Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


Skip to content
  • Categories
  • Recent
  • Tags
  • Popular
  • Bookmarks
Skins
  • Light
  • Cerulean
  • Cosmo
  • Flatly
  • Journal
  • Litera
  • Lumen
  • Lux
  • Materia
  • Minty
  • Morph
  • Pulse
  • Sandstone
  • Simplex
  • Sketchy
  • Spacelab
  • United
  • Yeti
  • Zephyr
  • Dark
  • Cyborg
  • Darkly
  • Quartz
  • Slate
  • Solar
  • Superhero
  • Vapor
  • Default (No Skin)
  • No Skin
Collapse
Brand Logo

Cloudron Forum
Apps | Demo | Docs | Install
  1. Cloudron Forum
  2. Monica
  3. Monica key and salt

Monica key and salt

Scheduled Pinned Locked Moved Solved Monica
monica
3 Posts 3 Posters 995 Views
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • U Offline
    U Offline
    uiharu
    wrote on last edited by girish
    #1

    In /app/data/env
    HASH_SALT is ChangeMeBy20+KeyLength

    Is this of any security concern?

    Also, on a Monica instance upgraded from earlier versions, the APP_KEY also appeared to be an unchanged default. I've since reinstalled the app.

    Thanks 🙂

    1 Reply Last reply
    0
    • nebulonN Offline
      nebulonN Offline
      nebulon Staff
      wrote on last edited by
      #2

      The HASH_SALT does look a bit concerning, have to look into this.
      The APP_KEY is now generated on first startup and thus unique to your installation. If you want to recreate it, you have to run php artisan db:seed --class ActivityTypesTableSeeder --force from within a terminal into the app (You can get this through the Cloudron dashbaord) However I don't think this is required, given that it is unique to your instance already.

      1 Reply Last reply
      1
      • girishG Offline
        girishG Offline
        girish Staff
        wrote on last edited by
        #3

        https://github.com/monicahq/monica/issues/381 is the security concern.

        Using the ID can allow people to get a very good sense of how many users are on the system and the amount of contacts. It also is information leakage because I know all the URLs for every contact.

I think using a hashid based on the contact id, the user creating it and maybe another factor would work great.
        1 Reply Last reply
        0

        • Login
        • Don't have an account? Register
        • Login or register to search.
        • First post
          Last post
        0
        • Categories
        • Recent
        • Tags
        • Popular
        • Bookmarks