Closed hansy closed 3 years ago
hey @hansy , the secret is available in your database, run show app.settings.jwt_secret;
in the SQL editor to view it
there is no ability to set it yet (you could set this value in the database but it would not update on the supabase api server yet, we should build this capability in)
we should build this capability in
For a first step we could even just expose it (read only) so that devs can get it easily. Should we put it down in the "Settings" section with the API keys? Or in the "Auth" section?
My initial thought is in the "Settings" - down where the developers will live. The "Auth" section might be more "business user" config
As long as devs know how to get the secret (via the SQL editor is more than fine), this isn't a huge priority. Thanks for yall's prompt response.
This might be a separate discussion but I can't seem to validate a token signature with the secret obtained from the editor. And this even after turning the secret back into a byte array (the way GoTrue signs the tokens: https://github.com/netlify/gotrue/blob/c2a56b766367217c280c80851d79af68f0031a5a/api/token.go#L166).
package main
import (
"fmt"
"github.com/dgrijalva/jwt-go"
)
var jwtSecret = []byte("secret")
var token = "<ACCESS TOKEN HERE>"
func VerifyToken(tokenString string) (c jwt.MapClaims, err error) {
token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
return jwtSecret, nil
})
if !token.Valid {
return
}
tokenMap, _ := token.Claims.(jwt.MapClaims)
return tokenMap, err
}
func main() {
fmt.Println(VerifyToken(token)) // Prints: map[] signature is invalid
}
If anyone knows off the top of their head what I'm doing wrong, direction would be appreciated. Otherwise I'll plug away at this and report my findings for anyone else interested in using the JWT secret for signature verification.
@phamhieu could we expose this in a new panel on the API settings? (read only for now)
@awalias any thoughts on the signature validation? Can you replicate on GoTrue?
@hansy your code works for me.
@kiwicopple I will update the UI to show JWT secret
@phamhieu huh weird it didn't for me, but I'll take your word for it. That's good news! Thanks for your help!
Also the UI is showing the secret now @hansy - Hiue made the updates a few days back.
If you're happy with this, feel free to close!
Closing for now - feel free to reopen
Is there any way to get the JWT secret during local development? My hosted version of supabase shows the JWT secret with show app.settings.jwt_secret;
, but my local version does not.
ERROR: unrecognized configuration parameter "app.settings.jwt_secret"
@RobertB4 it's undocumented, but the local dev's JWT secret is hardcoded to super-secret-jwt-token-with-at-least-32-characters-long
.
@soedirgo thank you so much, I saw that on the console and didn't even bothered to think it was that 😄
I got in touch with Supabase support. If you're using the Supabase CLI, the environment variable you must set in .env
is SUPABASE_AUTH_JWT_SECRET
.
$ grep JWT_SECRET .env
SUPABASE_AUTH_JWT_SECRET=something-boring-and-repetitive-boring-and-repetitive
$ yarn run supabase stop; yarn run supabase start
[...]
Started supabase local development setup.
API URL: http://localhost:54321
GraphQL URL: http://localhost:54321/graphql/v1
DB URL: postgresql://postgres:postgres@localhost:54322/postgres
Studio URL: http://localhost:54323
Inbucket URL: http://localhost:54324
JWT secret: something-boring-and-repetitive-boring-and-repetitive
You can then use the form at https://supabase.com/docs/guides/self-hosting#api-keys to compute ANON_KEY
.
I'm able to set the JWT secret via the UI for a hosted instance but not via the SQL Editor (getting ERROR: 42501: permission denied to set parameter "app.settings.jwt_secret"
) when running:
alter database postgres
set
"app.settings.jwt_secret" to 'super-secret-jwt-token-with-at-least-32-characters-long';
Question
Is there a way to get or set the secret used to sign the JWT access tokens? My use case is to use the Supabase-generated tokens for authorization in other micro-services, so having the secret will help verify their signatures.