Allow overriding auto-generated internal project seed keys via environment variables
Description:
Currently, the Docker entrypoint.sh script includes the following lines:
export STACK_SEED_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY=$(openssl rand -base64 32)
export STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY=$(openssl rand -base64 32)
export STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY=$(openssl rand -base64 32)
These lines automatically generate new secrets on each container startup. While this works fine for single-container deployments, it causes issues in multi-container environments, where each container ends up with a different set of keys.
This leads to unexpected failures when the keys in the database are different from the variables in the container exposing the dashboard: POST https://0.0.0.0:8102/api/v1/auth/oauth/token: The OAuth client ID or secret is invalid. The client ID must be equal to the project ID (potentially with a hash and a branch ID), and the client secret must be a publishable client key.
Proposed Solution:
Before generating these secrets, the script should first check whether the environment variables are already set, and only generate them if they are missing. For example:
export STACK_SEED_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY=${STACK_SEED_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY:-$(openssl rand -base64 32)}
export STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY=${STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY:-$(openssl rand -base64 32)}
export STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY=${STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY:-$(openssl rand -base64 32)}
This allows users to define and control these variables externally to ensure consistent values across containers, while retaining the current fallback behavior for simpler setups.
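Added example (not from the issue or the project's entrypoint.sh): the proposed check written as a loop, with a simulated container start so the effect can be compared across two runs. `gen_key`, `seed_keys` and `container_start` are hypothetical names, and the /dev/urandom fallback is an assumption for images without openssl. Like `:-` in the proposal, it treats an empty value as missing and regenerates it.

```shell
#!/bin/sh
# Added example, not the project's entrypoint.sh. Variable names are from the issue;
# gen_key, seed_keys and container_start are hypothetical helpers.

SEED_VARS="STACK_SEED_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY
STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY
STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY"

# 32 random bytes, base64-encoded (same command as the issue; the
# /dev/urandom fallback is an assumption for images without openssl).
gen_key() {
  if command -v openssl >/dev/null 2>&1; then
    openssl rand -base64 32
  else
    head -c 32 /dev/urandom | base64
  fi
}

# Export each seed key, generating one only when it is unset or empty.
seed_keys() {
  for name in $SEED_VARS; do
    eval "current=\${$name:-}"
    if [ -z "$current" ]; then
      current=$(gen_key) || return 1
      # Log the variable name only, never the secret value.
      echo "entrypoint: $name not provided, generated a random value" >&2
    fi
    export "$name=$current"
  done
}

# Simulate one container start in a subshell; print the publishable key it ends up with.
container_start() {
  ( seed_keys && printf '%s' "$STACK_SEED_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY" )
}
```

Calling `container_start` twice with the variables unset yields two different keys, which is the multi-container mismatch described in the issue; exporting the variable first makes both calls return the same value.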