don't print provided bootstrap token; generate cookie secret

Signed-off-by: Grant Linville <[email protected]>
obot-platform · Jan 17, 2025 · 17e202c · 17e202c
1 parent 05e71cd
commit 17e202c
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 4 deletions.
diff --git a/pkg/api/handlers/authprovider.go b/pkg/api/handlers/authprovider.go
@@ -1,7 +1,10 @@
 package handlers
 
 import (
+	"crypto/rand"
+	"encoding/base64"
 	"fmt"
+	"slices"
 	"strings"
 
 	"github.com/gptscript-ai/go-gptscript"
@@ -13,6 +16,8 @@ import (
 	kclient "sigs.k8s.io/controller-runtime/pkg/client"
 )
 
+const cookieSecretEnvVar = "OBOT_AUTH_PROVIDER_COOKIE_SECRET"
+
 type AuthProviderHandler struct {
 	gptscript  *gptscript.GPTScript
 	dispatcher *dispatcher.Dispatcher
@@ -107,6 +112,12 @@ func (ap *AuthProviderHandler) Configure(req api.Context) error {
 		return err
 	}
 
+	cookieSecret, err := generateCookieSecret()
+	if err != nil {
+		return err
+	}
+	envVars[cookieSecretEnvVar] = cookieSecret
+
 	// Allow for updating credentials. The only way to update a credential is to delete the existing one and recreate it.
 	if err := ap.gptscript.DeleteCredential(req.Context(), string(ref.UID), ref.Name); err != nil && !strings.HasSuffix(err.Error(), "credential not found") {
 		return fmt.Errorf("failed to update credential: %w", err)
@@ -191,6 +202,12 @@ func convertAuthProviderToolRef(toolRef v1.ToolReference, cred map[string]string
 	if toolRef.Status.Tool != nil {
 		if toolRef.Status.Tool.Metadata["envVars"] != "" {
 			requiredEnvVars = strings.Split(toolRef.Status.Tool.Metadata["envVars"], ",")
+
+			// Remove the cookie secret environment variable if it's there.
+			idx := slices.Index(requiredEnvVars, cookieSecretEnvVar)
+			if idx != -1 {
+				requiredEnvVars = append(requiredEnvVars[:idx], requiredEnvVars[idx+1:]...)
+			}
 		}
 
 		for _, envVar := range requiredEnvVars {
@@ -214,3 +231,15 @@ func convertAuthProviderToolRef(toolRef v1.ToolReference, cred map[string]string
 		OptionalConfigurationParameters: optionalEnvVars,
 	}
 }
+
+func generateCookieSecret() (string, error) {
+	const length = 32
+
+	var bytes = make([]byte, length)
+	_, err := rand.Read(bytes)
+	if err != nil {
+		return "", fmt.Errorf("failed to generate random token: %w", err)
+	}
+
+	return base64.StdEncoding.EncodeToString(bytes), nil
+}
diff --git a/pkg/bootstrap/bootstrap.go b/pkg/bootstrap/bootstrap.go
@@ -34,9 +34,10 @@ func New(serverURL string, c *client.Client) (*Bootstrap, error) {
 		}
 
 		token = fmt.Sprintf("%x", bytes)
-	}
 
-	fmt.Printf("Bootstrap token: %s\n", token)
+		// We deliberately only print the token if it was not provided by the user.
+		fmt.Printf("Bootstrap token: %s\n", token)
+	}
 
 	return &Bootstrap{
 		token:         token,

diff --git a/ui/admin/app/components/auth-and-model-providers/Bootstrap.tsx b/ui/admin/app/components/auth-and-model-providers/Bootstrap.tsx
@@ -44,7 +44,6 @@ export function Bootstrap({ className }: BootstrapProps) {
 			className={cn("flex flex-col space-y-4", className)}
 		>
 			<h4>Enter Bootstrap Token</h4>
-			<p>The token can be found in the server logs.</p>
 			<input
 				type="password"
 				value={token}

diff --git a/ui/admin/app/components/auth-and-model-providers/constants.ts b/ui/admin/app/components/auth-and-model-providers/constants.ts
@@ -179,7 +179,6 @@ export const AuthProviderOptionalTooltips: {
 export const AuthProviderSensitiveFields: Record<string, boolean | undefined> =
 	{
 		// All
-		OBOT_AUTH_PROVIDER_COOKIE_SECRET: true,
 		OBOT_AUTH_PROVIDER_EMAIL_DOMAINS: false,
 
 		// Google