fix: load config once using viper (#3367)

Author: sweatybridge

internal/db/start/start.go

@@ -63,7 +63,7 @@ func NewContainerConfig() container.Config {
 	env := []string{
 		"POSTGRES_PASSWORD=" + utils.Config.Db.Password,
 		"POSTGRES_HOST=/var/run/postgresql",
-		"JWT_SECRET=" + utils.Config.Auth.JwtSecret,
+		"JWT_SECRET=" + utils.Config.Auth.JwtSecret.Value,
 		fmt.Sprintf("JWT_EXP=%d", utils.Config.Auth.JwtExpiry),
 	}
 	if len(utils.Config.Experimental.OrioleDBVersion) > 0 {
@@ -96,7 +96,7 @@ docker-entrypoint.sh postgres -D /etc/postgresql
 ` + webhookSchema + `
 ` + _supabaseSchema + `
 EOF
-` + utils.Config.Db.RootKey + `
+` + utils.Config.Db.RootKey.Value + `
 EOF
 ` + utils.Config.Db.Settings.ToPostgresConfig() + `
 EOF`},
@@ -157,7 +157,7 @@ docker-entrypoint.sh postgres -D /etc/postgresql
 EOF
 ` + restoreScript + `
 EOF
-` + utils.Config.Db.RootKey + `
+` + utils.Config.Db.RootKey.Value + `
 EOF
 ` + utils.Config.Db.Settings.ToPostgresConfig() + `
 EOF`}
@@ -284,8 +284,8 @@ func initRealtimeJob(host string) utils.DockerJob {
 			"DB_NAME=postgres",
 			"DB_AFTER_CONNECT_QUERY=SET search_path TO _realtime",
 			"DB_ENC_KEY=" + utils.Config.Realtime.EncryptionKey,
-			"API_JWT_SECRET=" + utils.Config.Auth.JwtSecret,
-			"METRICS_JWT_SECRET=" + utils.Config.Auth.JwtSecret,
+			"API_JWT_SECRET=" + utils.Config.Auth.JwtSecret.Value,
+			"METRICS_JWT_SECRET=" + utils.Config.Auth.JwtSecret.Value,
 			"APP_NAME=realtime",
 			"SECRET_KEY_BASE=" + utils.Config.Realtime.SecretKeyBase,
 			"ERL_AFLAGS=" + utils.ToRealtimeEnv(utils.Config.Realtime.IpVersion),
@@ -305,9 +305,9 @@ func initStorageJob(host string) utils.DockerJob {
 		Image: utils.Config.Storage.Image,
 		Env: []string{
 			"DB_INSTALL_ROLES=false",
-			"ANON_KEY=" + utils.Config.Auth.AnonKey,
-			"SERVICE_KEY=" + utils.Config.Auth.ServiceRoleKey,
-			"PGRST_JWT_SECRET=" + utils.Config.Auth.JwtSecret,
+			"ANON_KEY=" + utils.Config.Auth.AnonKey.Value,
+			"SERVICE_KEY=" + utils.Config.Auth.ServiceRoleKey.Value,
+			"PGRST_JWT_SECRET=" + utils.Config.Auth.JwtSecret.Value,
 			fmt.Sprintf("DATABASE_URL=postgresql://supabase_storage_admin:%s@%s:5432/postgres", utils.Config.Db.Password, host),
 			fmt.Sprintf("FILE_SIZE_LIMIT=%v", utils.Config.Storage.FileSizeLimit),
 			"STORAGE_BACKEND=file",
@@ -330,7 +330,7 @@ func initAuthJob(host string) utils.DockerJob {
 			"GOTRUE_DB_DRIVER=postgres",
 			fmt.Sprintf("GOTRUE_DB_DATABASE_URL=postgresql://supabase_auth_admin:%s@%s:5432/postgres", utils.Config.Db.Password, host),
 			"GOTRUE_SITE_URL=" + utils.Config.Auth.SiteUrl,
-			"GOTRUE_JWT_SECRET=" + utils.Config.Auth.JwtSecret,
+			"GOTRUE_JWT_SECRET=" + utils.Config.Auth.JwtSecret.Value,
 		},
 		Cmd: []string{"gotrue", "migrate"},
 	}

internal/functions/new/new.go

@@ -73,7 +73,7 @@ func createEntrypointFile(slug string, fsys afero.Fs) error {
 	defer f.Close()
 	if err := indexTemplate.Option("missingkey=error").Execute(f, indexConfig{
 		URL:   utils.GetApiUrl("/functions/v1/" + slug),
-		Token: utils.Config.Auth.AnonKey,
+		Token: utils.Config.Auth.AnonKey.Value,
 	}); err != nil {
 		return errors.Errorf("failed to write entrypoint: %w", err)
 	}

internal/functions/serve/serve.go

@@ -104,10 +104,10 @@ func ServeFunctions(ctx context.Context, envFilePath string, noVerifyJWT *bool,
 	}
 	env = append(env,
 		fmt.Sprintf("SUPABASE_URL=http://%s:8000", utils.KongAliases[0]),
-		"SUPABASE_ANON_KEY="+utils.Config.Auth.AnonKey,
-		"SUPABASE_SERVICE_ROLE_KEY="+utils.Config.Auth.ServiceRoleKey,
+		"SUPABASE_ANON_KEY="+utils.Config.Auth.AnonKey.Value,
+		"SUPABASE_SERVICE_ROLE_KEY="+utils.Config.Auth.ServiceRoleKey.Value,
 		"SUPABASE_DB_URL="+dbUrl,
-		"SUPABASE_INTERNAL_JWT_SECRET="+utils.Config.Auth.JwtSecret,
+		"SUPABASE_INTERNAL_JWT_SECRET="+utils.Config.Auth.JwtSecret.Value,
 		fmt.Sprintf("SUPABASE_INTERNAL_HOST_PORT=%d", utils.Config.Api.Port),
 	)
 	if viper.GetBool("DEBUG") {

internal/gen/keys/keys.go

@@ -31,9 +31,9 @@ func Run(ctx context.Context, projectRef, format string, names CustomName, fsys
 	return utils.EncodeOutput(format, os.Stdout, map[string]string{
 		names.DbHost:         fmt.Sprintf("%s-%s.fly.dev", projectRef, branch),
 		names.DbPassword:     utils.Config.Db.Password,
-		names.JWTSecret:      utils.Config.Auth.JwtSecret,
-		names.AnonKey:        utils.Config.Auth.AnonKey,
-		names.ServiceRoleKey: utils.Config.Auth.ServiceRoleKey,
+		names.JWTSecret:      utils.Config.Auth.JwtSecret.Value,
+		names.AnonKey:        utils.Config.Auth.AnonKey.Value,
+		names.ServiceRoleKey: utils.Config.Auth.ServiceRoleKey.Value,
 	})
 }
 
@@ -46,11 +46,11 @@ func GenerateSecrets(ctx context.Context, projectRef, branch string, fsys afero.
 	if resp.JSON200 == nil {
 		return errors.New("Unexpected error retrieving JWT secret: " + string(resp.Body))
 	}
-	utils.Config.Auth.JwtSecret = *resp.JSON200.JwtSecret
+	utils.Config.Auth.JwtSecret.Value = *resp.JSON200.JwtSecret
 	// Generate database password
 	key := strings.Join([]string{
 		projectRef,
-		utils.Config.Auth.JwtSecret,
+		utils.Config.Auth.JwtSecret.Value,
 		branch,
 	}, ":")
 	hash := sha256.Sum256([]byte(key))
@@ -61,15 +61,15 @@ func GenerateSecrets(ctx context.Context, projectRef, branch string, fsys afero.
 		Ref:    projectRef,
 		Role:   "anon",
 	}.NewToken()
-	if utils.Config.Auth.AnonKey, err = anonToken.SignedString([]byte(utils.Config.Auth.JwtSecret)); err != nil {
+	if utils.Config.Auth.AnonKey.Value, err = anonToken.SignedString([]byte(utils.Config.Auth.JwtSecret.Value)); err != nil {
 		return errors.Errorf("failed to sign anon key: %w", err)
 	}
 	serviceToken := config.CustomClaims{
 		Issuer: "supabase",
 		Ref:    projectRef,
 		Role:   "service_role",
 	}.NewToken()
-	if utils.Config.Auth.ServiceRoleKey, err = serviceToken.SignedString([]byte(utils.Config.Auth.JwtSecret)); err != nil {
+	if utils.Config.Auth.ServiceRoleKey.Value, err = serviceToken.SignedString([]byte(utils.Config.Auth.JwtSecret.Value)); err != nil {
 		return errors.Errorf("failed to sign service_role key: %w", err)
 	}
 	return nil

internal/start/start.go

@@ -464,7 +464,7 @@ EOF
 			"GOTRUE_JWT_AUD=authenticated",
 			"GOTRUE_JWT_DEFAULT_GROUP_NAME=authenticated",
 			fmt.Sprintf("GOTRUE_JWT_EXP=%v", utils.Config.Auth.JwtExpiry),
-			"GOTRUE_JWT_SECRET=" + utils.Config.Auth.JwtSecret,
+			"GOTRUE_JWT_SECRET=" + utils.Config.Auth.JwtSecret.Value,
 			"GOTRUE_JWT_ISSUER=" + utils.GetApiUrl("/auth/v1"),
 
 			fmt.Sprintf("GOTRUE_EXTERNAL_EMAIL_ENABLED=%v", utils.Config.Auth.Email.EnableSignup),
@@ -755,9 +755,9 @@ EOF
 					"DB_NAME=" + dbConfig.Database,
 					"DB_AFTER_CONNECT_QUERY=SET search_path TO _realtime",
 					"DB_ENC_KEY=" + utils.Config.Realtime.EncryptionKey,
-					"API_JWT_SECRET=" + utils.Config.Auth.JwtSecret,
+					"API_JWT_SECRET=" + utils.Config.Auth.JwtSecret.Value,
 					fmt.Sprintf("API_JWT_JWKS=%s", jwks),
-					"METRICS_JWT_SECRET=" + utils.Config.Auth.JwtSecret,
+					"METRICS_JWT_SECRET=" + utils.Config.Auth.JwtSecret.Value,
 					"APP_NAME=realtime",
 					"SECRET_KEY_BASE=" + utils.Config.Realtime.SecretKeyBase,
 					"ERL_AFLAGS=" + utils.ToRealtimeEnv(utils.Config.Realtime.IpVersion),
@@ -838,9 +838,9 @@ EOF
 			container.Config{
 				Image: utils.Config.Storage.Image,
 				Env: []string{
-					"ANON_KEY=" + utils.Config.Auth.AnonKey,
-					"SERVICE_KEY=" + utils.Config.Auth.ServiceRoleKey,
-					"AUTH_JWT_SECRET=" + utils.Config.Auth.JwtSecret,
+					"ANON_KEY=" + utils.Config.Auth.AnonKey.Value,
+					"SERVICE_KEY=" + utils.Config.Auth.ServiceRoleKey.Value,
+					"AUTH_JWT_SECRET=" + utils.Config.Auth.JwtSecret.Value,
 					fmt.Sprintf("AUTH_JWT_JWKS=%s", jwks),
 					fmt.Sprintf("DATABASE_URL=postgresql://supabase_storage_admin:%s@%s:%d/%s", dbConfig.Password, dbConfig.Host, dbConfig.Port, dbConfig.Database),
 					fmt.Sprintf("FILE_SIZE_LIMIT=%v", utils.Config.Storage.FileSizeLimit),
@@ -986,9 +986,9 @@ EOF
 					"POSTGRES_PASSWORD=" + dbConfig.Password,
 					"SUPABASE_URL=http://" + utils.KongId + ":8000",
 					"SUPABASE_PUBLIC_URL=" + utils.Config.Studio.ApiUrl,
-					"AUTH_JWT_SECRET=" + utils.Config.Auth.JwtSecret,
-					"SUPABASE_ANON_KEY=" + utils.Config.Auth.AnonKey,
-					"SUPABASE_SERVICE_KEY=" + utils.Config.Auth.ServiceRoleKey,
+					"AUTH_JWT_SECRET=" + utils.Config.Auth.JwtSecret.Value,
+					"SUPABASE_ANON_KEY=" + utils.Config.Auth.AnonKey.Value,
+					"SUPABASE_SERVICE_KEY=" + utils.Config.Auth.ServiceRoleKey.Value,
 					"LOGFLARE_API_KEY=" + utils.Config.Analytics.ApiKey,
 					"OPENAI_API_KEY=" + utils.Config.Studio.OpenaiApiKey.Value,
 					fmt.Sprintf("LOGFLARE_URL=http://%v:4000", utils.LogflareId),
@@ -1056,8 +1056,8 @@ EOF
 					"CLUSTER_POSTGRES=true",
 					"SECRET_KEY_BASE=" + utils.Config.Db.Pooler.SecretKeyBase,
 					"VAULT_ENC_KEY=" + utils.Config.Db.Pooler.EncryptionKey,
-					"API_JWT_SECRET=" + utils.Config.Auth.JwtSecret,
-					"METRICS_JWT_SECRET=" + utils.Config.Auth.JwtSecret,
+					"API_JWT_SECRET=" + utils.Config.Auth.JwtSecret.Value,
+					"METRICS_JWT_SECRET=" + utils.Config.Auth.JwtSecret.Value,
 					"REGION=local",
 					"RUN_JANITOR=true",
 					"ERL_AFLAGS=-proto_dist inet_tcp",

internal/status/status.go

@@ -50,9 +50,9 @@ func (c *CustomName) toValues(exclude ...string) map[string]string {
 		values[c.StudioURL] = fmt.Sprintf("http://%s:%d", utils.Config.Hostname, utils.Config.Studio.Port)
 	}
 	if utils.Config.Auth.Enabled && !utils.SliceContains(exclude, utils.GotrueId) && !utils.SliceContains(exclude, utils.ShortContainerImageName(utils.Config.Auth.Image)) {
-		values[c.JWTSecret] = utils.Config.Auth.JwtSecret
-		values[c.AnonKey] = utils.Config.Auth.AnonKey
-		values[c.ServiceRoleKey] = utils.Config.Auth.ServiceRoleKey
+		values[c.JWTSecret] = utils.Config.Auth.JwtSecret.Value
+		values[c.AnonKey] = utils.Config.Auth.AnonKey.Value
+		values[c.ServiceRoleKey] = utils.Config.Auth.ServiceRoleKey.Value
 	}
 	if utils.Config.Inbucket.Enabled && !utils.SliceContains(exclude, utils.InbucketId) && !utils.SliceContains(exclude, utils.ShortContainerImageName(utils.Config.Inbucket.Image)) {
 		values[c.InbucketURL] = fmt.Sprintf("http://%s:%d", utils.Config.Hostname, utils.Config.Inbucket.Port)
@@ -178,7 +178,7 @@ func checkHTTPHead(ctx context.Context, path string) error {
 	healthOnce.Do(func() {
 		server := utils.Config.Api.ExternalUrl
 		header := func(req *http.Request) {
-			req.Header.Add("apikey", utils.Config.Auth.AnonKey)
+			req.Header.Add("apikey", utils.Config.Auth.AnonKey.Value)
 		}
 		client := NewKongClient()
 		healthClient = fetcher.NewFetcher(

internal/storage/client/api.go

@@ -18,7 +18,7 @@ func NewStorageAPI(ctx context.Context, projectRef string) (storage.StorageAPI,
 		client.Fetcher = newLocalClient()
 	} else if viper.IsSet("AUTH_SERVICE_ROLE_KEY") {
 		// Special case for calling storage API without personal access token
-		client.Fetcher = newRemoteClient(projectRef, utils.Config.Auth.ServiceRoleKey)
+		client.Fetcher = newRemoteClient(projectRef, utils.Config.Auth.ServiceRoleKey.Value)
 	} else if apiKey, err := tenant.GetApiKeys(ctx, projectRef); err == nil {
 		client.Fetcher = newRemoteClient(projectRef, apiKey.ServiceRole)
 	} else {
@@ -32,7 +32,7 @@ func newLocalClient() *fetcher.Fetcher {
 	return fetcher.NewFetcher(
 		utils.Config.Api.ExternalUrl,
 		fetcher.WithHTTPClient(client),
-		fetcher.WithBearerToken(utils.Config.Auth.ServiceRoleKey),
+		fetcher.WithBearerToken(utils.Config.Auth.ServiceRoleKey.Value),
 		fetcher.WithUserAgent("SupabaseCLI/"+utils.Version),
 		fetcher.WithExpectedStatus(http.StatusOK),
 	)

pkg/config/auth.go

@@ -72,7 +72,7 @@ type (
 		Enabled bool   `toml:"enabled"`
 		Image   string `toml:"-"`
 
-		SiteUrl                    string               `toml:"site_url" mapstructure:"site_url"`
+		SiteUrl                    string               `toml:"site_url"`
 		AdditionalRedirectUrls     []string             `toml:"additional_redirect_urls"`
 		JwtExpiry                  uint                 `toml:"jwt_expiry"`
 		EnableRefreshTokenRotation bool                 `toml:"enable_refresh_token_rotation"`
@@ -93,9 +93,9 @@ type (
 		External  external  `toml:"external"`
 
 		// Custom secrets can be injected from .env file
-		JwtSecret      string `toml:"-" mapstructure:"jwt_secret"`
-		AnonKey        string `toml:"-" mapstructure:"anon_key"`
-		ServiceRoleKey string `toml:"-" mapstructure:"service_role_key"`
+		JwtSecret      Secret `toml:"jwt_secret"`
+		AnonKey        Secret `toml:"anon_key"`
+		ServiceRoleKey Secret `toml:"service_role_key"`
 
 		ThirdParty thirdParty `toml:"third_party"`
 	}
@@ -177,11 +177,11 @@ type (
 		EnableSignup        bool              `toml:"enable_signup"`
 		EnableConfirmations bool              `toml:"enable_confirmations"`
 		Template            string            `toml:"template"`
-		Twilio              twilioConfig      `toml:"twilio" mapstructure:"twilio"`
-		TwilioVerify        twilioConfig      `toml:"twilio_verify" mapstructure:"twilio_verify"`
-		Messagebird         messagebirdConfig `toml:"messagebird" mapstructure:"messagebird"`
-		Textlocal           textlocalConfig   `toml:"textlocal" mapstructure:"textlocal"`
-		Vonage              vonageConfig      `toml:"vonage" mapstructure:"vonage"`
+		Twilio              twilioConfig      `toml:"twilio"`
+		TwilioVerify        twilioConfig      `toml:"twilio_verify"`
+		Messagebird         messagebirdConfig `toml:"messagebird"`
+		Textlocal           textlocalConfig   `toml:"textlocal"`
+		Vonage              vonageConfig      `toml:"vonage"`
 		TestOTP             map[string]string `toml:"test_otp"`
 		MaxFrequency        time.Duration     `toml:"max_frequency"`
 	}
@@ -234,26 +234,26 @@ type (
 		Enabled           bool   `toml:"enabled"`
 		AccountSid        string `toml:"account_sid"`
 		MessageServiceSid string `toml:"message_service_sid"`
-		AuthToken         Secret `toml:"auth_token" mapstructure:"auth_token"`
+		AuthToken         Secret `toml:"auth_token"`
 	}
 
 	messagebirdConfig struct {
 		Enabled    bool   `toml:"enabled"`
 		Originator string `toml:"originator"`
-		AccessKey  Secret `toml:"access_key" mapstructure:"access_key"`
+		AccessKey  Secret `toml:"access_key"`
 	}
 
 	textlocalConfig struct {
 		Enabled bool   `toml:"enabled"`
 		Sender  string `toml:"sender"`
-		ApiKey  Secret `toml:"api_key" mapstructure:"api_key"`
+		ApiKey  Secret `toml:"api_key"`
 	}
 
 	vonageConfig struct {
 		Enabled   bool   `toml:"enabled"`
 		From      string `toml:"from"`
-		ApiKey    string `toml:"api_key" mapstructure:"api_key"`
-		ApiSecret Secret `toml:"api_secret" mapstructure:"api_secret"`
+		ApiKey    string `toml:"api_key"`
+		ApiSecret Secret `toml:"api_secret"`
 	}
 
 	provider struct {