config: Validate that shared_key does not contain whitespace

config/options.go

@@ -414,6 +414,10 @@ func (o *Options) Validate() error {
 		return errors.New("config: shared-key cannot be empty")
 	}
 
+	if o.SharedKey != strings.TrimSpace(o.SharedKey) {
+		return errors.New("config: shared-key contains whitespace")
+	}
+
 	if o.AuthenticateURLString != "" {
 		u, err := urlutil.ParseAndValidateURL(o.AuthenticateURLString)
 		if err != nil {

config/options_test.go

@@ -279,6 +279,7 @@ func Test_NewOptionsFromConfigEnvVar(t *testing.T) {
 		{"bad cert key base64", map[string]string{"CERTIFICATE_KEY": "bad cert", "SHARED_SECRET": "YixWi1MYh77NMECGGIJQevoonYtVF+ZPRkQZrrmeRqM="}, true},
 		{"bad no certs no insecure mode set", map[string]string{"SHARED_SECRET": "YixWi1MYh77NMECGGIJQevoonYtVF+ZPRkQZrrmeRqM="}, true},
 		{"good disable headers ", map[string]string{"HEADERS": "disable:true", "INSECURE_SERVER": "true", "SHARED_SECRET": "YixWi1MYh77NMECGGIJQevoonYtVF+ZPRkQZrrmeRqM="}, false},
+		{"bad whitespace in secret", map[string]string{"INSECURE_SERVER": "true", "SERVICES": "authenticate", "SHARED_SECRET": "YixWi1MYh77NMECGGIJQevoonYtVF+ZPRkQZrrmeRqM=\n"}, true},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {

docs/docs/CHANGELOG.md

@@ -9,6 +9,7 @@
 - Added yaml tags to all options struct fields
   - [GH-394](https://github.com/pomerium/pomerium/pull/394)
   - [GH-397](https://github.com/pomerium/pomerium/pull/397)
+- Improved config validation for `shared_secret` [GH-427](https://github.com/pomerium/pomerium/pull/427)
 
 ### Fixed