Load secrets from files
Putting secrets into environment variables is problematic due to them being inherited by sub-processes, the ease as which these can be leaked in logs, and the lack of support for loading secrets into environment variables by systems such as systemd and docker. Change the loading of secrets to be done by loading the content of a file specified by an environment variable.
This commit is contained in:
parent
c9976af26b
commit
4444daaca9
3 changed files with 10 additions and 7 deletions
|
|
@ -3,9 +3,9 @@ export default defineNuxtConfig({
|
|||
compatibilityDate: '2024-11-01',
|
||||
devtools: { enabled: true },
|
||||
runtimeConfig: {
|
||||
cookieSecretKey: "",
|
||||
cookieSecretKeyFile: "",
|
||||
vapidSubject: "",
|
||||
vapidPrivateKey: "",
|
||||
vapidPrivateKeyFile: "",
|
||||
public: {
|
||||
defaultTimezone: "Europe/Oslo",
|
||||
vapidPublicKey: "",
|
||||
|
|
|
|||
|
|
@ -1,4 +1,5 @@
|
|||
import type { H3Event } from "h3";
|
||||
import * as fs from "node:fs/promises";
|
||||
|
||||
let cachedCookieSecret: CryptoKey;
|
||||
export async function useCookieSecret(event: H3Event) {
|
||||
|
|
@ -6,9 +7,10 @@ export async function useCookieSecret(event: H3Event) {
|
|||
return cachedCookieSecret;
|
||||
|
||||
const runtimeConfig = useRuntimeConfig(event);
|
||||
if (!runtimeConfig.cookieSecretKeyFile) throw new Error("NUXT_COOKIE_SECRET_KEY_FILE not set.");
|
||||
return cachedCookieSecret = await crypto.subtle.importKey(
|
||||
"raw",
|
||||
Buffer.from(runtimeConfig.cookieSecretKey, "base64url"),
|
||||
Buffer.from(await fs.readFile(runtimeConfig.cookieSecretKeyFile, "utf-8"), "base64url"),
|
||||
{ name: "HMAC", hash: "SHA-256" },
|
||||
false,
|
||||
["sign", "verify"],
|
||||
|
|
|
|||
|
|
@ -1,3 +1,4 @@
|
|||
import * as fs from "node:fs/promises";
|
||||
import type { H3Event } from "h3";
|
||||
import webPush from "web-push";
|
||||
import { readSubscriptions, writeSubscriptions } from "~/server/database";
|
||||
|
|
@ -8,7 +9,7 @@ let cachedVapidDetails: {
|
|||
privateKey: string,
|
||||
} | undefined;
|
||||
|
||||
function useVapidDetails(event: H3Event) {
|
||||
async function useVapidDetails(event: H3Event) {
|
||||
if (cachedVapidDetails) {
|
||||
return cachedVapidDetails;
|
||||
}
|
||||
|
|
@ -16,17 +17,17 @@ function useVapidDetails(event: H3Event) {
|
|||
const runtimeConfig = useRuntimeConfig(event);
|
||||
if (!runtimeConfig.vapidSubject) throw new Error("NUXT_VAPID_SUBJECT not set.")
|
||||
if (!runtimeConfig.public.vapidPublicKey) throw new Error("NUXT_PUBLIC_VAPID_PUBLIC_KEY not set.")
|
||||
if (!runtimeConfig.vapidPrivateKey) throw new Error("NUXT_VAPID_PRIVATE_KEY not set.")
|
||||
if (!runtimeConfig.vapidPrivateKeyFile) throw new Error("NUXT_VAPID_PRIVATE_KEY_FILE not set.")
|
||||
|
||||
return cachedVapidDetails = {
|
||||
subject: runtimeConfig.vapidSubject,
|
||||
publicKey: runtimeConfig.public.vapidPublicKey,
|
||||
privateKey: runtimeConfig.vapidPrivateKey,
|
||||
privateKey: await fs.readFile(runtimeConfig.vapidPrivateKeyFile, "utf-8"),
|
||||
}
|
||||
}
|
||||
|
||||
export async function sendPush(event: H3Event, title: string, body: string) {
|
||||
const vapidDetails = useVapidDetails(event);
|
||||
const vapidDetails = await useVapidDetails(event);
|
||||
const payload = JSON.stringify({ title, body });
|
||||
const subscriptions = await readSubscriptions();
|
||||
console.log(`Sending "${payload}" to ${subscriptions.length} subscribers`);
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue