New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Don't require KEY
or SECRET
to be set on startup
#22320
Conversation
🦋 Changeset detectedLatest commit: 25e0b9a The changes in this PR will be included in the next version bump. This PR includes changesets to release 3 packages
Not sure what this means? Click here to learn what changesets are. Click here if you're a maintainer who wants to add another changeset to this PR |
KEY
or SECRET
to be set on startup
Co-authored-by: Pascal Jufer <[email protected]>
Co-authored-by: Pascal Jufer <[email protected]>
This comment was marked as resolved.
This comment was marked as resolved.
I think it would still be good to explicitly warn users when the Similar to the auto-generated admin email/password when bootstrapping a new Directus project:
We should also a log which secret was generated so the user can potentially use the same database without having to redo the hashed passwords of users.
|
Such a warning has already been implemented, see https://github.com/directus/directus/pull/22320/files#diff-8b022aa0e0965067888eadfbc456aade35f80d85aafe1e05f5fdbb060f900653R19-R21.
I like that idea 👍 Would be in line with the "admin password". |
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
The difference is that you need the admin password to be able to login to the project, whereas you don't need to know what the secret is for it to be able to run 🙂 |
Hmm, right! And after reading Tim's comment again: The secret is only used for the JWTs, so it would still be possible to use the same database, the users just need to get a new token 👍 My only remaining concern is that the warning about the missing secret is only logged as soon as it is actually used. The warning could therefore be overlooked. Do you think we can do the check & warn at server startup, along the following lines? Lines 77 to 79 in 84ba56e
|
Yeah lets do it 👍🏻 |
Scope
What's changed:
Dropped the requirement to have
KEY
andSECRET
set.KEY
hasn't really been used for anything meaningful thatPUBLIC_URL
isn't already used for so can be removed.SECRET
should be set for production uses, but can be autogenerated on startup for local Docker container debugging and testing.Potential Risks / Drawbacks
SECRET
env var for production use. This is a similar issue to forgetting to set any of the other prod env vars though, so the solution should be the same (a prod checklist in docs)Review Notes / Questions