Remove default FUSIO_PROJECT_KEY from .env
To improve security, Fusio should force the user to set their own FUSIO_PROJECT_KEY during install. There are a lot of ways to achieve this, e.g.:
- Remove the default key from apioo/fusio and throw an error, if the key is empty during install
- Generating a FUSIO_PROJECT_KEY during install, if it's empty
- Add a hint in Fusio / Get started
- Leave the default key in apioo/fusio, but throw an error if it's used during install (only allowed for testing?)
- ...
I think we could generate a unique project key on installation. Laravel also does this automatically on installation through a post-create-project-cmd composer hook. We could also do this in the same way, so that every project automatically gets a random project key in case it's installed through composer create project.
In CPanel the project key is generated per instance. Not sure about composer, but if it does now, this can be closed.
So, we automatically generate a new key if you install Fusio through the install.php; if you only use the CLI, you need to manually change the project key. I think it would still be a good idea to create a new post-create-project-cmd script to generate this key, so I will leave this issue open.
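One way the post-create-project-cmd script discussed in this thread could look, as an added example that is not Fusio's own code. The script name, the 64-character hex key format and the `SHIPPED_DEFAULT_KEY` placeholder are assumptions; only `FUSIO_PROJECT_KEY` and `.env` come from the issue.

```php
<?php
// Hypothetical bin/generate-project-key.php, not part of Fusio. Possible composer wiring:
//   "post-create-project-cmd": ["@php bin/generate-project-key.php"]
// Placeholder: the default key value shipped in .env is not quoted in this thread.
const SHIPPED_DEFAULT_KEY = '<default-key-from-shipped-.env>';

// Returns new .env contents when the key is missing, empty or still the shipped
// default; returns null when a custom key is already set.
function withFreshProjectKey(string $env, string $defaultKey): ?string
{
    $pattern = '/^FUSIO_PROJECT_KEY=(.*)$/m';
    // Assumption: a 64-character hex string is an acceptable project key.
    $line = 'FUSIO_PROJECT_KEY="' . bin2hex(random_bytes(32)) . '"';
    if (!preg_match($pattern, $env, $match)) {
        return ($env === '' ? '' : rtrim($env, "\r\n") . "\n") . $line . "\n";
    }
    $current = trim($match[1], " \t\r\"'");
    if ($current !== '' && $current !== $defaultKey) {
        return null; // never overwrite a key the user has chosen
    }
    // Callback replacement, so nothing in the new line is read as a backreference.
    return preg_replace_callback($pattern, fn () => $line, $env, 1);
}

function main(string $path): int
{
    $env = @file_get_contents($path);
    if ($env === false) {
        fwrite(STDERR, "Cannot read {$path}\n");
        return 1;
    }
    $updated = withFreshProjectKey($env, SHIPPED_DEFAULT_KEY);
    if ($updated === null) {
        echo "FUSIO_PROJECT_KEY already has a custom value, leaving it unchanged\n";
        return 0;
    }
    // Write a temp file with the original permissions, then rename it into place,
    // so a failed write cannot leave a truncated .env behind.
    $tmp = $path . '.tmp';
    if (file_put_contents($tmp, $updated) === false
        || !chmod($tmp, fileperms($path) & 0777) || !rename($tmp, $path)) {
        fwrite(STDERR, "Cannot write {$path}\n");
        return 1;
    }
    echo "Generated a new FUSIO_PROJECT_KEY\n";
    return 0;
}

exit(main($argv[1] ?? getcwd() . '/.env'));
```

Because the script leaves a custom key untouched, it is safe to run more than once, and the same check covers the CLI-only install path mentioned above.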