Persist jwt_secret in config file (#5353)

Co-authored-by: openhands <openhands@all-hands.dev>

README.md

@@ -45,10 +45,11 @@ system requirements and more information.
 ```bash
 docker pull docker.all-hands.dev/all-hands-ai/runtime:0.15-nikolaik
 
-docker run -it --pull=always \
+docker run -it --rm --pull=always \
     -e SANDBOX_RUNTIME_CONTAINER_IMAGE=docker.all-hands.dev/all-hands-ai/runtime:0.15-nikolaik \
     -e LOG_ALL_EVENTS=true \
     -v /var/run/docker.sock:/var/run/docker.sock \
+    -v ~/.openhands:/home/openhands/.openhands \
     -p 3000:3000 \
     --add-host host.docker.internal:host-gateway \
     --name openhands-app \

containers/app/Dockerfile

@@ -42,6 +42,8 @@ ENV USE_HOST_NETWORK=false
 ENV WORKSPACE_BASE=/opt/workspace_base
 ENV OPENHANDS_BUILD_VERSION=$OPENHANDS_BUILD_VERSION
 ENV SANDBOX_USER_ID=0
+ENV FILE_STORE=local
+ENV FILE_STORE_PATH=~/.openhands
 RUN mkdir -p $WORKSPACE_BASE
 
 RUN apt-get update -y \

openhands/core/config/app_config.py

@@ -1,4 +1,3 @@
-import uuid
 from dataclasses import dataclass, field, fields, is_dataclass
 from typing import ClassVar
 
@@ -66,7 +65,7 @@ class AppConfig:
     modal_api_token_id: str = ''
     modal_api_token_secret: str = ''
     disable_color: bool = False
-    jwt_secret: str = uuid.uuid4().hex
+    jwt_secret: str = ''
     attach_session_middleware_class: str = (
         'openhands.server.middleware.AttachSessionMiddleware'
     )

openhands/core/config/utils.py

@@ -5,6 +5,7 @@ import platform
 from dataclasses import is_dataclass
 from types import UnionType
 from typing import Any, MutableMapping, get_args, get_origin
+from uuid import uuid4
 
 import toml
 from dotenv import load_dotenv
@@ -19,7 +20,10 @@ from openhands.core.config.config_utils import (
 from openhands.core.config.llm_config import LLMConfig
 from openhands.core.config.sandbox_config import SandboxConfig
 from openhands.core.config.security_config import SecurityConfig
+from openhands.storage import get_file_store
+from openhands.storage.files import FileStore
 
+JWT_SECRET = '.jwt_secret'
 load_dotenv()
 
 
@@ -195,6 +199,16 @@ def load_from_toml(cfg: AppConfig, toml_file: str = 'config.toml'):
         )
 
 
+def get_or_create_jwt_secret(file_store: FileStore) -> str:
+    try:
+        jwt_secret = file_store.read(JWT_SECRET)
+        return jwt_secret
+    except FileNotFoundError:
+        new_secret = uuid4().hex
+        file_store.write(JWT_SECRET, new_secret)
+        return new_secret
+
+
 def finalize_config(cfg: AppConfig):
     """More tweaks to the config after it's been loaded."""
     if cfg.workspace_base is not None:
@@ -223,6 +237,11 @@ def finalize_config(cfg: AppConfig):
     if cfg.cache_dir:
         pathlib.Path(cfg.cache_dir).mkdir(parents=True, exist_ok=True)
 
+    if not cfg.jwt_secret:
+        cfg.jwt_secret = get_or_create_jwt_secret(
+            get_file_store(cfg.file_store, cfg.file_store_path)
+        )
+
 
 # Utility function for command line --group argument
 def get_llm_config_arg(