add option for generating random APP_KEY & SALT when setup

.env.example

@@ -37,14 +37,16 @@ PWD_METHOD = SALTED2MD5
 # Salt
 # Change it to any random string to secure your passwords & tokens.
 #
-SALT = change-it+to*what)you^like
+# You can run [php artisan salt:random] to generate a new salt.
+#
+SALT = 2c5ca184f017a9a1ffbd198ef69b0c0e
 
 # App Key should be setted to any random, **32 character** string,
 # otherwise all the encrypted strings will not be safe.
 #
 # You can run [php artisan key:generate] to generate a new key.
 #
-APP_KEY=NkccevHHNRoRBTdGZ4osmKnwdebrjCYw
+APP_KEY = base64:gkb/zouNF6UOSfnr/o+izVMS57WQS3+62YqZBuDyBhU=
 
 # Mail Configurations
 # Leave MAIL_HOST empty to disable password resetting

app/Console/Commands/KeyRandomCommand.php

@@ -0,0 +1,74 @@
+<?php
+
+namespace App\Console\Commands;
+
+use Illuminate\Console\Command;
+
+class KeyRandomCommand extends Command
+{
+    /**
+     * The name and signature of the console command.
+     *
+     * @var string
+     */
+    protected $signature = 'key:random {--show : Display the key instead of modifying files}';
+
+    /**
+     * The console command description.
+     *
+     * @var string
+     */
+    protected $description = 'Set the application key';
+
+    /**
+     * Execute the console command.
+     *
+     * @return void
+     */
+    public function fire()
+    {
+        $key = $this->generateRandomKey();
+
+        if ($this->option('show')) {
+            return $this->line('<comment>'.$key.'</comment>');
+        }
+
+        // Next, we will replace the application key in the environment file so it is
+        // automatically setup for this developer. This key gets generated using a
+        // secure random byte generator and is later base64 encoded for storage.
+        $this->setKeyInEnvironmentFile($key);
+
+        $this->laravel['config']['app.key'] = $key;
+
+        $this->info("Application key [$key] set successfully.");
+    }
+
+    /**
+     * Set the application key in the environment file.
+     *
+     * @param  string  $key
+     * @return void
+     */
+    protected function setKeyInEnvironmentFile($key)
+    {
+        // Unlike Illuminate\Foundation\Console\KeyGenerateCommand,
+        // I add soame spaces to the replace pattern.
+        file_put_contents($this->laravel->environmentFilePath(), str_replace(
+            'APP_KEY = '.$this->laravel['config']['app.key'],
+            'APP_KEY = '.$key,
+            file_get_contents($this->laravel->environmentFilePath())
+        ));
+    }
+
+    /**
+     * Generate a random key for the application.
+     *
+     * @return string
+     */
+    protected function generateRandomKey()
+    {
+        return 'base64:'.base64_encode(random_bytes(
+            $this->laravel['config']['app.cipher'] == 'AES-128-CBC' ? 16 : 32
+        ));
+    }
+}

app/Console/Commands/SaltRandomCommand.php

@@ -0,0 +1,70 @@
+<?php
+
+namespace App\Console\Commands;
+
+use Illuminate\Console\Command;
+
+class SaltRandomCommand extends Command
+{
+    /**
+     * The name and signature of the console command.
+     *
+     * @var string
+     */
+    protected $signature = 'salt:random {--show : Display the salt instead of modifying files}';
+
+    /**
+     * The console command description.
+     *
+     * @var string
+     */
+    protected $description = 'Set the application salt';
+
+    /**
+     * Execute the console command.
+     *
+     * @return void
+     */
+    public function fire()
+    {
+        $salt = $this->generateRandomSalt();
+
+        if ($this->option('show')) {
+            return $this->line('<comment>'.$salt.'</comment>');
+        }
+
+        // Next, we will replace the application salt in the environment file so it is
+        // automatically setup for this developer. This salt gets generated using a
+        // secure random byte generator and is later base64 encoded for storage.
+        $this->setKeyInEnvironmentFile($salt);
+
+        $this->laravel['config']['secure.salt'] = $salt;
+
+        $this->info("Application salt [$salt] set successfully.");
+    }
+
+    /**
+     * Set the application salt in the environment file.
+     *
+     * @param  string  $salt
+     * @return void
+     */
+    protected function setKeyInEnvironmentFile($salt)
+    {
+        file_put_contents($this->laravel->environmentFilePath(), str_replace(
+            'SALT = '.$this->laravel['config']['secure.salt'],
+            'SALT = '.$salt,
+            file_get_contents($this->laravel->environmentFilePath())
+        ));
+    }
+
+    /**
+     * Generate a random salt for the application.
+     *
+     * @return string
+     */
+    protected function generateRandomSalt()
+    {
+        return bin2hex(random_bytes(16));
+    }
+}

app/Console/Kernel.php

@@ -14,6 +14,8 @@ class Kernel extends ConsoleKernel
      */
     protected $commands = [
         Commands\Inspire::class,
+        Commands\KeyRandomCommand::class,
+        Commands\SaltRandomCommand::class,
     ];
 
     /**

app/Http/Controllers/SetupController.php

@@ -33,14 +33,6 @@ class SetupController extends Controller
         } else {
             $config = config('database.connections.mysql');
 
-            // generate new APP_KEY
-            if (is_writable(app()->environmentFile())) {
-                Artisan::call('key:generate');
-                Log::info("[SetupWizard] Application key set successfully.", ['key' => config('app.key')]);
-            } else {
-                Log::warning("[SetupWizard] Failed to set application key. No write permission.");
-            }
-
             return view('setup.wizard.welcome')->with('server', "{$config['username']}@{$config['host']}");
         }
     }
@@ -66,6 +58,21 @@ class SetupController extends Controller
             'site_name' => 'required'
         ]);
 
+        if (isset($_POST['generate_random'])) {
+            // generate new APP_KEY & SALT randomly
+            if (is_writable(app()->environmentFile())) {
+                Artisan::call('key:random');
+                Artisan::call('salt:random');
+
+                Log::info("[SetupWizard] Random application key & salt set successfully.", [
+                    'key'  => config('app.key'),
+                    'salt' => config('secure.salt')
+                ]);
+            } else {
+                Log::warning("[SetupWizard] Failed to set application key. No write permission.");
+            }
+        }
+
         // create tables
         Artisan::call('migrate', ['--force' => true]);
         Log::info("[SetupWizard] Tables migrated.");

resources/lang/en/setup.yml

@@ -51,6 +51,8 @@ wizard:
     confirm-pwd: Confirm password
     site-name: Site name
     site-name-notice: This will be shown at title bar and homepage.
+    secure: Security
+    secure-notice: Generate random APP_KEY and SALT to make your site secured.
 
   finish:
     title: Installation complete

resources/lang/zh_CN/setup.yml

@@ -51,6 +51,8 @@ wizard:
     confirm-pwd: 重复密码
     site-name: 站点名称
     site-name-notice: 将会显示在首页以及标题栏
+    secure: 站点安全
+    secure-notice: 生成随机 APP_KEY 和 SALT 以保证安全
 
   finish:
     title: 安装成功！

resources/views/setup/wizard/info.tpl

@@ -36,6 +36,15 @@
                 <p>{{ trans('setup.wizard.info.site-name-notice') }}</p>
             </td>
         </tr>
+        <tr>
+            <th scope="row"><label for="generate_random">{{ trans('setup.wizard.info.secure') }}</label></th>
+            <td>
+                <label for="generate_random">
+                    <input name="generate_random" type="checkbox" id="generate_random" size="25" value="on" />
+                    {{ trans('setup.wizard.info.secure-notice') }}
+                </label>
+            </td>
+        </tr>
     </table>
 
     @if (count($errors) > 0)