bda5556d37
Remediates the two web-console residuals from the 2026-07-05 posture audit: - Brute-force throttle (loginThrottle.ts): per-IP exponential backoff after 5 free attempts, plus a global floor for spread-out floods, keyed on the socket peer IP (not spoofable X-Forwarded-For) with a size-capped map. The constant-time compare already stopped the timing leak; this bounds guess *volume* against a by-design LAN-exposed console. - Session seal key now derives from the high-entropy mgmt token instead of the low-entropy login password, so a captured cookie is no longer an offline password oracle. Falls back to the password only when no token is configured (dev/local). Rotating the token now invalidates sessions. - Replace the process-wide NODE_TLS_REJECT_UNAUTHORIZED=0 with per-request Bun TLS scoped to the loopback proxy hop; a non-loopback mgmt URL now verifies normally. Dropped the env var from the systemd unit, Steam Deck installer, Windows run scripts, env examples, and web README. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
47 lines
2.6 KiB
Bash
47 lines
2.6 KiB
Bash
# punktfunk web — management console (Nitro server on bun) configuration.
|
|
# Copy to `.env` (gitignored) or set these in the environment of `bun .output/server/index.mjs`.
|
|
# NOTE: on a packaged install (the punktfunk-web .deb) you edit NOTHING — the systemd --user units
|
|
# auto-wire these from the host's ~/.config/punktfunk/{mgmt-token,web-password,cert.pem,key.pem}.
|
|
# See web.env.example.
|
|
|
|
# REQUIRED in production: the shared login password for the console. The built Nitro
|
|
# server fails CLOSED (503 on every request) if this is unset, so a LAN-exposed server
|
|
# never admits anyone by accident.
|
|
PUNKTFUNK_UI_PASSWORD=change-me
|
|
|
|
# Management API the console proxies to. It serves HTTPS (the host's own identity cert) and
|
|
# requires auth (mTLS or the bearer below). Keep this loopback — the login-gated web server is
|
|
# the only path to it.
|
|
PUNKTFUNK_MGMT_URL=https://127.0.0.1:47990
|
|
|
|
# REQUIRED: bearer token for the management API, injected server-side by the /api proxy (never
|
|
# sent to the browser). Must match the host's `--mgmt-token` / PUNKTFUNK_MGMT_TOKEN — otherwise
|
|
# the proxy gets 401.
|
|
PUNKTFUNK_MGMT_TOKEN=
|
|
|
|
# NOTE: NODE_TLS_REJECT_UNAUTHORIZED is intentionally NOT set. The host's self-signed loopback cert
|
|
# is accepted only for the /api proxy's loopback hop — scoped inside the proxy code (Bun per-request
|
|
# TLS: server/routes/api/[...].ts), so it can never silently unverify some other outbound TLS. A
|
|
# NON-loopback PUNKTFUNK_MGMT_URL is verified normally (present a valid chain).
|
|
|
|
# OPTIONAL: explicit cookie-sealing secret (>= 32 chars). If unset, the key is derived from the
|
|
# high-entropy PUNKTFUNK_MGMT_TOKEN (so a captured cookie is NOT an offline password oracle); only if
|
|
# no token is configured (dev/local) does it fall back to deriving from PUNKTFUNK_UI_PASSWORD.
|
|
# Rotating the mgmt token invalidates existing sessions.
|
|
# PUNKTFUNK_UI_SECRET=
|
|
|
|
# TLS: serve the console over HTTPS (HTTP/1.1 over TLS) using the HOST's own identity cert (the cert
|
|
# native clients already pin). Point these at the host's PEM files; BOTH set ⇒ HTTPS. Unset ⇒ plain
|
|
# HTTP (local dev only). (No HTTP/2 or HTTP/3: Bun.serve has no HTTP/2 server, and a browser won't
|
|
# speak HTTP/3/QUIC against this self-signed, no-SAN host cert.)
|
|
PUNKTFUNK_UI_TLS_CERT=/home/you/.config/punktfunk/cert.pem
|
|
PUNKTFUNK_UI_TLS_KEY=/home/you/.config/punktfunk/key.pem
|
|
|
|
# REQUIRED when serving over TLS: mark the session cookie Secure (browsers drop a Secure cookie over
|
|
# plain http://, so it is OFF by default; turn it ON whenever PUNKTFUNK_UI_TLS_* is set).
|
|
PUNKTFUNK_UI_SECURE=1
|
|
|
|
# The Bun server binds these (standard Nitro env):
|
|
# PORT=47992
|
|
# HOST=0.0.0.0
|