create app keys at app creation instead of runtime auto-generation

examples/getstarted/config/middlewares.js

@@ -10,12 +10,7 @@ module.exports = ({ env }) => [
   'strapi::logger',
   'strapi::query',
   'strapi::body',
-  {
-    name: 'strapi::session',
-    config: {
-      secretKeys: env('SESSION_SECRET_KEYS'),
-    },
-  },
+  'strapi::session',
   // 'strapi::compression',
   // 'strapi::ip',
   {

examples/getstarted/config/server.js

@@ -5,8 +5,12 @@ const cronTasks = require('./src/cron-tasks');
 module.exports = ({ env }) => ({
   host: env('HOST', '0.0.0.0'),
   port: env.int('PORT', 1337),
+  url: 'http://localhost:1337',
   cron: {
     enabled: true,
     tasks: cronTasks,
   },
+  app: {
+    keys: env.array('APP_SECRETS', ['toBeModified1', 'toBeModified2']),
+  },
 });

packages/core/strapi/lib/middlewares/session.js

@@ -1,7 +1,6 @@
 'use strict';
 
-const crypto = require('crypto');
-const { defaultsDeep, isEmpty, isString, omit, has } = require('lodash/fp');
+const { defaultsDeep, isEmpty, isArray } = require('lodash/fp');
 const session = require('koa-session');
 
 const defaultConfig = {
@@ -13,34 +12,17 @@ const defaultConfig = {
   signed: true,
   rolling: false,
   renew: false,
-  secure: false,
+  secure: process.env.NODE_ENV === 'production' ? true : false,
   sameSite: null,
 };
 
 module.exports = (userConfig, { strapi }) => {
-  if (isEmpty(strapi.server.app.keys)) {
-    let secretKeys = [];
-
-    if (has('secretKeys', userConfig)) {
-      secretKeys = isString(userConfig.secretKeys)
-        ? userConfig.secretKeys.split(',')
-        : userConfig.secretKeys;
-    } else if (has('SESSION_SECRET_KEYS', process.env)) {
-      secretKeys = process.env.SESSION_SECRET_KEYS.split(',');
-    } else {
-      // auto generate secret keys if they are not provided
-      for (let i = 0; i < 4; i++) {
-        secretKeys.push(crypto.randomBytes(64).toString('hex'));
-      }
-      strapi.fs.appendFile('.env', `SESSION_SECRET_KEYS=${secretKeys.join(',')}\n`);
-      strapi.log.info(
-        'The session middleware automatically generated some secret keys and stored them in your .env file under the name SESSION_SECRET_KEYS.'
-      );
-    }
-
-    strapi.server.app.keys = secretKeys;
+  const keys = strapi.server.app.keys;
+  if (!isArray(keys) || isEmpty(keys) || keys.some(isEmpty)) {
+    throw new Error(`App keys are required. Please set app.keys in config/server.js (ex: keys: ['myKeyA', 'myKeyB'])`);
   }
-  const config = defaultsDeep(defaultConfig, omit('secretKeys', userConfig));
+
+  const config = defaultsDeep(defaultConfig, userConfig);
 
   strapi.server.use(session(config, strapi.server.app));
 };

packages/core/strapi/lib/services/server/index.js

@@ -28,7 +28,10 @@ const healthCheck = async ctx => {
  * @returns {Server}
  */
 const createServer = strapi => {
-  const app = createKoaApp({ proxy: strapi.config.get('server.proxy') });
+  const app = createKoaApp({
+    proxy: strapi.config.get('server.proxy'),
+    keys:  strapi.config.get('server.app.keys'),
+  });
 
   const router = new Router();
 

packages/core/strapi/lib/services/server/koa.js

@@ -53,8 +53,9 @@ const addCustomMethods = app => {
   return app;
 };
 
-const createKoaApp = ({ proxy }) => {
+const createKoaApp = ({ proxy, keys }) => {
   const app = new Koa({ proxy });
+  app.keys = keys;
 
   addCustomMethods(app);
 

packages/generators/app/lib/create-project.js

@@ -17,6 +17,7 @@ const mergeTemplate = require('./utils/merge-template.js');
 const packageJSON = require('./resources/json/package.json');
 const createDatabaseConfig = require('./resources/templates/database.js');
 const createAdminConfig = require('./resources/templates/admin-config.js');
+const createEnvFile = require('./resources/templates/env.js');
 
 module.exports = async function createProject(scope, { client, connection, dependencies }) {
   console.log(`Creating a new Strapi application at ${chalk.green(scope.rootPath)}.`);
@@ -30,6 +31,7 @@ module.exports = async function createProject(scope, { client, connection, depen
     await fse.copy(join(resources, 'files'), rootPath);
 
     // copy dot files
+    await fse.writeFile(join(rootPath, '.env'), createEnvFile());
     const dotFiles = await fse.readdir(join(resources, 'dot-files'));
     await Promise.all(
       dotFiles.map(name => {

packages/generators/app/lib/resources/dot-files/env.example

@@ -1,2 +0,0 @@
-HOST=0.0.0.0
-PORT=1337

packages/generators/app/lib/resources/files/config/server.js

@@ -1,4 +1,8 @@
 module.exports = ({ env }) => ({
   host: env('HOST', '0.0.0.0'),
   port: env.int('PORT', 1337),
+  url: env('URL', 'http://localhost:1337'),
+  app: {
+    keys: env.array('APP_SECRETS'),
+  },
 });

packages/generators/app/lib/resources/templates/env.js

@@ -0,0 +1,16 @@
+'use strict';
+
+const crypto = require('crypto');
+
+const fs = require('fs');
+const path = require('path');
+const _ = require('lodash');
+
+module.exports = () => {
+  const tmpl = fs.readFileSync(path.join(__dirname, 'env.template'));
+  const compile = _.template(tmpl);
+
+  return compile({
+    appSecrets: new Array(4).fill().map(() => crypto.randomBytes(16).toString('base64')).join(','),
+  });
+};

packages/generators/app/lib/resources/templates/env.template

@@ -0,0 +1,4 @@
+HOST=0.0.0.0
+PORT=1337
+URL=http://localhost:1337
+APP_SECRETS=<%= appSecrets %>