Kyle Isom
1121b7d4fd
- Fix Bearer token extraction to validate prefix (PEN-01) - Add TestExtractBearerFromRequest covering PEN-01 edge cases - Fix flaky TestRenewToken timing (2s → 4s lifetime) - Move default config/install paths to /srv/mcias - Add RUNBOOK.md for operational procedures - Update AUDIT.md with penetration test round 4 Security: extractBearerFromRequest now uses case-insensitive prefix validation instead of fixed-offset slicing, rejecting non-Bearer Authorization schemes that were previously accepted. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
18 lines
846 B
Plaintext
18 lines
846 B
Plaintext
# /srv/mcias/env — Environment file for mciassrv (systemd EnvironmentFile).
|
|
#
|
|
# This file is loaded by the mcias.service unit before the server starts.
|
|
# It must be readable only by root and the mcias service account:
|
|
#
|
|
# chmod 0640 /srv/mcias/env
|
|
# chown root:mcias /srv/mcias/env
|
|
#
|
|
# SECURITY: This file contains the master key passphrase. Treat it with
|
|
# the same care as a private key. Do not commit it to version control.
|
|
# Back it up to a secure offline location — losing this passphrase means
|
|
# losing access to all encrypted data in the database.
|
|
|
|
# Master key passphrase. Used to derive the AES-256 master key via Argon2id.
|
|
# Choose a long, random passphrase (e.g., generated by `openssl rand -base64 32`).
|
|
# This must match the passphrase_env setting in mcias.conf.
|
|
MCIAS_MASTER_PASSPHRASE=change-me-to-a-long-random-passphrase
|