next-firebase-auth
next-firebase-auth copied to clipboard
gladly-team
yarn install shouldn't require setting cookies.keys
Describe the bug
I do a yarn install as part of my Dockerfile image building steps and cookies.keys seem to be required.
Error observed:
ode:internal/process/promises:245
triggerUncaughtException(err, true /* fromPromise */);
^
Error: Invalid next-firebase-auth options: The "cookies.keys" setting must be set if "cookies.signed" is true.
at b (/build/node_modules/next-firebase-auth/build/index.node.js:2:9873)
at Object.init (/build/node_modules/next-firebase-auth/build/index.node.js:2:17601)
at init (/build/node_modules/next-firebase-auth/build/index.node.js:2:27068)
at initAuth (/build/.next/server/pages/_app.js:60:42)
at Object.8402 (/build/.next/server/pages/_app.js:330:1)
at __webpack_require__ (/build/.next/server/webpack-runtime.js:25:42)
at __webpack_exec__ (/build/.next/server/pages/_app.js:536:39)
at /build/.next/server/pages/_app.js:537:74
at Function.__webpack_require__.X (/build/.next/server/webpack-runtime.js:108:21)
at /build/.next/server/pages/_app.js:537:47 {
type: 'Error'
}
error Command failed with exit code 1.
Versions
next-firebase-auth version:
Firebase JS SDK: 8
Next.js: 0.14.3-alpha.0
Expected behavior
yarn install to not require cookies.keys
Full Dockerfile:
###
# Build stage
###
FROM node:15-alpine AS builder
WORKDIR /build
COPY package.json yarn.lock ./
RUN yarn install --frozen-lockfile
COPY . .
RUN yarn build && \
rm -rf .next/cache
###
# Exec Stage
###
FROM node:15-alpine
WORKDIR /app
COPY package.json yarn.lock ./
RUN yarn install --frozen-lockfile --production
COPY --from=builder /build/.next .next
COPY . .
CMD ["yarn", "start:production"]
The workaround is to add a temporary value for the cookie during build but unsure if that might have unintended security consequences. This is the additional step I added in the build phase of the docker image:
ENV COOKIE_SECRET_CURRENT=willbereplacedlater
I'm afraid that somehow this secret might persist somewhere in the docker image?
For context the reason this works for me is due to initAuth.js looking like this:
cookies: {
keys: [process.env.COOKIE_SECRET_CURRENT, process.env.COOKIE_SECRET_PREVIOUS],
httpOnly: true,
maxAge: 12 * 60 * 60 * 24 * 1000, // twelve days
overwrite: true,
path: '/',
sameSite: 'strict',
signed: true,
},
@samos123 Had this same problem. I got around it by copying my env into the working dir (I am using the example where the build happens in app and is run from root)
COPY --from=builder /app/.env* ./
I think yours would be closer to this:
COPY --from=builder ../build/.env* ./
(run this command AFTER)
WORKDIR /app
Thanks for the issue! @samos123 I don't see any security risks in your current workaround.
Related: #70
We can remove the build-time check here and rely on the already-existing runtime check here.
This change should merge into the v1.x branch, because the behavior is a (small) breaking change.
This workaround is not working for me. Am not sure if there is any issue with my code. Also is there any other workaround?
COPY . .
COPY --from=deps /app/node_modules ./node_modules
ENV NODE_ENV production
ENV COOKIES_SECRET_CURRENT $GITHUB_SHA
ENV COOKIES_SECRET_PREVIOUS $GITHUB_SHA
RUN npm run build
keys: [process.env.COOKIE_SECRET_CURRENT,process.env.COOKIE_SECRET_PREVIOUS],
httpOnly: true,
maxAge: 12 * 60 * 60 * 24 * 1000, // twelve days
overwrite: true,
path: '/',
sameSite: 'strict',
secure: process.env.NODE_ENV === 'production', // set this to false in local (non-HTTPS) development
signed: true,
