cli icon indicating copy to clipboard operation
cli copied to clipboard
verified publisher icon supabase

Secrets uploaded to local supabase vault using config.toml have their names converted to lowercase

Open fgh-james opened this issue 9 months ago • 2 comments

Describe the bug

When running supabase locally and uploading secrets to the vault using config.toml, all uppercase letters in the secret name are converted to lowercase.

I am attempting to upload my vault secrets to my local supabase instance using the config.toml. All my secrets are written in all caps, and when they are uploaded to the vault, I see that they are converted to lowercase which breaks any references to them in my application.

Here is my config.toml setup:

[db.vault]
WEBHOOK_SECRET = "env(WEBHOOK_SECRET)"
WEBHOOK_SEND_INVITE_URL = "http://172.17.0.1:54321/functions/v1/send-invite"

And here is the result in the database:

Image

Then in my code, when I try to get my secret, it fails because the capitalization is incorrect:

select decrypted_secret into secret from vault.decrypted_secrets where name = 'WEBHOOK_SECRET' limit 1;

To Reproduce

  1. Add vault secrets to your config.toml
[db.vault]
WEBHOOK_SECRET = "env(WEBHOOK_SECRET)"
WEBHOOK_SEND_INVITE_URL = "http://172.17.0.1:54321/functions/v1/send-invite"
  1. Run supabase start
  2. Run supabase db reset to reseed the database and reset the vault
  3. Check in the supabase studio Table Editor > Schema > Vault > secrets
  4. See secret names loses all capitalization

Expected behavior

Secret names should retain their capitalization when uploaded through config.toml

System information

  • OS: macOS
  • Version of Supabase CLI (2.15.8)
  • Service Versions SERVICE IMAGE │ LOCAL │ LINKED supabase/postgres │ 15.1.1.19 │ 15.1.1.19 supabase/gotrue │ v2.168.0 │ v2.168.0 postgrest/postgrest │ v12.0.2 │ v12.0.2 supabase/realtime │ v2.34.31 │ - supabase/storage-api │ v1.17.1 │ v1.17.1 supabase/edge-runtime │ v1.67.2 │ - supabase/studio │ 20250224-d10db0f │ - supabase/postgres-meta │ v0.86.0 │ - supabase/logflare │ 1.11.0 │ - supabase/supavisor │ 2.3.9 │ -

fgh-james avatar Mar 03 '25 20:03 fgh-james

After digging into this issue, I realised it is a fundamental flaw with viper not preserving case sensitive map keys https://github.com/spf13/viper/issues/1014.

I think we will have to migrate to koanf to fully resolve it.

sweatybridge avatar Mar 05 '25 07:03 sweatybridge

Just wanted to add that I came across this issue as well. I assumed it was just enforced as a recommended way to store the secret name. Glad it is flagged as a bug. I would really like the secret to mirror the env variables.

Also, there is an issue when pushing the migration to remote using supabase db push. The vault secrets are pushed with each new migration push. This means that the remote secrets are always overriden by the local secrets after each push, not ideal considering you might want different secrets for different environment.

lhengl avatar Jun 11 '25 02:06 lhengl