Monica key and salt



  • In /app/data/env
    HASH_SALT is ChangeMeBy20+KeyLength

    Is this of any security concern?

    Also, on a Monica instance upgraded from earlier versions, the APP_KEY also appeared to be an unchanged default. I've since reinstalled the app.

    Thanks :)



  • The HASH_SALT does look a bit concerning; I'll have to look into this.
    The APP_KEY is now generated on first startup and is thus unique to your installation. If you want to recreate it, you have to run php artisan db:seed --class ActivityTypesTableSeeder --force from within a terminal into the app (you can get this through the Cloudron dashboard). However, I don't think this is required, given that it is unique to your instance already.



  • https://github.com/monicahq/monica/issues/381 is the security concern.

    Using the ID can allow people to get a very good sense of how many users are on the system and the amount of contacts. It also is information leakage because I know all the URLs for every contact.
    
    I think using a hashid based on the contact id, the user creating it and maybe another factor would work great.
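The thread above hinges on two settings in /app/data/env: a HASH_SALT left at the shipped placeholder (which makes the hashids that hide contact IDs predictable) and an APP_KEY that may still be a default. The following audit is an added example, not code from the thread or from Monica; the env content is constructed, and the 20-character minimum is taken from the placeholder's own hint.

```python
import re
import secrets

# Placeholder shipped in Monica's .env.example, as quoted in the thread.
DEFAULT_HASH_SALT = "ChangeMeBy20+KeyLength"
# The placeholder's own hint: at least 20 characters.
MIN_SALT_LEN = 20

# Constructed sample of an /app/data/env file (not from a real instance).
SAMPLE_ENV = """APP_ENV=production
APP_KEY=
HASH_SALT=ChangeMeBy20+KeyLength
HASH_LENGTH=18
"""


def parse_env(text):
    """Return {KEY: value} for KEY=value lines; blanks and comments are skipped."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def audit_env(text):
    """Return human-readable findings about placeholder or weak secrets."""
    env = parse_env(text)
    findings = []
    salt = env.get("HASH_SALT", "")
    if salt == DEFAULT_HASH_SALT:
        findings.append("HASH_SALT is the shipped default; hashids are predictable")
    elif len(salt) < MIN_SALT_LEN:
        findings.append(f"HASH_SALT is only {len(salt)} chars; want at least {MIN_SALT_LEN}")
    # An empty APP_KEY is the .env.example default (Laravel); it must be generated.
    if not env.get("APP_KEY"):
        findings.append("APP_KEY is empty or missing; generate a per-instance key")
    return findings


def rotate_salt(text, nbytes=32):
    """Return env text with HASH_SALT replaced by a fresh random value."""
    new_salt = secrets.token_urlsafe(nbytes)  # 43 URL-safe chars for 32 bytes
    pattern = re.compile(r"^HASH_SALT=.*$", re.MULTILINE)
    if pattern.search(text):
        return pattern.sub(lambda _m: f"HASH_SALT={new_salt}", text)
    return text.rstrip("\n") + f"\nHASH_SALT={new_salt}\n"
```

Rotating HASH_SALT changes every hashid the instance has already produced, so previously shared contact URLs stop resolving after the change.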