Open sweatybridge opened 1 year ago
GoTrue has just too many secrets, it doesn't make sense to do this for each one.
I'm considering adding a GOTRUE_ENV_SECRETS_FILE
in which you can specify secrets as environment variables:
GOTRUE_JWT_SECRET=abcdef
Does that make sense?
For secrets only used by gotrue, I think it's ok to store them in a single file. Since JWT_SECRET
may be used by other services to decode auth token independently, it might be more useful to put it into a separate file. Also for secret rotation, it will be quite helpful to have them defined separately.
If there are too many secrets, I think it's ok to have one file for a start, then move specific ones out when the use case comes up.
any progress on, or plan to implement this?
db creds are (imo) the biggest upside as far as toil-reduction/security exposure.
Feature request
Is your feature request related to a problem? Please describe.
It would be great if gotrue supported Docker Secrets, and
*_FILE
versions of the variables that hold secrets, so that we can pass a secrets file vs. the raw value:The current
GOTRUE_JWT_SECRET
variable could still be supported alongsideGOTRUE_JWT_SECRET_FILE
, and the same for all other secrets. This would let current code continue to work, but migrate to a more secure method of injecting secrets.Describe the solution you'd like
A clear and concise description of what you want to happen.
Describe alternatives you've considered
entrypoint approach was rejected https://github.com/supabase/gotrue/pull/642
Additional context
upstream issue https://github.com/supabase/supabase/issues/6014