Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat(electric): Try decoding the JWT key using base64 only when the config option is set #1168

Merged
merged 4 commits into from
Apr 22, 2024
Merged

feat(electric): Try decoding the JWT key using base64 only when the config option is set #1168

merged 4 commits into from
Apr 22, 2024

Conversation

alco
Copy link
Member

@alco alco commented Apr 18, 2024
edited

This reverts the change introduced in the 0.9.3 release where the configured signing key would get automatically decoded if it looked like a valid base64-encoded string. That change has caused unintended problems to arise for users of Supabase Auth since its secret keys are base64-encoded but are meant to be used as is.

This PR introduces a separate configuration option AUTH_JWT_KEY_IS_BASE64_ENCODED. Corresponding doc update - #1169.

@linear Linear
Copy link

linear bot commented Apr 18, 2024

VAX-1738 Supabase Auth JWT Key

@alco alco mentioned this pull request Apr 18, 2024
Merged
@alco alco requested a review from magnetised April 22, 2024 08:57
magnetised
magnetised approved these changes Apr 22, 2024
View reviewed changes
Copy link
Contributor

@magnetised magnetised left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

eventually we can just reduce the entire app to env vars. 🥇

components/electric/test/electric/config_test.exs
@@ -72,6 +79,7 @@ defmodule Electric.ConfigTest do
validate_auth_config("secure",
alg: {"AUTH_JWT_ALG", "HS256"},
key: {"AUTH_JWT_KEY", String.duplicate(".", 32)},
key_is_base64_encoded: {"AUTH_JWT_KEY_IS_BASE64_ENCODED", false},
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we could just leave this explicit setting of this flag out to test the default behaviour, or add an explicit test for the default behaviour

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The default behaviour is to accept a string of sufficient length regardless of its encoding. This is already verified in the first assertion in this test, to the extent that the config with key_is_base64_encoded omitted from it is deemed valid.

The actual key decoding behaviour is tested in Auth.SecureTest.

@alco
Copy link
Member Author

alco commented Apr 22, 2024

eventually we can just reduce the entire app to env vars. 🥇

We could already benefit from using a hierarchical configuration language like TOML. It'll become more pressing as we add more configuration options to Electric over time.

@alco alco merged commit 27fcdfc into main Apr 22, 2024
5 checks passed
@alco alco deleted the alco/vax-1738-base64-encoded-jwt-key branch April 22, 2024 12:44
@alco alco mentioned this pull request Apr 22, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@magnetised magnetised magnetised approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@alco @magnetised