Senko-san
23 lines
904 B
Bash
23 lines
904 B
Bash
# Secret generation. Secrets are generated, never requested from the user,
|
|
# and never printed. URL-safe alphanumerics only (avoid shell/URL/env quoting
|
|
# pitfalls in .env and connection strings).
|
|
#
|
|
# Note: we deliberately avoid `... | head -c N` here. Under `set -o pipefail`
|
|
# head closes the pipe early, the upstream producer dies with SIGPIPE, and the
|
|
# whole script would abort. Instead we read a full chunk and slice in bash.
|
|
|
|
# gen_secret [LENGTH] — alphanumeric token, default 32 chars. Sets SECRET.
|
|
gen_secret() {
|
|
local len="${1:-32}" raw=""
|
|
while ((${#raw} < len)); do
|
|
# openssl finishes before tr reads EOF — no early pipe close.
|
|
raw+="$(openssl rand -base64 $((len + 16)) | LC_ALL=C tr -dc 'A-Za-z0-9')"
|
|
done
|
|
SECRET="${raw:0:len}"
|
|
}
|
|
|
|
# gen_hex BYTES — hex string (e.g. JWT secret). Sets SECRET.
|
|
gen_hex() {
|
|
SECRET="$(openssl rand -hex "${1:-32}")"
|
|
}
|