Cloudron makes it easy to run web apps like WordPress, Nextcloud, GitLab on your server. Find out more or install now.


    Cloudron Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular

    Solved Monica key and salt

    Monica
    monica
    3
    3
    647
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • U
      uiharu last edited by girish

      In /app/data/env
      HASH_SALT is ChangeMeBy20+KeyLength

      Is this of any security concern?

      Also, on a Monica instance upgraded from earlier versions, the APP_KEY also appeared to be an unchanged default. I've since reinstalled the app.

      Thanks 🙂

      1 Reply Last reply Reply Quote 0
      • nebulon
        nebulon Staff last edited by

        The HASH_SALT does look a bit concerning, have to look into this.
        The APP_KEY is now generated on first startup and thus unique to your installation. If you want to recreate it, you have to run php artisan db:seed --class ActivityTypesTableSeeder --force from within a terminal into the app (You can get this through the Cloudron dashbaord) However I don't think this is required, given that it is unique to your instance already.

        1 Reply Last reply Reply Quote 1
        • girish
          girish Staff last edited by

          https://github.com/monicahq/monica/issues/381 is the security concern.

          Using the ID can allow people to get a very good sense of how many users are on the system and the amount of contacts. It also is information leakage because I know all the URLs for every contact.

I think using a hashid based on the contact id, the user creating it and maybe another factor would work great.
          1 Reply Last reply Reply Quote 0
          • First post
            Last post
          Powered by NodeBB