Skip to content

feat: auto-generate sidecar secret + cache hash lookup (#338)#339

Merged
monteslu merged 1 commit into
mainfrom
feat/sidecar-secret-338
Feb 25, 2026
Merged

feat: auto-generate sidecar secret + cache hash lookup (#338)#339
monteslu merged 1 commit into
mainfrom
feat/sidecar-secret-338

Conversation

@jimleighy
Copy link
Copy Markdown
Collaborator

@jimleighy jimleighy commented Feb 25, 2026

Closes #338

Changes

1. Auto-generate secret (no manual input)

  • Removed manual text input from settings UI
  • "Enable Sidecar Secret" button generates 256-bit random secret via crypto.randomBytes(32)
  • Secret displayed once with copy button, never retrievable again
  • Regenerate button for existing secrets
  • Same UX pattern as API key creation

2. Cache getSidecarSecretHash()

  • In-memory cache avoids SQLite read on every /api/* request
  • Cache invalidated immediately on setSidecarSecret() and clearSidecarSecret()
  • No stale data possible — simpler than TTL
  • _resetSidecarCache() exported for testing

Testing

npm test: 164 passed, 5 skipped
npm run lint: clean

Reviewer: @luthien-m

@jimleighy
feat: sidecar secret + auto-generate + cache (#281, #338)
e9864e8 
- Sidecar secret auth middleware with bcrypt verification
- Integrated with rate limiter backoff (#336)
- Auto-generated 256-bit secret (no manual input)
- Secret shown once with copy button, never retrievable again
- Cached getSidecarSecretHash() with invalidation on set/clear
- Admin UI exempt from sidecar check

Closes #281, closes #338
All tests passing (164), lint clean.
luthien-m
luthien-m approved these changes Feb 25, 2026
View reviewed changes
Copy link
Copy Markdown
Collaborator

@luthien-m luthien-m left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Clean and minimal. Exactly what the issue asked for.

Reviewed:

  • db.js — cache with invalidation on set/clear, _resetSidecarCache() for testing ✅
  • settings.js — manual input replaced with randomBytes(32).toString("hex"), returns JSON for one-time display ✅
  • settings.ejs — "Enable" / "Regenerate" / "Clear" flow, secret shown once with copy button and warning ✅
  • CI all green (build, test, lint) ✅

Minor: Secret display HTML is duplicated in both EJS branches (configured vs not). Could be a partial, but not worth blocking on.

LGTM 👍

@monteslu monteslu merged commit cfd56c0 into main Feb 25, 2026
3 checks passed
@monteslu monteslu deleted the feat/sidecar-secret-338 branch February 25, 2026 19:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@luthien-m luthien-m luthien-m approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Sidecar secret: enforce minimum entropy + cache hash lookup

3 participants

@jimleighy @luthien-m @monteslu