From 44f146d6e147eaefb840119585bb475cd58875c3 Mon Sep 17 00:00:00 2001
From: Andrei Mihu
Date: Fri, 20 Sep 2024 13:35:03 +0100
Subject: [PATCH] Fix config copy operation, warn on insecure value.
---
 server/config.go | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/server/config.go b/server/config.go
index 62e048e6f..d80b69b8e 100644
--- a/server/config.go
+++ b/server/config.go
@@ -415,6 +415,9 @@ func ValidateConfig(logger *zap.Logger, c Config) map[string]string {
 if k := c.GetMFA().StorageEncryptionKey; k != "" && len(k) != 32 {
 logger.Fatal("MFA encryption key has to be 32 bits long")
+ } else if k == NewMFAConfig().StorageEncryptionKey {
+ logger.Warn("WARNING: insecure default parameter value, change this for production!", zap.String("param", "mfa.storage_encryption_key"))
+ configWarnings["mfa.storage_encryption_key"] = "Insecure default parameter value, change this for production!"
 }
 return configWarnings
@@ -529,6 +532,7 @@ func (c *config) Clone() (Config, error) {
 configSatori := *(c.Satori)
 configStorage := *(c.Storage)
 configGoogleAuth := *(c.GoogleAuth)
+ configMFA := *(c.MFA)
 nc := &config{
 Name: c.Name,
 Datadir: c.Datadir,
@@ -549,6 +553,7 @@ func (c *config) Clone() (Config, error) {
 Satori: &configSatori,
 GoogleAuth: &configGoogleAuth,
 Storage: &configStorage,
+ MFA: &configMFA,
 }
 nc.Socket.CertPEMBlock = make([]byte, len(c.Socket.CertPEMBlock))
 copy(nc.Socket.CertPEMBlock, c.Socket.CertPEMBlock)
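Review bot: The added `else if` branch in ValidateConfig only warns and records a `configWarnings` entry when `mfa.storage_encryption_key` still equals the value from `NewMFAConfig()`, so the server still starts with a key that is presumably fixed in the source and gives stored MFA secrets no real confidentiality. I would state that above the branch, e.g. `// The default key is a known value; MFA secrets encrypted under it must be treated as unprotected.`, and have deployments alert on this `configWarnings` key rather than rely on someone reading the startup log. Separately, the unchanged line above says "32 bits" while `len(k) != 32` checks a 32-byte string; `logger.Fatal("MFA encryption key has to be 32 bytes long")` would match the check. ValidateConfig's body starts outside the hunk.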
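Review bot: `configMFA := *(c.MFA)` dereferences `c.MFA` without a nil check, so `Clone` panics if a `config` value is ever built without its MFA section. The neighbouring sections use the same pattern, so a comment stating the invariant would do, e.g. `// Every section pointer is expected to be non-nil here.`, assuming construction guarantees that, which the hunk does not show. The copy is also shallow: `StorageEncryptionKey` is a string and copies safely, but any slice or map field in the MFA struct would be shared between original and clone. Because the defect fixed here was a section silently missing from the struct literal (completed by the `MFA: &configMFA,` line in the next hunk), a test asserting that every pointer field of the cloned config is non-nil would catch the next omission. Clone's body starts and ends outside both hunks.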