Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Application secret from env variable does not work #12555

Closed
cornim opened this issue Apr 26, 2024 · 3 comments
Closed

Application secret from env variable does not work #12555

cornim opened this issue Apr 26, 2024 · 3 comments

Comments

@cornim
Copy link

cornim commented Apr 26, 2024
edited by mkurz

The documentation states

play.http.secret.key="changeme"
play.http.secret.key=${?APPLICATION_SECRET}

The second line in that configuration sets the secret to come from an environment variable called APPLICATION_SECRET if such an environment variable is set, otherwise, it leaves the secret unchanged from the previous line.

But if this is set in the application.conf an exception is thrown, complaining that the entropy of the secret is too low pointing to the second line, even if there is no such environment variable set.
This is also the case if the first line contains a secret with sufficient entropy.

Play Version

3.0.2

API

Scala 3.3.1

Operating System

22.04.1-Ubuntu

JDK

openjdk version "17.0.10" 2024-01-16
OpenJDK Runtime Environment (build 17.0.10+7-Ubuntu-122.04.1)
OpenJDK 64-Bit Server VM (build 17.0.10+7-Ubuntu-122.04.1, mixed mode, sharing)

Expected Behavior

The secret from the first line (play.http.secret.key=<actual secret with sufficient entropy>) in the config should be used.

Actual Behavior

The second line (play.http.secret.key=${?APPLICATION_SECRET}) is used resulting in a secret with insuffcient entropy.

Commenting out the second line makes the applicaton work.
And I checked the relevant environment variables with sbt show run / envVars and the returned map was empty.
@mkurz
Copy link
Member

mkurz commented Apr 27, 2024
edited

And I checked the relevant environment variables with sbt show run / envVars and the returned map was empty.

This is expected behaviour, see my explanation in #10972 (comment). Maybe you misunderstood what envVars is used for.

Anyway, you say that when you remove the (second) line play.http.secret.key=${?APPLICATION_SECRET} from your config, then your application is working. Seems like you do have a APPLICATION_SECRET environment variable defined somehow, somewhere (maybe /etc/environment? Or in one of the .bash* files in the home directory?). Can you please check what env | grep -i APPLICATION_SECRET on the used Ubuntu machine outputs?

@cornelius-mund
Copy link

cornelius-mund commented Apr 29, 2024
edited

I found the issue.

APPLICATION_SECRET was not set but there was a strange character in that line after the variable that apparantly caused the issue. (see diff below)

Thanks for your quick response anyway.

-play.http.secret.key=${?APPLICATION_SECRET}
+play.http.secret.key=${?APPLICATION_SECRET}

@mkurz
Copy link
Member

mkurz commented Apr 29, 2024

Perfect, glad you found the problem!

Thanks for your quick response anyway.

You are welcome! Have a nice time coding with Play 😉

@mkurz mkurz closed this as completed Apr 29, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mkurz @cornim @cornelius-mund