From 92c31939732f9061b7176ad14520e598edd7c62b Mon Sep 17 00:00:00 2001
From: Erhnysr
Date: Fri, 22 May 2026 00:31:18 +0300
Subject: [PATCH] fix: remove hardcoded Engine API JWT secret and require explicit configuration

The default BASE_NODE_L2_ENGINE_AUTH_RAW value was a well-known public hex string committed in the repository. Because authrpc binds to 0.0.0.0, any operator using host networking, Kubernetes, custom port mappings, or shared Docker networks was exposed to unauthenticated Engine API access.

- Replace hardcoded secret in .env.mainnet and .env.sepolia with a placeholder that instructs operators to generate their own value with `openssl rand -hex 32`
- Add validation in execution-entrypoint that exits with a clear error message if BASE_NODE_L2_ENGINE_AUTH_RAW is unset or still holds the placeholder value
- Upgrade the existing empty-check in consensus-entrypoint to also catch the placeholder value
- Document BASE_NODE_L2_ENGINE_AUTH_RAW as a required field in README.md

Fixes #1086

Co-Authored-By: Claude Sonnet 4.6
---
 .env.mainnet | 3 ++-
 .env.sepolia | 3 ++-
 README.md | 4 ++++
 consensus-entrypoint | 6 ++++--
 execution-entrypoint | 7 +++++++
 5 files changed, 19 insertions(+), 4 deletions(-)

diff --git a/.env.mainnet b/.env.mainnet
index ac9e52b66..a20d4d336 100644
--- a/.env.mainnet
+++ b/.env.mainnet
@@ -21,7 +21,8 @@ BASE_NODE_L1_TRUST_RPC="false"
 # --------------------
 BASE_NODE_L2_ENGINE_RPC=ws://execution:8551
 BASE_NODE_L2_ENGINE_AUTH=/tmp/engine-auth-jwt
-BASE_NODE_L2_ENGINE_AUTH_RAW=688f5d737bad920bdfb2fc2f488d6b6209eebda1dae949a8de91398d932c517a
+# [REQUIRED] Generate with: openssl rand -hex 32
+BASE_NODE_L2_ENGINE_AUTH_RAW=
 # P2P CONFIGURATION
 # -----------------
diff --git a/.env.sepolia b/.env.sepolia
index e518129fb..13141a627 100644
--- a/.env.sepolia
+++ b/.env.sepolia
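Review bot: The new `# [REQUIRED]` comment in the .env.mainnet hunk says how to generate the value but not that nodes which ever ran with the removed default need to rotate it, since that value stays public in the repository history; the .env.sepolia hunk has the same comment. Because both files are tracked, an operator who fills the secret in here can also commit it back by accident. I would extend the comment to `# [REQUIRED] Shared by the execution and consensus containers; generate with: openssl rand -hex 32. Rotate if you ran with the old default, and keep the filled-in value out of version control.`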
@@ -21,7 +21,8 @@ BASE_NODE_L1_TRUST_RPC="false"
 # --------------------
 BASE_NODE_L2_ENGINE_RPC=http://execution:8551
 BASE_NODE_L2_ENGINE_AUTH=/tmp/engine-auth-jwt
-BASE_NODE_L2_ENGINE_AUTH_RAW=688f5d737bad920bdfb2fc2f488d6b6209eebda1dae949a8de91398d932c517a
+# [REQUIRED] Generate with: openssl rand -hex 32
+BASE_NODE_L2_ENGINE_AUTH_RAW=
 # P2P CONFIGURATION
 # -----------------
diff --git a/README.md b/README.md
index 2e0b62998..5e79148fd 100644
--- a/README.md
+++ b/README.md
@@ -64,6 +64,10 @@ The following are the hardware specifications we use in production:
 - `BASE_NODE_L1_BEACON`: your L1 beacon node endpoint
 - `BASE_NODE_NETWORK`: `base` or `base-sepolia`
 - `RETH_CHAIN`: `base` or `base-sepolia`
+- `BASE_NODE_L2_ENGINE_AUTH_RAW`: a 32-byte hex secret shared between the execution and consensus containers — **never use the placeholder value**. Generate with:
+ ```bash
+ openssl rand -hex 32
+ ```
 ### Network Settings
diff --git a/consensus-entrypoint b/consensus-entrypoint
index 05b89467a..696b1c346 100755
--- a/consensus-entrypoint
+++ b/consensus-entrypoint
@@ -36,8 +36,10 @@ if [[ -z "${BASE_NODE_L2_ENGINE_AUTH:-}" ]]; then
 exit 1
 fi
-if [[ -z "${BASE_NODE_L2_ENGINE_AUTH_RAW:-}" ]]; then
- echo "expected BASE_NODE_L2_ENGINE_AUTH_RAW to be set" 1>&2
+if [[ -z "${BASE_NODE_L2_ENGINE_AUTH_RAW:-}" || "${BASE_NODE_L2_ENGINE_AUTH_RAW}" == "" ]]; then
+ echo "ERROR: BASE_NODE_L2_ENGINE_AUTH_RAW is not set or still uses the placeholder value." >&2
+ echo "Generate a secret and set it in your .env file:" >&2
+ echo " BASE_NODE_L2_ENGINE_AUTH_RAW=\$(openssl rand -hex 32)" >&2
 exit 1
 fi
diff --git a/execution-entrypoint b/execution-entrypoint
index cea226016..8d004ed98 100755
--- a/execution-entrypoint
+++ b/execution-entrypoint
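Review bot: As shown in the consensus-entrypoint hunk, the added operand `"${BASE_NODE_L2_ENGINE_AUTH_RAW}" == ""` compares against the empty string, which `-z` already covers, so no placeholder is actually caught (the placeholder literal may have been lost when this page was rendered); the execution-entrypoint hunk carries the identical test. Even with a placeholder in place, any other non-empty string passes, including the default this commit removes from the .env files, which copied configurations will still contain. I would check the shape and reject the old value explicitly, e.g. `[[ "${BASE_NODE_L2_ENGINE_AUTH_RAW:-}" =~ ^[0-9a-fA-F]{64}$ ]]` plus a comparison against the removed default, assuming no `0x` prefix is expected.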
@@ -129,6 +129,13 @@ fi
 mkdir -p "$RETH_DATA_DIR"
 echo "Starting reth with additional args: $ADDITIONAL_ARGS"
+
+if [[ -z "${BASE_NODE_L2_ENGINE_AUTH_RAW:-}" || "${BASE_NODE_L2_ENGINE_AUTH_RAW}" == "" ]]; then
+ echo "ERROR: BASE_NODE_L2_ENGINE_AUTH_RAW is not set or still uses the placeholder value." >&2
+ echo "Generate a secret and set it in your .env file:" >&2
+ echo " BASE_NODE_L2_ENGINE_AUTH_RAW=\$(openssl rand -hex 32)" >&2
+ exit 1
+fi
 echo "$BASE_NODE_L2_ENGINE_AUTH_RAW" > "$BASE_NODE_L2_ENGINE_AUTH"
 exec "$BINARY" node \
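Review bot: The new guard in execution-entrypoint runs after `mkdir -p "$RETH_DATA_DIR"` and the "Starting reth" log line, so a misconfigured node creates its data directory and announces a start before it exits; moving the block above the `mkdir` keeps the failure free of side effects and of a misleading log line. The context line right after the guard writes the secret with a plain redirect, so the file at `$BASE_NODE_L2_ENGINE_AUTH` (`/tmp/engine-auth-jwt` in the .env files) gets whatever mode the current umask allows. Unless umask is tightened earlier in the script, outside this hunk, I would write it as `(umask 077; printf '%s\n' "$BASE_NODE_L2_ENGINE_AUTH_RAW" > "$BASE_NODE_L2_ENGINE_AUTH")`. The script body continues past the end of the hunk.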