
Laravel Passport keys not available in Lambda

Open Rezrazi opened this issue 2 years ago • 10 comments

Description:

Having Passport installed, and following the instructions described here https://bref.sh/docs/laravel/passport I'm unable to get Passport working, throwing an exception: Invalid key supplied

Investigation so far:

  • serverless.yml is updated to include oauth keys into the bundle
  • Downloading the zip manually from S3 does indeed show the keys being included in the bundle (cf. screenshot)
  • Dumping the contents from inside the Lambda
        $tmp = Storage::build('/tmp');

        dd(
            $tmp->allFiles(),
            $tmp->allDirectories(),
            storage_path(),
            shell_exec(
                'ls -la ' . storage_path()
            )
        );

CleanShot 2023-10-17 at 22 00 41@2x

CleanShot 2023-10-17 at 21 54 16@2x

How to reproduce:

  • Install Laravel
  • Install laravel/passport
  • Generate passport keys and persist them in serverless.yml
  • Deploy

Rezrazi avatar Oct 17 '23 20:10 Rezrazi

Probably you should not try to store the private key in plain text in the lambda image, but instead load it via secrets manager into an env variable at runtime.

GrahamCampbell avatar Oct 20 '23 10:10 GrahamCampbell

Note that this is indeed a regression with the Bref bridge v2.

It's because the BrefServiceProvider sets storage_path to /tmp/storage now. We may want to copy any file in storage/ being deployed into /tmp/storage (that's what we do in the Symfony bridge for example). Or maybe there's a better alternative to imagine.

mnapoli avatar Oct 20 '23 12:10 mnapoli

@GrahamCampbell Yeah, I did end up doing that. I was experimenting with an existing app when I noticed this behavior.

@mnapoli sorry if I'm not too knowledgeable with Bref v1, but was there any particular reason to put internals in a /tmp/storage path?

Rezrazi avatar Oct 20 '23 18:10 Rezrazi

@Rezrazi anything outside /tmp is read-only, so it was creating problems when using the Laravel cache.

mnapoli avatar Oct 22 '23 13:10 mnapoli

> Probably you should not try to store the private key in plain text in the lambda image, but instead load it via secrets manager into an env variable at runtime.

Please remember that the Lambda ENV has a 4K limit! An RSA key pair generated by php artisan passport:keys could easily meet the limit.

wojo1206 avatar Jan 09 '24 23:01 wojo1206

I followed the documentation for Laravel Passport setup. I think the documentation isn't clear or the solution for this is still a work in progress. My setup (as described in docs):

# serverless.yml

package:
    patterns:
        - ...
        # Exclude the 'storage' directory
        - '!storage/**'
        # Except the public and private keys required by Laravel Passport
        - 'storage/oauth-private.key'
        - 'storage/oauth-public.key' 

On serverless deploy the keys are being copied into the storage/ path, not to /tmp/storage as one might expect! Luckily, Passport can adjust the path with Passport::loadKeysFrom('storage');

wojo1206 avatar Jan 10 '24 15:01 wojo1206

Thanks for sharing the workaround! If you have the time for a pull request (https://github.com/brefphp/bref/blob/master/docs/laravel/passport.mdx) that would be awesome!

mnapoli avatar Jan 10 '24 18:01 mnapoli

I don't know if the behavior I observed is expected. Maybe on deploy bref could copy contents of package (as defined in serverless.yml) into /tmp/storage and never use storage? Right now, bref maintains two storage paths.

wojo1206 avatar Jan 10 '24 18:01 wojo1206

Ideally it should copy the files, yes. But that's not implemented right now, so in the meantime mentioning the trick in the documentation is the best option I think.

mnapoli avatar Jan 11 '24 15:01 mnapoli
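
The copy step discussed above (deployed storage/ files into /tmp/storage) can be done in application code until the bridge does it. The sketch below is an added example, not code from Bref, Passport or anyone in this thread: `copyPackagedKeys` and the demo directories are hypothetical, and in a Laravel app it would be called at boot with `base_path('storage')` as the source and `storage_path()` as the destination.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (not part of Bref or Passport): copy key files from the
// read-only deployed storage/ directory into the writable runtime storage directory.
function copyPackagedKeys(string $packagedDir, string $runtimeDir, array $names): array
{
    if (!is_dir($runtimeDir) && !mkdir($runtimeDir, 0700, true) && !is_dir($runtimeDir)) {
        throw new RuntimeException("Cannot create $runtimeDir");
    }
    $copied = [];
    foreach ($names as $name) {
        $src = $packagedDir . DIRECTORY_SEPARATOR . $name;
        $dst = $runtimeDir . DIRECTORY_SEPARATOR . $name;
        if (!is_file($src)) {
            throw new RuntimeException("Key missing from deployment package: $src");
        }
        // Warm invocations reuse /tmp, so skip files that are already identical.
        if (is_file($dst) && hash_file('sha256', $dst) === hash_file('sha256', $src)) {
            continue;
        }
        // Copy under a temporary name so an interrupted copy never leaves a truncated key.
        $tmp = $dst . '.' . bin2hex(random_bytes(4));
        if (!copy($src, $tmp) || !chmod($tmp, 0600) || !rename($tmp, $dst)) {
            @unlink($tmp);
            throw new RuntimeException("Failed to install $name into $runtimeDir");
        }
        $copied[] = $name;
    }
    return $copied;
}

// Constructed demo: temp directories stand in for the deployed storage/ and /tmp/storage.
$base = sys_get_temp_dir() . '/bref-demo-' . bin2hex(random_bytes(4));
mkdir("$base/storage", 0700, true);
file_put_contents("$base/storage/oauth-private.key", "constructed placeholder, not a real key\n");
file_put_contents("$base/storage/oauth-public.key", "constructed placeholder, not a real key\n");
$names = ['oauth-private.key', 'oauth-public.key'];

var_dump(copyPackagedKeys("$base/storage", "$base/tmp/storage", $names)); // first call (cold start)
var_dump(copyPackagedKeys("$base/storage", "$base/tmp/storage", $names)); // second call (warm container)
```

This still ships the private key inside the deployment package, so it does not address the earlier comment about storing it in plain text; it only makes the packaged files visible at the path `storage_path()` returns.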

@mnapoli Please let me know if you've discovered a method to copy any file located in storage/ to be deployed into /tmp/storage.

> Note that this is indeed a regression with the Bref bridge v2.
>
> It's because the BrefServiceProvider sets storage_path to /tmp/storage now. We may want to copy any file in storage/ being deployed into /tmp/storage (that's what we do in the Symfony bridge for example). Or maybe there's a better alternative to imagine.

maulikpatelbtech avatar Jun 26 '24 13:06 maulikpatelbtech