feat: auto-generate random BROKER_JWT_SECRET if not provided

echobt · echobt · commit d7be22bfe9d5 · 2026-01-04T21:14:57.000Z
- validator-node generates random UUID as JWT secret on startup
- Sets BROKER_JWT_SECRET env var so challenge-orchestrator uses same secret
- challenge-orchestrator uses OnceLock for consistent secret across all containers
- Ensures broker always requires JWT auth for security
diff --git a/bins/validator-node/src/main.rs b/bins/validator-node/src/main.rs
@@ -347,9 +347,19 @@ async fn main() -> Result<()> {
     // Container broker
     info!("Container broker on port {}...", args.broker_port);
     let broker = Arc::new(ContainerBroker::with_policy(SecurityPolicy::default()).await?);
+
+    // Use provided JWT secret or generate a random one for this session
+    let jwt_secret = args.broker_jwt_secret.clone().unwrap_or_else(|| {
+        let secret = uuid::Uuid::new_v4().to_string();
+        info!("Generated random BROKER_JWT_SECRET for this session");
+        // Set env var so challenge-orchestrator uses the same secret
+        std::env::set_var("BROKER_JWT_SECRET", &secret);
+        secret
+    });
+
     let ws_config = WsConfig {
         bind_addr: format!("0.0.0.0:{}", args.broker_port),
-        jwt_secret: args.broker_jwt_secret.clone(),
+        jwt_secret: Some(jwt_secret),
         allowed_challenges: vec![],
         max_connections_per_challenge: 10,
     };
diff --git a/crates/challenge-orchestrator/src/docker.rs b/crates/challenge-orchestrator/src/docker.rs
@@ -600,26 +600,33 @@ impl DockerClient {
             platform_host, broker_port
         ));
 
-        // Pass JWT token for broker authentication (if set)
-        if let Ok(jwt_secret) = std::env::var("BROKER_JWT_SECRET") {
-            // Generate a JWT token for this challenge
-            // Token includes challenge_id and validator_hotkey for authorization
-            let challenge_id = config.challenge_id.to_string();
-            let owner_id =
-                std::env::var("VALIDATOR_HOTKEY").unwrap_or_else(|_| "unknown".to_string());
-
-            // Use secure_container_runtime to generate token (3600s = 1 hour TTL)
-            if let Ok(token) = secure_container_runtime::generate_token(
-                &challenge_id,
-                &owner_id,
-                &jwt_secret,
-                3600,
-            ) {
-                env.push(format!("CONTAINER_BROKER_JWT={}", token));
-                debug!(challenge = %config.name, "Generated broker JWT token");
-            } else {
-                warn!(challenge = %config.name, "Failed to generate broker JWT token");
-            }
+        // Pass JWT token for broker authentication
+        // Use BROKER_JWT_SECRET if set, otherwise generate a random one
+        let jwt_secret = std::env::var("BROKER_JWT_SECRET").unwrap_or_else(|_| {
+            use std::sync::OnceLock;
+            static RANDOM_SECRET: OnceLock<String> = OnceLock::new();
+            RANDOM_SECRET
+                .get_or_init(|| {
+                    let secret = uuid::Uuid::new_v4().to_string();
+                    info!("Generated random BROKER_JWT_SECRET for this session");
+                    secret
+                })
+                .clone()
+        });
+
+        // Generate a JWT token for this challenge
+        // Token includes challenge_id and validator_hotkey for authorization
+        let challenge_id = config.challenge_id.to_string();
+        let owner_id = std::env::var("VALIDATOR_HOTKEY").unwrap_or_else(|_| "unknown".to_string());
+
+        // Use secure_container_runtime to generate token (3600s = 1 hour TTL)
+        if let Ok(token) =
+            secure_container_runtime::generate_token(&challenge_id, &owner_id, &jwt_secret, 3600)
+        {
+            env.push(format!("CONTAINER_BROKER_JWT={}", token));
+            debug!(challenge = %config.name, "Generated broker JWT token");
+        } else {
+            warn!(challenge = %config.name, "Failed to generate broker JWT token");
         }
 
         // Create container config
