`shuffle-salts` doesn't regenerate `WP_CACHE_KEY_SALT` about config-command HOT 12 CLOSED

I like that idea! I'm not sure about the syntax, though, I don't like adding an arbitrary flag to config set like that.

How about this:

wp config shuffle-salts [--key=<key>] [--force]

<key> is the specific key to shuffle. core-group or something similar could be a value to denote the default ones, and it could be set as the default value for --key to cover BC.

--force would basically mean "update if it exists or create if it doesn't exist".

from config-command.

@schlessera Didn't think of that, good point. Behind a flag would be great. But what about taking it a step further and adding a flag to generate a salt for anything? For example, setting a JWT secret:

wp config set JWT_SECRET --salt

or to regenerate the cache key:

wp config set WP_CACHE_KEY_SALT --salt

Being able to generate secure strings for anything would be fantastic

from config-command.

It's more about semantics: "shuffle" implies that there is something already there to shuffle.

from config-command.

I just added a PR that makes shuffle-salts accept positional arguments for cache keys to shuffle. So while this still does not shuffle the cache key salt by default (which I think is not a safe default as explained above), it allows you to shuffle it easily with the single command: wp config shuffle-salt WP_CACHE_KEY_SALT.

Adding --force will generate it as needed if it is not yet present.

from config-command.

I helped myself with first wp config shuffle-salts and then
wp config set WP_CACHE_KEY_SALT '$WP_CACHE_KEY_SALT'
Is there a better (shorter) way?

from config-command.

Hit this again today. Would very much like to be able to generate WP_CACHE_KEY_SALT with wp cli.

What do we need to do to unblock this task?

Core folks are aggressively nope-ing out on this one:
https://meta.trac.wordpress.org/ticket/3678
https://core.trac.wordpress.org/ticket/44425

from config-command.

This would be very helpful to have included even if you had to include the key specifically when you ran the command.

wp config shuffle-salts --key=WP_CACHE_KEY_SALT

from config-command.

@tillkruss Does not look like they have https://github.com/wp-cli/config-command/pulls

from config-command.

I'm not sure we should shuffle the cache key salt by default, because:

• it will invalidate the entire caching subsystem, maybe leading to a cache stampede.
• it might be set to a very specific value to coordinate multiple servers using the same cache.

I'm open to adding this behind a separate flag, but I don't think it should be part of the default behavior.

from config-command.

Nice! Would --force be necessary though? Specifying any key other than core-group could either replace an existing key's value with a new salt, or create the key if it doesn't. Similar to how wp config set works.

from config-command.

@lukecav has anyone opened a PR on this?

from config-command.

@schlessera
I tried running that command and it does not work.
Maybe a typo on shuffle-salt - shuffle-salts?
Also with salts i got the "Success: Shuffled the salt keys." but no WP_CACHE_KEY_SALT generated.
This is the command I am running:
wp config shuffle-salts WP_CACHE_KEY_SALT --force --allow-root
And this is affecting all salts but not the WP_CACHE_KEY_SALT that is not shuffled at all.
It works the same for other salts:
wp config shuffle-salts NONCE_SALT --force --allow-root
That one shuffle all salts

I have no idea but maybe it needs to be added to the default list:

from config-command.