Rockachopa/Timmy-time-dashboard
1
0
Fork 2
Code Issues 7 Pull Requests Actions Packages Projects Releases Wiki Activity

sec: add startup warnings for default L402 secrets

Browse Source 
- payment_handler.py: warn when L402_HMAC_SECRET uses default value
- l402_proxy.py: warn when L402_MACAROON_SECRET uses default value
- .env.example: document L402_HMAC_SECRET, L402_MACAROON_SECRET, and
  LIGHTNING_BACKEND with generation instructions

These warnings ensure operators are alerted before deploying with
insecure default secrets.
This commit is contained in:
Manus AI
2026-02-21 13:46:12 -05:00
parent 2e055635a8
commit f2481010f9
3 changed files with 29 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
.env.example
View File

@@ -21,3 +21,14 @@
# AirLLM model size (default: 70b).
# 8b ~16 GB RAM | 70b ~140 GB RAM | 405b ~810 GB RAM
# AIRLLM_MODEL_SIZE=70b
# ── L402 Lightning secrets ───────────────────────────────────────────────────
# HMAC secret for invoice verification. MUST be changed in production.
# Generate with: python3 -c "import secrets; print(secrets.token_hex(32))"
# L402_HMAC_SECRET=<your-secret-here>
# HMAC secret for macaroon signing. MUST be changed in production.
# L402_MACAROON_SECRET=<your-secret-here>
# Lightning backend: "mock" (default) | "lnd"
# LIGHTNING_BACKEND=mock

12
src/timmy_serve/l402_proxy.py
View File

@@ -22,9 +22,15 @@ from timmy_serve.payment_handler import payment_handler
logger = logging.getLogger(__name__)
_MACAROON_SECRET = os.environ.get(
"L402_MACAROON_SECRET", "timmy-macaroon-secret"
).encode()
_MACAROON_SECRET_DEFAULT = "timmy-macaroon-secret"
_MACAROON_SECRET_RAW = os.environ.get("L402_MACAROON_SECRET", _MACAROON_SECRET_DEFAULT)
_MACAROON_SECRET = _MACAROON_SECRET_RAW.encode()
if _MACAROON_SECRET_RAW == _MACAROON_SECRET_DEFAULT:
logger.warning(
"SEC: L402_MACAROON_SECRET is using the default value — set a unique "
"secret in .env before deploying to production."
)
@dataclass

10
src/timmy_serve/payment_handler.py
View File

@@ -20,7 +20,15 @@ from typing import Optional
logger = logging.getLogger(__name__)
# Secret key for HMAC-based invoice verification (mock mode)
_HMAC_SECRET = os.environ.get("L402_HMAC_SECRET", "timmy-sovereign-sats").encode()
_HMAC_SECRET_DEFAULT = "timmy-sovereign-sats"
_HMAC_SECRET_RAW = os.environ.get("L402_HMAC_SECRET", _HMAC_SECRET_DEFAULT)
_HMAC_SECRET = _HMAC_SECRET_RAW.encode()
if _HMAC_SECRET_RAW == _HMAC_SECRET_DEFAULT:
logger.warning(
"SEC: L402_HMAC_SECRET is using the default value — set a unique "
"secret in .env before deploying to production."
)
@dataclass