Merge pull request #14994 from Budibase/create-secret-key-once

Create JWT secret keys on boot.
2024-11-18 11:36:56 +00:00 · 2024-11-18 11:36:56 +00:00 · a746438008
parent 4d018f3d48 1bec450623
commit a746438008
2 changed files with 8 additions and 3 deletions
--- a/packages/backend-core/src/environment.ts
+++ b/packages/backend-core/src/environment.ts
@ -1,6 +1,7 @@
 import { existsSync, readFileSync } from "fs"
 import { ServiceType } from "@budibase/types"
 import { cloneDeep } from "lodash"
+import { createSecretKey } from "crypto"

 function isTest() {
  return isJest()
@ -126,8 +127,12 @@ const environment = {
  },
  BUDIBASE_ENVIRONMENT: process.env.BUDIBASE_ENVIRONMENT,
  JS_BCRYPT: process.env.JS_BCRYPT,
-  JWT_SECRET: process.env.JWT_SECRET,
-  JWT_SECRET_FALLBACK: process.env.JWT_SECRET_FALLBACK,
+  JWT_SECRET: process.env.JWT_SECRET
+    ? createSecretKey(Buffer.from(process.env.JWT_SECRET))
+    : undefined,
+  JWT_SECRET_FALLBACK: process.env.JWT_SECRET_FALLBACK
+    ? createSecretKey(Buffer.from(process.env.JWT_SECRET_FALLBACK))
+    : undefined,
  ENCRYPTION_KEY: process.env.ENCRYPTION_KEY,
  API_ENCRYPTION_KEY: getAPIEncryptionKey(),
  COUCH_DB_URL: process.env.COUCH_DB_URL || "http://localhost:4005",
--- a/packages/backend-core/src/security/tests/encryption.spec.ts
+++ b/packages/backend-core/src/security/tests/encryption.spec.ts
@ -4,7 +4,7 @@ import env from "../../environment"
 describe("encryption", () => {
  it("should throw an error if API encryption key is not set", () => {
    const jwt = getSecret(SecretOption.API)
-    expect(jwt).toBe(env.JWT_SECRET)
+    expect(jwt).toBe(env.JWT_SECRET?.export().toString())
  })

  it("should throw an error if encryption key is not set", () => {