
Comments (13)

soedirgo commented on June 17, 2024 (25)

@RobertB4 it's undocumented, but the local dev's JWT secret is hardcoded to super-secret-jwt-token-with-at-least-32-characters-long.

from supabase-js.

awalias commented on June 17, 2024 (11)

hey @hansy, the secret is available in your database, run show app.settings.jwt_secret; in the SQL editor to view it

there is no ability to set it yet (you could set this value in the database but it would not update on the supabase api server yet, we should build this capability in)


RobertB4 commented on June 17, 2024 (7)

Is there any way to get the JWT secret during local development? My hosted version of supabase shows the JWT secret with show app.settings.jwt_secret;, but my local version does not.

ERROR:  unrecognized configuration parameter "app.settings.jwt_secret"


thomergil commented on June 17, 2024 (7)

I got in touch with Supabase support. If you're using the Supabase CLI, the environment variable you must set in .env is SUPABASE_AUTH_JWT_SECRET.

$ grep JWT_SECRET .env
SUPABASE_AUTH_JWT_SECRET=something-boring-and-repetitive-boring-and-repetitive

$ yarn run supabase stop; yarn run supabase start
[...]
Started supabase local development setup.

         API URL: http://localhost:54321
     GraphQL URL: http://localhost:54321/graphql/v1
          DB URL: postgresql://postgres:postgres@localhost:54322/postgres
      Studio URL: http://localhost:54323
    Inbucket URL: http://localhost:54324
      JWT secret: something-boring-and-repetitive-boring-and-repetitive

You can then use the form at https://supabase.com/docs/guides/self-hosting#api-keys to compute ANON_KEY.


phamhieu commented on June 17, 2024 (3)

@hansy your code works for me.

Screenshot 2020-09-01 at 3 53 23 PM

@kiwicopple I will update the UI to show JWT secret


kiwicopple commented on June 17, 2024 (1)

we should build this capability in

For a first step we could even just expose it (read only) so that devs can get it easily. Should we put it down in the "Settings" section with the API keys? Or in the "Auth" section?

My initial thought is in the "Settings" - down where the developers will live. The "Auth" section might be more "business user" config


kengru commented on June 17, 2024 (1)

@soedirgo thank you so much, I saw that on the console and didn't even bother to think it was that 😄


huyouare commented on June 17, 2024 (1)

I'm able to set the JWT secret via the UI for a hosted instance but not via the SQL Editor (getting ERROR: 42501: permission denied to set parameter "app.settings.jwt_secret") when running:

alter database postgres
set
  "app.settings.jwt_secret" to 'super-secret-jwt-token-with-at-least-32-characters-long';


hansy commented on June 17, 2024

As long as devs know how to get the secret (via the SQL editor is more than fine), this isn't a huge priority. Thanks for y'all's prompt response.

This might be a separate discussion but I can't seem to validate a token signature with the secret obtained from the editor. And this even after turning the secret back into a byte array (the way GoTrue signs the tokens: https://github.com/netlify/gotrue/blob/c2a56b766367217c280c80851d79af68f0031a5a/api/token.go#L166).

package main

import (
	"fmt"

	"github.com/dgrijalva/jwt-go"
)

// The raw secret bytes, exactly as GoTrue uses them ([]byte(secret), no decoding).
var jwtSecret = []byte("secret")
var token = "<ACCESS TOKEN HERE>"

func VerifyToken(tokenString string) (jwt.MapClaims, error) {
	parsed, err := jwt.Parse(tokenString, func(t *jwt.Token) (interface{}, error) {
		// Pin the algorithm family before handing out the key: a token whose
		// header says "none" or RS256 must not be checked against an HMAC secret.
		if _, ok := t.Method.(*jwt.SigningMethodHMAC); !ok {
			return nil, fmt.Errorf("unexpected signing method %v", t.Header["alg"])
		}
		return jwtSecret, nil
	})
	if err != nil {
		return nil, err
	}
	// jwt.Parse can return a nil token on a malformed input; guard before dereferencing.
	if parsed == nil || !parsed.Valid {
		return nil, fmt.Errorf("invalid token")
	}
	claims, ok := parsed.Claims.(jwt.MapClaims)
	if !ok {
		return nil, fmt.Errorf("unexpected claims type %T", parsed.Claims)
	}
	return claims, nil
}

func main() {
	fmt.Println(VerifyToken(token)) // Prints: map[] signature is invalid
}

If anyone knows off the top of their head what I'm doing wrong, direction would be appreciated. Otherwise I'll plug away at this and report my findings for anyone else interested in using the JWT secret for signature verification.

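As an added example that is not part of this thread and not Supabase's or GoTrue's own code: the Go program below does both things the thread circles around. It mints a long-lived anon / service_role API key from the JWT secret, which is what the self-hosting form thomergil links computes, and it verifies a token the way GoTrue signs one, HS256 keyed with the raw secret bytes, with the alg pinned before the key is used. Assumptions: the local-dev secret string quoted at the top of the thread; a claim set of iss, role, iat and exp with a ten-year expiry for generated keys; and that GoTrue signs with []byte(secret) over the compact JWS signing input, as the token.go line hansy links does. The function names signHS256, apiKey and verifyHS256 are this example's own.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// ASSUMPTION: the local-dev secret quoted at the top of this thread; replace it
// with the "JWT secret" your own `supabase start` prints.
const jwtSecret = "super-secret-jwt-token-with-at-least-32-characters-long"

var b64 = base64.RawURLEncoding // JWS uses unpadded base64url

// signHS256 builds a compact JWS as GoTrue does: HMAC-SHA256 over
// base64url(header).base64url(payload), keyed with the raw secret bytes.
func signHS256(claims map[string]interface{}, secret []byte) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64.EncodeToString(mac.Sum(nil)), nil
}

// apiKey mints an anon / service_role key from the JWT secret (claim set assumed).
func apiKey(role string, secret []byte, issuedAt time.Time) (string, error) {
	return signHS256(map[string]interface{}{
		"iss":  "supabase",
		"role": role,
		"iat":  issuedAt.Unix(),
		"exp":  issuedAt.Add(10 * 365 * 24 * time.Hour).Unix(),
	}, secret)
}

// verifyHS256 checks signature and expiry and returns the claims. The alg is
// pinned to HS256 before the key is used, so a header rewritten to "none" or to
// an asymmetric alg is rejected instead of being verified against the secret.
func verifyHS256(token string, secret []byte, now time.Time) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	headerJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(headerJSON, &header); err != nil {
		return nil, err
	}
	if header.Alg != "HS256" {
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if !hmac.Equal(sig, mac.Sum(nil)) { // constant-time compare
		return nil, errors.New("signature is invalid")
	}
	payloadJSON, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(payloadJSON, &claims); err != nil {
		return nil, err
	}
	if exp, ok := claims["exp"].(float64); ok && now.Unix() >= int64(exp) {
		return nil, errors.New("token expired")
	}
	return claims, nil
}

func main() {
	secret := []byte(jwtSecret)
	anon, _ := apiKey("anon", secret, time.Now())
	fmt.Println("ANON_KEY =", anon)
	claims, err := verifyHS256(anon, secret, time.Now())
	fmt.Println(claims["role"], err)
	// The usual cause of "signature is invalid": the secret was transformed
	// (base64- or hex-decoded) or picked up a trailing newline from a file.
	_, err = verifyHS256(anon, []byte(jwtSecret+"\n"), time.Now())
	fmt.Println(err)
}
```

Two things worth noting when adapting this. The secret is used as the literal string bytes; any "turning it back into a byte array" beyond []byte(secret), or a newline left over from reading it out of .env, changes the MAC and produces exactly the "signature is invalid" error from the thread. And the alg pin is not optional: a verifier that hands out the HMAC key for whatever algorithm the token's header names can be driven to accept an unsigned or otherwise forged token, which is why the jwt-go snippet above should also check the signing method in its key callback.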

kiwicopple commented on June 17, 2024

@phamhieu could we expose this in a new panel on the API settings? (read only for now)


@awalias any thoughts on the signature validation? Can you replicate on GoTrue?


hansy commented on June 17, 2024

@phamhieu huh weird it didn't for me, but I'll take your word for it. That's good news! Thanks for your help!


kiwicopple commented on June 17, 2024

Also the UI is showing the secret now @hansy - Hiue made the updates a few days back.

If you're happy with this, feel free to close!


kiwicopple commented on June 17, 2024

Closing for now - feel free to reopen

