING: Do not use the same secret across different environments.
# Generate with: python -c 'import secrets; print(secrets.token_hex(32))'
# Example value: a1b2c3d4e5f6g7h8i9j0k1l2m3n4o5p6
BANGUI_SESSION_SECRET=
# Previous Session Secret (optional)
# Used during secret rotation to accept tokens signed with the old secret.
# Set this to the previous secret when rotating secrets, then unset it once
# all old tokens have expired. This enables gradual rotation without forcing logout.
# Leave empty unless performing a rotation.
BANGUI_SESSION_SECRET_PREVIOUS=
# Timezone (optional, defaults to UTC)
# Use standard timezone names from the IANA Time Zone Database
# Examples: America/New_York, Europe/London, Asia/Tokyo, UTC
BANGUI_TIMEZONE=UTC
# Backend port (optional, defaults to 8000)
# When using docker-compose, this is the port on your host machine
BANGUI_BACKEND_PORT=8000
# Frontend port (optional, defaults to 5173)
# When using docker-compose, this is the port on your host machine
BANGUI_FRONTEND_PORT=5173
# Public port (optional, defaults to 8080)
# When using production compose, this is the public-facing port
BANGUI_PORT=8080
# IP Geolocation (optional)
# Path to MaxMind GeoLite2-Country MMDB database file (primary resolver).
# Download from: https://www.maxmind.com/en/geolite2/signup
# If not set, geolocation is disabled (or falls back to HTTP if enabled below).
# Example: /data/GeoLite2-Country.mmdb
BANGUI_GEOIP_DB_PATH=
# IP Geolocation HTTP Fallback (optional, defaults to false)
# ⚠️ SECURITY WARNING: Only enable if you cannot mount the MaxMind database.
# When enabled, unresolved IP addresses are sent unencrypted to ip-api.com.
# This is a privacy and GDPR/CCPA concern. Do NOT enable in production unless necessary.
# Set to "true" to enable (default is "false" for security).
BANGUI_GEOIP_ALLOW_HTTP_FALLBACK=false
Reference in New Issue View Git Blame Copy Permalink