commit ab49325580f82fd698b4d0503625fa1bbb7f1652
from: Omar Polo
date: Sun Jun 08 21:07:46 2025 UTC
actually generate a random token and send it to the subprocesses
commit - 9588300b2310754aad4bb34786bb9b0351f459f5
commit + ab49325580f82fd698b4d0503625fa1bbb7f1652
blob - 2c9b4c7b9ec28cf3ae4da688e73c2b199a61c175
blob + 73844c2b82bfd4dffc4278ec535019ca2e956b96
--- gotwebd/auth.c
+++ gotwebd/auth.c
@@ -51,16 +51,8 @@ struct gotwebd_auth_client {
 
 static volatile int client_cnt;
 static int inflight;
-static char token_secret[32];
+char auth_token_secret[32];
 
-#if 0
-int
-auth_init(void)
-{
- arc4random_buf(token_secret);
-}
-#endif
-
 /*
 * The token format is:
 *
@@ -111,8 +103,8 @@ auth_check_token(const char *token)
 return -1;
 }
 
- if (HMAC(EVP_sha256(), token_secret, sizeof(token_secret), data,
- len - 32, exp, NULL) == NULL) {
+ if (HMAC(EVP_sha256(), auth_token_secret, sizeof(auth_token_secret),
+ data, len - 32, exp, NULL) == NULL) {
 free(data);
 return -1;
 }
@@ -184,8 +176,8 @@ auth_gen_token(uint64_t uid, const char *hostname)
 return NULL;
 }
 
- if (HMAC(EVP_sha256(), token_secret, sizeof(token_secret), tok, siz,
- hmac, &hmaclen) == NULL) {
+ if (HMAC(EVP_sha256(), auth_token_secret, sizeof(auth_token_secret),
+ tok, siz, hmac, &hmaclen) == NULL) {
 free(tok);
 return NULL;
 }
@@ -626,6 +618,16 @@ auth_dispatch_main(int fd, short event, void *arg)
 break;
 case GOTWEBD_IMSG_CTL_START:
 auth_launch(env);
+ break;
+ case GOTWEBD_IMSG_AUTH_SECRET:
+ if (imsg_get_data(&imsg, auth_token_secret,
+ sizeof(auth_token_secret)) == -1)
+ fatalx("%s: invalid AUTH_SECRET msg", __func__);
+ fprintf(stderr, "auth: code: ");
+ for (int i = 0; i < 16; i++)
+ fprintf(stderr, "%x",
+ ((uint16_t *)auth_token_secret)[i]);
+ fprintf(stderr, "\n");
 break;
 default:
 fatalx("%s: unknown imsg type %d", __func__,
blob - db9f586dae8ab239b36bb87983f3f6345f44b4c0
blob + 0382f7e6be608750be2c3e0ee02f50daa24bc381
--- gotwebd/gotweb.c
+++ gotwebd/gotweb.c
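Review bot: With `token_secret` replaced by the plain global `char auth_token_secret[32];` in the first hunk, the key is all zero bytes from process start until the GOTWEBD_IMSG_AUTH_SECRET message has been processed, and nothing in this file records whether that has happened yet. If a client request can reach auth_check_token or auth_gen_token before that imsg arrives (the hunks do not show the ordering relative to CTL_START, so this is an inference), both would compute HMACs under a known zero key. A small guard closes that window: a file-scope `static int auth_secret_set;` assigned in the AUTH_SECRET case and checked at the top of both HMAC callers, returning -1/NULL while it is clear. A one-line comment on the definition saying the bytes are supplied by the parent over imsg, not generated here, would also explain why the old `#if 0` auth_init went away.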
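Review bot: The GOTWEBD_IMSG_AUTH_SECRET case in auth_dispatch_main writes the freshly installed HMAC key to stderr (`fprintf(stderr, "auth: code: ");` and the `for (int i = 0; i < 16; i++)` loop that follows), so anyone able to read the daemon's stderr or whatever it is redirected to can mint tokens that auth_check_token will accept; the gotweb_dispatch_main hunk in gotwebd/gotweb.c has the identical print with the "gotwebd: code: " prefix. Those five lines look like leftover debugging and should be removed before this lands, leaving only the imsg_get_data check and `break;`; if a trace is wanted, log that the secret was received, never its bytes. The `((uint16_t *)auth_token_secret)[i]` access also reads a char array through a wider type, an aliasing and alignment concern in its own right, although 16 two-byte reads do stay within the 32-byte array; dropping the print removes that too. auth_dispatch_main begins and ends outside the hunk.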
@@ -1677,6 +1677,16 @@ gotweb_dispatch_main(int fd, short event, void *arg)
 break;
 case GOTWEBD_IMSG_CTL_START:
 gotweb_launch(env);
+ break;
+ case GOTWEBD_IMSG_AUTH_SECRET:
+ if (imsg_get_data(&imsg, auth_token_secret,
+ sizeof(auth_token_secret)) == -1)
+ fatalx("%s: invalid AUTH_SECRET msg", __func__);
+ fprintf(stderr, "gotwebd: code: ");
+ for (int i = 0; i < 16; i++)
+ fprintf(stderr, "%x",
+ ((uint16_t *)auth_token_secret)[i]);
+ fprintf(stderr, "\n");
 break;
 default:
 fatalx("%s: unknown imsg type %d", __func__,
blob - d5aac58e76bff711acb2cff1d174502b13a6f039
blob + a11ae6f06bb79acc24e4927dce18a16c90269601
--- gotwebd/gotwebd.c
+++ gotwebd/gotwebd.c
@@ -668,6 +668,8 @@ gotwebd_configure(struct gotwebd *env, uid_t uid, gid_
 /* gotweb need to reload its config. */
 env->servers_pending = env->prefork_gotwebd;
 env->gotweb_pending = env->prefork_gotwebd;
+
+ arc4random_buf(auth_token_secret, sizeof(auth_token_secret));
 
 /* send our gotweb servers */
 TAILQ_FOREACH(srv, &env->servers, entry) {
@@ -677,6 +679,10 @@ gotwebd_configure(struct gotwebd *env, uid_t uid, gid_
 if (main_compose_gotweb(env, GOTWEBD_IMSG_CFG_SRV, -1,
 srv, sizeof(*srv)) == -1)
 fatal("main_compose_gotweb GOTWEBD_IMSG_CFG_SRV");
+
+ if (main_compose_gotweb(env, GOTWEBD_IMSG_AUTH_SECRET, -1,
+ auth_token_secret, sizeof(auth_token_secret)) == -1)
+ fatal("main_compose_gotweb GOTWEB_IMSG_AUTH_SECRET");
 }
 
 /* send our sockets */
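Review bot: In the second gotwebd.c hunk the new main_compose_gotweb(GOTWEBD_IMSG_AUTH_SECRET, ...) call sits inside `TAILQ_FOREACH(srv, &env->servers, entry)`, so the same 32 key bytes are resent to the gotweb processes once per configured server; it does not depend on `srv` and, assuming main_compose_gotweb fans out to every gotweb process regardless of the server entry, belongs after the loop next to the socket handling. The failure message `fatal("main_compose_gotweb GOTWEB_IMSG_AUTH_SECRET");` also names a constant that does not exist; the enum value added in gotwebd.h is `GOTWEBD_IMSG_AUTH_SECRET`. On the first hunk, `arc4random_buf(auth_token_secret, sizeof(auth_token_secret));` runs inside gotwebd_configure, and the surrounding comment about reloading config suggests this function may run again on reconfigure; if so, every reload rotates the key and invalidates all outstanding tokens, which deserves a comment such as `/* A fresh secret on every (re)configure invalidates existing auth tokens. */` whether or not that is intended. gotwebd_configure starts before and continues after these hunks.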
@@ -685,8 +691,13 @@ gotwebd_configure(struct gotwebd *env, uid_t uid, gid_
 fatalx("%s: send socket error", __func__);
 }
 
+ if (main_compose_auth(env, GOTWEBD_IMSG_AUTH_SECRET, -1,
+ auth_token_secret, sizeof(auth_token_secret)) == -1)
+ fatal("main_compose_gotweb GOTWEB_IMSG_AUTH_SECRET");
+
 if (auth_privinit(env, uid, gid) == -1)
 fatalx("cannot open authentication socket");
+
 if (main_compose_auth(env, GOTWEBD_IMSG_CFG_SOCK, env->auth_sock->fd,
 NULL, 0) == -1)
 fatal("main_compose_auth GOTWEBD_IMSG_CFG_SOCK");
blob - b5864d25a22fbb8ba0d3d41cdb8283fbf5873c39
blob + 9132227647f754018fffa6d218b2459acf39a02e
--- gotwebd/gotwebd.h
+++ gotwebd/gotwebd.h
@@ -141,6 +141,7 @@ enum imsg_type {
 GOTWEBD_IMSG_CTL_PIPE,
 GOTWEBD_IMSG_CTL_START,
 GOTWEBD_IMSG_AUTH_SOCK,
+ GOTWEBD_IMSG_AUTH_SECRET,
 GOTWEBD_IMSG_REQ_PROCESS,
 GOTWEBD_IMSG_REQ_DONE,
 };
@@ -456,6 +457,8 @@ enum query_actions {
 RSS,
 };
 
+extern char auth_token_secret[32];
+
 extern struct gotwebd *gotwebd_env;
 
 typedef int (*got_render_blame_line_cb)(struct template *, const char *,
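Review bot: The error message on the new main_compose_auth call says `fatal("main_compose_gotweb GOTWEB_IMSG_AUTH_SECRET");`, but the function that failed is main_compose_auth and the constant is GOTWEBD_IMSG_AUTH_SECRET, so a failure here would point an operator at the wrong process and a non-existent symbol. The sibling calls in this function name themselves correctly (`fatal("main_compose_auth GOTWEBD_IMSG_CFG_SOCK");`), so the line should read `fatal("main_compose_auth GOTWEBD_IMSG_AUTH_SECRET");`. gotwebd_configure starts before this hunk.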
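Review bot: The new `extern char auth_token_secret[32];` in gotwebd.h carries no comment, and it is the one place a reader will look to learn what this global is and who owns it. Since the header is shared by the parent, auth and gotweb processes, a short comment above it should state that it holds the HMAC key used for auth tokens, that the parent fills it with arc4random_buf in gotwebd_configure, and that the child processes receive it over imsg as GOTWEBD_IMSG_AUTH_SECRET. The literal 32 now appears in both the extern and the definition in auth.c (and implicitly as the 16 in the debug loops); a named constant for the secret length used in both places, and in the HMAC calls in place of sizeof, would keep them from drifting apart.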