Closed drdaz closed 5 years ago
Can you try to put the key as the data of the buffer as a string instead of the buffer JSON object?
You mean something like this?
{
  "ios": {
    "token": {
      "key": "45, 45, ... 45",
      "keyId": "MYKEYID",
      "teamId": "MYTEAMID"
    },
    "topic": "com.myApp",
    "production": false
  }
}
EDIT: Removed braces
@flovilmart If I put the data in a string as above, I get the following error:
Failed loading token key: ENAMETOOLONG: name too long, open
... I guess it interprets that as a filename.
Would it be possible for you to pass it as a path?
I don't think so; I'd have to copy the unencrypted token to the parse-server image.
I have a feeling it's syntax. I messed around with this JSON a lot trying to pass it as an environment variable into docker.
This seems to be where the magic happens in node-apn:
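function resolveCredential(value) {
  if (!value) {
    return value;
  }
  // A string containing a PEM header is used as-is
  if (/-----BEGIN ([A-Z\s*]+)-----/.test(value)) {
    return value;
  }
  // A real Buffer instance is used as-is
  else if (Buffer.isBuffer(value)) {
    return value;
  }
  // Anything else is treated as a file path
  else {
    return fs.readFileSync(value);
  }
}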
Where is this line in node-apn?
lib/credentials/resolve.js
That's pretty much the whole file.
Right, and your token does not begin with ---BEGIN...
Ok that's because heroku does not properly support VOLUMES 😢
This is quite sad, would you be willing to open a PR on this repo? The strategy would be to try to JSON parse the key, and if it succeeds, create a Buffer instance with the underlying data.
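The strategy proposed above (JSON-parse the key and build a Buffer from the underlying data), sketched as an added example; it is not code from node-apn or from this repository. `keyToBuffer`, `checked` and the sample key are hypothetical and constructed, and the comma-separated branch goes beyond the proposal to cover the string form tried earlier in the thread.

```javascript
// Hypothetical helper (added example); not part of node-apn or the push adapter.
const PEM_HEADER = /-----BEGIN ([A-Z\s*]+)-----/; // same test node-apn applies

// Accept decoded bytes only if they turn out to be PEM text.
function checked(buf) {
  return PEM_HEADER.test(buf.toString("utf8")) ? buf : null;
}

// Normalize an inline key into a Buffer that passes Buffer.isBuffer().
// Returns null for anything else, so a caller never hands a long
// non-path string to fs.readFileSync (the ENAMETOOLONG case above).
function keyToBuffer(value) {
  if (Buffer.isBuffer(value)) return value;
  // JSON.parse of a serialized Buffer yields a plain object, not a Buffer.
  if (value && typeof value === "object") {
    return value.type === "Buffer" && Array.isArray(value.data)
      ? checked(Buffer.from(value.data))
      : null;
  }
  if (typeof value !== "string") return null;
  // The serialized Buffer, still in string form.
  if (value.trim().startsWith("{")) {
    try { return keyToBuffer(JSON.parse(value)); } catch (e) { return null; }
  }
  // PEM text, possibly with literal "\n" left over from env-var escaping.
  if (PEM_HEADER.test(value)) return Buffer.from(value.replace(/\\n/g, "\n"));
  // Comma-separated byte values, e.g. "45, 45, ...".
  const parts = value.split(",").map((s) => s.trim());
  if (parts.length > 1 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255)) {
    return checked(Buffer.from(parts.map(Number)));
  }
  return null;
}

// Constructed sample, not a real key.
const SAMPLE_PEM =
  "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n";
const serialized = JSON.stringify(Buffer.from(SAMPLE_PEM));

console.log(Buffer.isBuffer(JSON.parse(serialized)));           // false
console.log(keyToBuffer(serialized).toString() === SAMPLE_PEM); // true
console.log(keyToBuffer("path/to/key.p8"));                     // null
```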
My token does have a first line that matches the regex. At least in an online evaluator:
"-----BEGIN PRIVATE KEY-----"
I guess the codepath is not taken then, did you try locally by adding some logs?
I didn't; I'm using the docker image. I should get some sleep; it's nearly midnight here 😴
I've opened a similar issue on node-apn in hope somebody can shed light on this.
Although the repo doesn't look all that active :-/
I don’t believe the issue is with node-apn. At least I am not sure that the codepath you mention is taken when you provide your key this way.
It might not be; I'll see if I can confirm I hit that code.
Regardless, it looks like a point where their documentation is either lacking or incorrect. While it's allegedly possible to do this, there are no instructions as to how to do so.
When you pass the JSON object of a buffer, this is not a buffer instance, as specified in the documentation.
As for Docker, you could copy the key to a file.
Do you have any cloud code?
I could copy the key. But unlike the other crypto assets used in Apple's notifications, the .p8 files for tokens don't seem to have a passworded version that I could safely include in the docker image. Unless we consider the other 2 required fields to be security enough?
I do have Cloud Code. That's where the notifications are fired :)
So you could very well write your file from an environment variable, when building the image.
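ARG PUSH_TOKEN
# Quote the variable so the PEM line breaks survive word splitting.
# Build args used in RUN remain visible in `docker history` for the image.
RUN printf '%s\n' "$PUSH_TOKEN" > path/to/key.p8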
Yes. But I assume the presence of that file unencrypted on the live image to be a security issue. Compromise the server, and you've got my private key.
Although now we're talking about it... I'm not sure it makes a huge difference once the server has been compromised whether the data is on the filesystem, or available as an environment variable...
As an environment variable it’s the same. If your server is compromised, it’s game over. You can password protect your private key, then use an environment variable to unlock it.
Another option that you didn’t consider is to use a config.js file.
The docker image can take a configuration file as a JS script. This configuration can then parse part of the env vars, and create a new Buffer(process.env.PUSH_TOKEN)
Do you see what I mean?
I think I get it...
I went for the env variable option because I try and leave Parse (and all other 'off the shelf' products) as 'clean' as possible, and that seemed like the least invasive way to access the needed data. It also struck me as more secure.
I can see some of that thinking may have been a little misguided :)
So that would be pretty straightforward:
// config.js
module.exports = {
  // appId: "applicationId" // not needed if you pass the environment variables ;)
  // feel free to put non critical configs here
  // all PARSE_SERVER_* env vars will be taken into account
  push: {
    ios: {
      "token": {
        // Buffer.from replaces the deprecated new Buffer(string) constructor
        "key": Buffer.from(process.env.PUSH_KEY),
        "keyId": "MYKEYID",
        "teamId": "MYTEAMID"
      },
      "topic": "com.myApp",
      "production": false
    }
  }
}
# Dockerfile
FROM parseplatform/parse-server
# your original dockerfile
COPY config.js ./
# Pass the entrypoint this way
ENTRYPOINT ["node", "bin/parse-server", "config.js"]
Thanks. I like that; it's definitely better than including the token in the image. This way my token isn't sitting in Heroku's repo.
As an aside, I found out yesterday (with some displeasure) that Heroku ignores ENTRYPOINT entries in Dockerfiles, and executes CMDs.
To get my Dockerfile to actually work on Heroku, I needed to include the following:
# This to null the ENTRYPOINT from parse-server's Dockerfile
ENTRYPOINT [ ]
CMD ["node", "/parse-server/bin/parse-server"]
I can't for the life of me find the link containing this info now... but it's kinda tiresome they implement Docker differently 😩
This is kinda problematic. :/ One day, I wish we'd do a full documentation on docker and k8s and heroku etc...
For this you should then do:
# This to null the ENTRYPOINT from parse-server's Dockerfile
ENTRYPOINT [ ]
CMD ["node", "/parse-server/bin/parse-server", "config.js"]
Let me know if this works? Having a config.js file is also very powerful as you can now leverage js (reference modules and packages, use a middleware etc...)
It certainly works. And I can see that's a handy pattern... thanks :)
JS on the whole is still a fairly new and fascinating thing for me.
The fact Heroku are saying they offer Docker hosting is just wrong when their hosting behaves differently to Docker 🤷🏼‍♂️ I do love their service and business model though.
I'd love to hear other EU friendly suggestions as to where to run small docker apps though, that don't require you to maintain the underlying host.
Glad to hear it works!
For your question, it would be better asked on the https://community.parseplatform.org forums!
Also, would be a nice topic for the forum: "deploying to heroku with Docker"
I discovered an unfortunate feature btw; the buffer containing the token data gets dumped to the logs if VERBOSE=true. Heh.
Oooh a forum. I had no idea... nice.
Yeah that’s annoying, would you be willing to make a PR to fix it? This is well isolated in the code.
Yeah I’ll take a look at it; any pointers as to where to look are appreciated :)
On 24 Jan 2019, at 15.50, Florent Vilmart notifications@github.com wrote:
I discovered an unfortunate feature btw; the buffer containing the token data gets dumped to the logs if VERBOSE=true. Heh.
Yeah that’s annoying, would you be willing to make a Pr to fix it? This is well isolated in the code
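One way to keep the key buffer out of verbose output, as an added example that is not parse-server's logging code: `redactForLog` and the list of secret field names are assumptions, and the key is a constructed sample.

```javascript
// Hypothetical redaction helper (added example); not parse-server's logger.
// The field names treated as secret are an assumption for this sketch.
const SECRET_FIELDS = new Set(["key", "passphrase"]);
const PEM_BLOCK = /-----BEGIN [A-Z ]+-----[\s\S]*?-----END [A-Z ]+-----/g;

// Serialize a config for logging with key material replaced by placeholders.
function redactForLog(config) {
  return JSON.stringify(config, function (name, value) {
    // JSON.stringify calls toJSON() before the replacer runs, so a Buffer
    // arrives here as { type: "Buffer", data: [...] }. The untouched value
    // is still reachable through the holder object, this[name].
    const original = this[name];
    if (Buffer.isBuffer(original)) {
      return `[redacted Buffer, ${original.length} bytes]`;
    }
    if (SECRET_FIELDS.has(name) && value != null) return "[redacted]";
    if (typeof value === "string") return value.replace(PEM_BLOCK, "[redacted PEM]");
    return value;
  });
}

// Constructed sample config mirroring the one in the thread; not a real key.
const DEMO_KEY =
  "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n";
const demoConfig = {
  ios: {
    token: { key: Buffer.from(DEMO_KEY), keyId: "MYKEYID", teamId: "MYTEAMID" },
    topic: "com.myApp",
    production: false,
  },
};

console.log(redactForLog(demoConfig));
```

Checking `Buffer.isBuffer(value)` inside the replacer would never match, which is why the helper looks at `this[name]` instead.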
I've deployed a parse-server app in Heroku that I'd been developing locally using Docker. This app uses push notifications, and so needs access to some crypto data to play with APNs.
Locally I mounted a volume with the token key file in it. On Heroku this isn't an option, and I don't want to bundle the key in the package unencrypted. I've been trying to encode the token key in the JSON argument to the "PARSE_SERVER_PUSH" environment variable in different ways. It seems what's needed is a Buffer, but I have no idea how to represent such a thing in JSON, and I haven't found anything through some searching.
I'm currently using this as my push config:
But the server chokes on the 'key' field:
The documentation (https://github.com/node-apn/node-apn/blob/master/doc/provider.markdown) suggests it's possible to encode the token data directly in the JSON:
Any ideas?