Load secrets from files

Putting secrets into environment variables is problematic because they
are inherited by sub-processes, they are easily leaked into logs, and
systems such as systemd and docker lack support for loading secrets into
environment variables.

Change the loading of secrets to be done by loading the content of a
file specified by an environment variable.
This commit is contained in:
Hornwitser 2025-05-20 00:43:29 +02:00
parent c9976af26b
commit 4444daaca9
3 changed files with 10 additions and 7 deletions


@ -1,4 +1,5 @@
import type { H3Event } from "h3";
import * as fs from "node:fs/promises";
let cachedCookieSecret: CryptoKey;
export async function useCookieSecret(event: H3Event) {
@ -6,9 +7,10 @@ export async function useCookieSecret(event: H3Event) {
return cachedCookieSecret;
const runtimeConfig = useRuntimeConfig(event);
if (!runtimeConfig.cookieSecretKeyFile) throw new Error("NUXT_COOKIE_SECRET_KEY_FILE not set.");
return cachedCookieSecret = await crypto.subtle.importKey(
"raw",
Buffer.from(runtimeConfig.cookieSecretKey, "base64url"),
Buffer.from(await fs.readFile(runtimeConfig.cookieSecretKeyFile, "utf-8"), "base64url"),
{ name: "HMAC", hash: "SHA-256" },
false,
["sign", "verify"],