feat: enhance JWT_SECRET handling with auto-generation and persistence

Dockerfile

@@ -2,7 +2,7 @@
 
 FROM oven/bun:1.2.9-alpine AS base
 WORKDIR /app
-RUN apk add --no-cache libc6-compat python3 make g++ gcc wget sqlite
+RUN apk add --no-cache libc6-compat python3 make g++ gcc wget sqlite openssl
 
 # ----------------------------
 FROM base AS deps

README.md

@@ -233,8 +233,10 @@ The Docker container can be configured with the following environment variables:
 - `DATABASE_URL`: SQLite database URL (default: `file:data/gitea-mirror.db`)
 - `HOST`: Host to bind to (default: `0.0.0.0`)
 - `PORT`: Port to listen on (default: `4321`)
-- `JWT_SECRET`: Secret key for JWT token generation (important for security)
+- `JWT_SECRET`: Secret key for JWT token generation (auto-generated if not provided)
 
+> [!TIP]
+> For security, Gitea Mirror will automatically generate a secure random JWT secret on first run if one isn't provided or if the default value is used. This generated secret is stored in the data directory for persistence across container restarts.
 
 #### Manual Installation
 

docker-entrypoint.sh

@@ -5,6 +5,31 @@ set -e
 # Ensure data directory exists
 mkdir -p /app/data
 
+# Generate a secure JWT secret if one isn't provided or is using the default value
+JWT_SECRET_FILE="/app/data/.jwt_secret"
+if [ "$JWT_SECRET" = "your-secret-key-change-this-in-production" ] || [ -z "$JWT_SECRET" ]; then
+  # Check if we have a previously generated secret
+  if [ -f "$JWT_SECRET_FILE" ]; then
+    echo "Using previously generated JWT secret"
+    export JWT_SECRET=$(cat "$JWT_SECRET_FILE")
+  else
+    echo "Generating a secure random JWT secret"
+    # Try to generate a secure random string using OpenSSL
+    if command -v openssl >/dev/null 2>&1; then
+      GENERATED_SECRET=$(openssl rand -hex 32)
+    else
+      # Fallback to using /dev/urandom if openssl is not available
+      echo "OpenSSL not found, using fallback method for random generation"
+      GENERATED_SECRET=$(head -c 32 /dev/urandom | sha256sum | cut -d' ' -f1)
+    fi
+    export JWT_SECRET="$GENERATED_SECRET"
+    # Save the secret to a file for persistence across container restarts
+    echo "$GENERATED_SECRET" > "$JWT_SECRET_FILE"
+    chmod 600 "$JWT_SECRET_FILE"
+  fi
+  echo "JWT_SECRET has been set to a secure random value"
+fi
+
 # Skip dependency installation entirely for pre-built images
 # Dependencies are already installed during the Docker build process
 

src/content/docs/configuration.md

@@ -25,13 +25,15 @@ The following environment variables can be used to configure Gitea Mirror:
 |----------|-------------|---------------|---------|
 | `NODE_ENV` | Runtime environment (development, production, test) | `development` | `production` |
 | `DATABASE_URL` | SQLite database URL | `file:data/gitea-mirror.db` | `file:path/to/your/database.db` |
-| `JWT_SECRET` | Secret key for JWT authentication | `your-secret-key-change-this-in-production` | `your-secure-random-string` |
+| `JWT_SECRET` | Secret key for JWT authentication | Auto-generated secure random string | `your-secure-random-string` |
 | `HOST` | Server host | `localhost` | `0.0.0.0` |
 | `PORT` | Server port | `4321` | `8080` |
 
 ### Important Security Note
 
-In production environments, you should always set a strong, unique `JWT_SECRET` to ensure secure authentication.
+The application will automatically generate a secure random `JWT_SECRET` on first run if one isn't provided or if the default value is used. This generated secret is stored in the data directory for persistence across container restarts.
+
+While this auto-generation feature provides good security by default, you can still explicitly set your own `JWT_SECRET` for complete control over your deployment.
 
 ## Web UI Configuration