Comments (13)
@RobertB4 it's undocumented, but the local dev's JWT secret is hardcoded to `super-secret-jwt-token-with-at-least-32-characters-long`.
from supabase-js.
hey @hansy, the secret is available in your database, run `show app.settings.jwt_secret;` in the SQL editor to view it
there is no ability to set it yet (you could set this value in the database but it would not update on the supabase api server yet, we should build this capability in)
Is there any way to get the JWT secret during local development? My hosted version of supabase shows the JWT secret with `show app.settings.jwt_secret;`, but my local version does not.
ERROR: unrecognized configuration parameter "app.settings.jwt_secret"
I got in touch with Supabase support. If you're using the Supabase CLI, the environment variable you must set in `.env` is `SUPABASE_AUTH_JWT_SECRET`.
```console
$ grep JWT_SECRET .env
SUPABASE_AUTH_JWT_SECRET=something-boring-and-repetitive-boring-and-repetitive
$ yarn run supabase stop; yarn run supabase start
[...]
Started supabase local development setup.
API URL: http://localhost:54321
GraphQL URL: http://localhost:54321/graphql/v1
DB URL: postgresql://postgres:postgres@localhost:54322/postgres
Studio URL: http://localhost:54323
Inbucket URL: http://localhost:54324
JWT secret: something-boring-and-repetitive-boring-and-repetitive
```
You can then use the form at https://supabase.com/docs/guides/self-hosting#api-keys to compute `ANON_KEY`.
@hansy your code works for me.
@kiwicopple I will update the UI to show JWT secret
> we should build this capability in
For a first step we could even just expose it (read only) so that devs can get it easily. Should we put it down in the "Settings" section with the API keys? Or in the "Auth" section?
My initial thought is in the "Settings" - down where the developers will live. The "Auth" section might be more "business user" config
@soedirgo thank you so much, I saw that on the console and didn't even bother to think it was that 😄
I'm able to set the JWT secret via the UI for a hosted instance but not via the SQL Editor (getting `ERROR: 42501: permission denied to set parameter "app.settings.jwt_secret"`) when running:

```sql
alter database postgres
set "app.settings.jwt_secret" to 'super-secret-jwt-token-with-at-least-32-characters-long';
```
As long as devs know how to get the secret (via the SQL editor is more than fine), this isn't a huge priority. Thanks for yall's prompt response.
This might be a separate discussion but I can't seem to validate a token signature with the secret obtained from the editor. And this even after turning the secret back into a byte array (the way GoTrue signs the tokens: https://github.com/netlify/gotrue/blob/c2a56b766367217c280c80851d79af68f0031a5a/api/token.go#L166).
```go
package main

import (
	"fmt"

	"github.com/dgrijalva/jwt-go"
)

// Key as GoTrue uses it: the raw bytes of the secret string, not a base64-decoded form.
var jwtSecret = []byte("secret")
var token = "<ACCESS TOKEN HERE>"

func VerifyToken(tokenString string) (jwt.MapClaims, error) {
	token, err := jwt.Parse(tokenString, func(t *jwt.Token) (interface{}, error) {
		// Accept HMAC only; a token carrying another alg must not be checked against this key.
		if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
			return nil, fmt.Errorf("unexpected signing method: %v", t.Header["alg"])
		}
		return jwtSecret, nil
	})
	if err != nil {
		return nil, err // covers parse failures and "signature is invalid"
	}
	if !token.Valid {
		return nil, fmt.Errorf("invalid token")
	}
	claims, ok := token.Claims.(jwt.MapClaims)
	if !ok {
		return nil, fmt.Errorf("unexpected claims type")
	}
	return claims, nil
}

func main() {
	fmt.Println(VerifyToken(token)) // Prints: map[] signature is invalid
}
```
If anyone knows off the top of their head what I'm doing wrong, direction would be appreciated. Otherwise I'll plug away at this and report my findings for anyone else interested in using the JWT secret for signature verification.
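A stand-alone HS256 check of the kind the comment above is attempting, added here as an example (not code from the thread or from GoTrue) using only the Go standard library: `Sign` mints a token the way the linked GoTrue code does, with the raw bytes of the secret string as the HMAC key, and `Verify` refuses any other `alg`, compares signatures in constant time and checks `exp` before returning claims. The secret value used in the test is the local-dev default quoted earlier in the thread; the claims and timestamps are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// Claims is the subset of GoTrue access-token claims this example inspects.
type Claims struct {
	Role string `json:"role"`
	Exp  int64  `json:"exp"`
}
var enc = base64.RawURLEncoding
func hs256(key []byte, input string) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(input))
	return m.Sum(nil)
}
// Sign mints a token the way GoTrue does: the raw bytes of the secret string are the HMAC key.
func Sign(secret string, c Claims) string {
	body, _ := json.Marshal(c)
	input := enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + enc.EncodeToString(body)
	return input + "." + enc.EncodeToString(hs256([]byte(secret), input))
}
// Verify checks alg, signature and expiry (now = Unix seconds) before any claim is trusted.
func Verify(secret, token string, now int64) (Claims, error) {
	var c Claims
	p := strings.Split(token, ".")
	if len(p) != 3 {
		return c, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if h, err := enc.DecodeString(p[0]); err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "HS256" {
		return c, errors.New("unexpected alg") // also rejects alg=none and RS256 key confusion
	}
	if sig, err := enc.DecodeString(p[2]); err != nil || !hmac.Equal(sig, hs256([]byte(secret), p[0]+"."+p[1])) {
		return c, errors.New("signature is invalid")
	}
	if b, err := enc.DecodeString(p[1]); err != nil || json.Unmarshal(b, &c) != nil {
		return c, errors.New("bad claims")
	}
	if c.Exp != 0 && now >= c.Exp {
		return c, errors.New("token expired")
	}
	return c, nil
}
```

A token pasted from a Supabase session can be passed straight to `Verify` with the secret shown by the CLI; if it fails with "signature is invalid" while a freshly signed one passes, the secret string itself is the thing to re-check.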
@phamhieu could we expose this in a new panel on the API settings? (read only for now)
@awalias any thoughts on the signature validation? Can you replicate on GoTrue?
@phamhieu huh weird it didn't for me, but I'll take your word for it. That's good news! Thanks for your help!
Also the UI is showing the secret now @hansy - Hiue made the updates a few days back.
If you're happy with this, feel free to close!
Closing for now - feel free to reopen