From 662c7860fe1368a804dc367c54ffe83c5800f252 Mon Sep 17 00:00:00 2001 From: Erhnysr Date: Wed, 20 May 2026 13:19:42 +0300 Subject: [PATCH 1/2] fix: remove hardcoded Engine API JWT secret and require explicit configuration The default BASE_NODE_L2_ENGINE_AUTH_RAW value was a well-known public hex string committed in the repository. Because authrpc binds to 0.0.0.0, any operator using host networking, Kubernetes, custom port mappings, or shared Docker networks was exposed to unauthenticated Engine API access. - Remove the hardcoded secret from .env.mainnet and .env.sepolia; replace with a placeholder that instructs operators to generate their own value using `openssl rand -hex 32` - Add validation in all three entrypoint scripts (reth-entrypoint, base-consensus-entrypoint, op-node-entrypoint) that exits with a clear error message if BASE_NODE_L2_ENGINE_AUTH_RAW is unset or still holds the placeholder value - Document BASE_NODE_L2_ENGINE_AUTH_RAW as a required field in README.md Fixes #1086 Co-Authored-By: Claude Sonnet 4.6 --- .env.mainnet | 4 +++- .env.sepolia | 4 +++- README.md | 7 +++++++ base-consensus-entrypoint | 6 ++++++ op-node-entrypoint | 6 ++++++ reth/reth-entrypoint | 7 +++++++ 6 files changed, 32 insertions(+), 2 deletions(-) diff --git a/.env.mainnet b/.env.mainnet index c5bd040b5..4a89f19d1 100644 --- a/.env.mainnet +++ b/.env.mainnet @@ -42,7 +42,9 @@ OP_NODE_L2_ENGINE_RPC=http://execution:8551 BASE_NODE_L2_ENGINE_RPC=ws://execution:8551 BASE_NODE_L2_ENGINE_AUTH=/tmp/engine-auth-jwt -BASE_NODE_L2_ENGINE_AUTH_RAW=688f5d737bad920bdfb2fc2f488d6b6209eebda1dae949a8de91398d932c517a +# [REQUIRED] Set this to a secret hex string shared by the execution and consensus containers. +# Generate one with: openssl rand -hex 32 +BASE_NODE_L2_ENGINE_AUTH_RAW= # P2P CONFIGURATION # --------------- diff --git a/.env.sepolia b/.env.sepolia index cb9a8b545..d5c521759 100644 --- a/.env.sepolia +++ b/.env.sepolia @@ -42,7 +42,9 @@ OP_NODE_L2_ENGINE_RPC=ws://execution:8551 BASE_NODE_L2_ENGINE_RPC=http://execution:8551 BASE_NODE_L2_ENGINE_AUTH=/tmp/engine-auth-jwt -BASE_NODE_L2_ENGINE_AUTH_RAW=688f5d737bad920bdfb2fc2f488d6b6209eebda1dae949a8de91398d932c517a +# [REQUIRED] Set this to a secret hex string shared by the execution and consensus containers. +# Generate one with: openssl rand -hex 32 +BASE_NODE_L2_ENGINE_AUTH_RAW= # P2P CONFIGURATION # --------------- diff --git a/README.md b/README.md index 1cbaad17d..90b36786d 100644 --- a/README.md +++ b/README.md @@ -83,6 +83,13 @@ Supported clients: ### Required Settings +- Engine API JWT Secret: + - `BASE_NODE_L2_ENGINE_AUTH_RAW`: A 32-byte hex secret shared between the execution and consensus containers. **You must generate this yourself — do not use a public or default value.** + ```bash + openssl rand -hex 32 + ``` + Set the output as `BASE_NODE_L2_ENGINE_AUTH_RAW` in your `.env` file. Both containers must use the same value. + - L1 Configuration: - `OP_NODE_L1_ETH_RPC`: Your Ethereum L1 node RPC endpoint - `OP_NODE_L1_BEACON`: Your L1 beacon node endpoint diff --git a/base-consensus-entrypoint b/base-consensus-entrypoint index cd2801fce..d4c52846c 100755 --- a/base-consensus-entrypoint +++ b/base-consensus-entrypoint @@ -42,6 +42,12 @@ else fi export BASE_NODE_P2P_ADVERTISE_IP=$PUBLIC_IP +if [[ -z "${BASE_NODE_L2_ENGINE_AUTH_RAW:-}" || "${BASE_NODE_L2_ENGINE_AUTH_RAW}" == "" ]]; then + echo "ERROR: BASE_NODE_L2_ENGINE_AUTH_RAW is not set." >&2 + echo "Generate a secret and set it in your .env file:" >&2 + echo " BASE_NODE_L2_ENGINE_AUTH_RAW=\$(openssl rand -hex 32)" >&2 + exit 1 +fi echo "$BASE_NODE_L2_ENGINE_AUTH_RAW" > "$BASE_NODE_L2_ENGINE_AUTH" if [[ -n "${BASE_NODE_SOURCE_L2_RPC:-}" ]]; then diff --git a/op-node-entrypoint b/op-node-entrypoint index 893015882..076c4bb93 100755 --- a/op-node-entrypoint +++ b/op-node-entrypoint @@ -43,6 +43,12 @@ fi export OP_NODE_P2P_ADVERTISE_IP=$PUBLIC_IP +if [[ -z "${BASE_NODE_L2_ENGINE_AUTH_RAW:-}" || "${BASE_NODE_L2_ENGINE_AUTH_RAW}" == "" ]]; then + echo "ERROR: BASE_NODE_L2_ENGINE_AUTH_RAW is not set." >&2 + echo "Generate a secret and set it in your .env file:" >&2 + echo " BASE_NODE_L2_ENGINE_AUTH_RAW=\$(openssl rand -hex 32)" >&2 + exit 1 +fi echo "$BASE_NODE_L2_ENGINE_AUTH_RAW" > "$BASE_NODE_L2_ENGINE_AUTH" export OP_NODE_L2_ENGINE_AUTH=$BASE_NODE_L2_ENGINE_AUTH diff --git a/reth/reth-entrypoint b/reth/reth-entrypoint index cea226016..2dde35472 100755 --- a/reth/reth-entrypoint +++ b/reth/reth-entrypoint @@ -129,6 +129,13 @@ fi mkdir -p "$RETH_DATA_DIR" echo "Starting reth with additional args: $ADDITIONAL_ARGS" + +if [[ -z "${BASE_NODE_L2_ENGINE_AUTH_RAW:-}" || "${BASE_NODE_L2_ENGINE_AUTH_RAW}" == "" ]]; then + echo "ERROR: BASE_NODE_L2_ENGINE_AUTH_RAW is not set." >&2 + echo "Generate a secret and set it in your .env file:" >&2 + echo " BASE_NODE_L2_ENGINE_AUTH_RAW=\$(openssl rand -hex 32)" >&2 + exit 1 +fi echo "$BASE_NODE_L2_ENGINE_AUTH_RAW" > "$BASE_NODE_L2_ENGINE_AUTH" exec "$BINARY" node \ From e917d59d6bef581f1b7e2783f8c2a38f583471c2 Mon Sep 17 00:00:00 2001 From: Erhnysr Date: Wed, 20 May 2026 20:11:06 +0300 Subject: [PATCH 2/2] fix: add JWT secret validation to geth-entrypoint geth/geth-entrypoint was missing the same BASE_NODE_L2_ENGINE_AUTH_RAW validation added to reth-entrypoint, base-consensus-entrypoint, and op-node-entrypoint. Without this check, geth nodes using the default or placeholder secret would silently start with a public JWT. Co-Authored-By: Claude Sonnet 4.6 --- geth/geth-entrypoint | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/geth/geth-entrypoint b/geth/geth-entrypoint index b598cb3f4..8f32fc837 100755 --- a/geth/geth-entrypoint +++ b/geth/geth-entrypoint @@ -28,6 +28,12 @@ fi mkdir -p $GETH_DATA_DIR +if [[ -z "${BASE_NODE_L2_ENGINE_AUTH_RAW:-}" || "${BASE_NODE_L2_ENGINE_AUTH_RAW}" == "" ]]; then + echo "ERROR: BASE_NODE_L2_ENGINE_AUTH_RAW is not set." >&2 + echo "Generate a secret and set it in your .env file:" >&2 + echo " BASE_NODE_L2_ENGINE_AUTH_RAW=\$(openssl rand -hex 32)" >&2 + exit 1 +fi echo "$BASE_NODE_L2_ENGINE_AUTH_RAW" > "$BASE_NODE_L2_ENGINE_AUTH" if [ "${OP_GETH_ETH_STATS+x}" = x ]; then