Can someone explain `config/prod.secret.exs` to me?

I am trying to understand the significance of the “secret” that is in the config/prod.secret.exs file.

I’m told I can regenerate this secret whenever I want:

mix phoenix.gen.secret

Why is it so special, and what purpose does it serve?

Can I just put any random nonsense in as my secret (i.e., generated out of my head rather than from the command above)?

How would I be vulnerable if an attacker discovered the secret?

Thanks!

1 Like

Did you mean the secret_key_base config on prod.secret.exs?

The phoenix docs on session gives a brief explanation of what it is used for:

Plug uses our secret_key_base value to sign each cookie to make sure it can’t be tampered with.

As I understand it, think of it as a private key that you (the server) can use to sign anything with and send to the client, e.g. a session key or an authentication token. By “sign”-ing, it usually means concatenating the payload data and some kind of secret string, generating a hash of it, and sending that hash along with the original payload.

When someone sends the session key/token back to the server (e.g. making a request), the server will then calculate the hash again with the received payload and its secret key, and compare it with the received hash. If it matches, then it means the data is intact and valid. If it mismatches, then you can be sure the data has been tampered with, so you must reject the request.

If an attacker discovers your secret, then they can use it to sign any data they want and make it appear valid. It enables them to tamper with server-signed data.

Say your token has a scopes field containing ["read"], you can construct a new token with the scopes set to ["read", "create", "update", "delete"], basically giving you privilege escalation.

I believe you could, but the basic rule is that it should be at least 32 characters in length. mix phoenix.gen.secret gives you 64 by default. Rather than blindly mashing your keyboard, why not use a command that already gives you one? :slight_smile: It’s not a password, so you don’t need to remember it. Hence, it’s better to use some random generated string than, for example, a random English sentence.

7 Likes
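The sign/verify round trip described in the answer above, as an added, self-contained example (not code from the original post, and not Plug's own implementation, which derives per-purpose keys from `secret_key_base` and uses its own token format). It uses HMAC-SHA256 instead of a bare hash over "payload + secret", and constant-time comparison when checking the MAC. The `scopes` payload, the 48-byte secret and the token layout `body.mac` are constructed for the illustration:

```python
"""HMAC-signed token: sign on the server, verify on return, reject anything edited."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from typing import Optional


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode("ascii"))


def sign(payload: dict, secret: bytes) -> str:
    """Serialise the payload, MAC it with the server secret, return 'body.mac'."""
    body = _b64e(json.dumps(payload, sort_keys=True).encode("utf-8"))
    mac = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64e(mac)}"


def verify(token: str, secret: bytes) -> Optional[dict]:
    """Recompute the MAC over the received body; hand back the payload only if it matches."""
    try:
        body, mac_b64 = token.split(".", 1)
        received_mac = _b64d(mac_b64)
    except (ValueError, binascii.Error):
        return None  # malformed token: no dot, or undecodable MAC
    expected_mac = hmac.new(secret, body.encode("ascii"), hashlib.sha256).digest()
    # compare_digest avoids leaking how many leading bytes matched via timing
    if not hmac.compare_digest(expected_mac, received_mac):
        return None
    try:
        return json.loads(_b64d(body))
    except (ValueError, binascii.Error):
        return None


def edit_payload_keep_mac(token: str, new_scopes: list) -> str:
    """The tamper case the answer describes: client rewrites `scopes` but cannot recompute the MAC."""
    body, mac_b64 = token.split(".", 1)
    payload = json.loads(_b64d(body))
    payload["scopes"] = new_scopes
    return f"{_b64e(json.dumps(payload, sort_keys=True).encode('utf-8'))}.{mac_b64}"


def demo() -> dict:
    """Valid token is accepted; edited token and token checked under a rotated secret are rejected."""
    secret = secrets.token_bytes(48)  # constructed; same order of size as the generated secret
    token = sign({"user_id": 42, "scopes": ["read"]}, secret)
    return {
        "valid": verify(token, secret),
        "tampered": verify(edit_payload_keep_mac(token, ["read", "create", "update", "delete"]), secret),
        "rotated": verify(token, secrets.token_bytes(48)),  # regenerating the secret invalidates old tokens
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9s} -> {result}")
```

The `rotated` case is the practical consequence of regenerating the secret as the question asks about: every cookie or token signed under the old value stops verifying, which is exactly what you want after a suspected leak.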

Can I just put any random nonsense in as my secret (i.e., generated out of my head rather than from the command above)?

You want something like this to be truly random.

Here’s me typing some nonsense: ;lakjwel8idclkjaz.c,j29o83lkdjca;lkz.,c@o*#

Here’s what Phoenix generates: 5AL7v/iOVr4dNgwwfQXO75Ipmdr6IpFm1u2kX/zed3k6p6E1vIi51WB8+lSi0Jjf

My nonsense is heavy on lowercase letters, and probably uses ones from the home row more than from elsewhere. If you knew that I had typed something, you’d have an easier time guessing it than if it were truly random.

2 Likes
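To put numbers on the point made above, here is an added example (not from the original post) that profiles the two strings quoted in the answer by character class and home-row usage, estimates bits per character from the sample, and generates a secret the same way the answer recommends: random bytes, base64, cut to the requested length. That generation recipe and the US QWERTY home-row set are assumptions of this example, not something the post states:

```python
"""Typed nonsense vs. a CSPRNG-generated secret: class profile, home-row share, sample entropy."""
import base64
import math
import secrets
from collections import Counter

# Both strings are taken from the answer above.
TYPED_NONSENSE = ";lakjwel8idclkjaz.c,j29o83lkdjca;lkz.,c@o*#"
PHOENIX_SECRET = "5AL7v/iOVr4dNgwwfQXO75Ipmdr6IpFm1u2kX/zed3k6p6E1vIi51WB8+lSi0Jjf"

# Assumption: unshifted US QWERTY home row.
HOME_ROW = set("asdfghjkl;'")


def generate_secret(length: int = 64) -> str:
    """CSPRNG bytes -> base64 -> first `length` characters (assumed recipe, mirrors the shape of the generated value)."""
    if length < 32:
        raise ValueError("secret should be at least 32 characters")
    raw = secrets.token_bytes(length)  # base64 of n bytes is always >= n characters
    return base64.b64encode(raw).decode("ascii")[:length]


def profile(s: str) -> dict:
    """Count lower/upper/digit/other characters and how many sit on the home row."""
    counts = {"length": len(s), "lower": 0, "upper": 0, "digit": 0, "other": 0, "home_row": 0}
    for ch in s:
        if ch.islower():
            counts["lower"] += 1
        elif ch.isupper():
            counts["upper"] += 1
        elif ch.isdigit():
            counts["digit"] += 1
        else:
            counts["other"] += 1
        if ch in HOME_ROW:
            counts["home_row"] += 1
    return counts


def sample_bits_per_char(s: str) -> float:
    """Shannon entropy of the observed character frequencies; a rough heuristic for short samples."""
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def compare() -> dict:
    """Side-by-side numbers for the typed string and the generated one."""
    return {
        "typed": {**profile(TYPED_NONSENSE), "bits_per_char": round(sample_bits_per_char(TYPED_NONSENSE), 2)},
        "generated": {**profile(PHOENIX_SECRET), "bits_per_char": round(sample_bits_per_char(PHOENIX_SECRET), 2)},
    }


if __name__ == "__main__":
    for name, stats in compare().items():
        print(name, stats)
    print("fresh secret:", generate_secret())
```

Run it and the typed string shows no uppercase, roughly two thirds lowercase and almost half of its characters on the home row, while the generated one spreads over all four classes; the per-character entropy estimate is correspondingly lower for the typed string. That skew is what makes a typed "secret" cheaper to guess than its length suggests.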