Mercure configuration · Issue #200 · dunglas/symfony-docker · GitHub
Closed
Jayfrown opened this issue Dec 15, 2021 · 5 comments

Comments

@Jayfrown

Hi!

First of all, thanks a lot for this skeleton.

I'm trying to make async updates work with Mercure, allowing only authenticated updates and subscribers. However, there are some things I do not understand yet.

In the docker-compose.yml at line 26 we see the following configuration:

MERCURE_JWT_SECRET: ${CADDY_MERCURE_JWT_SECRET:-!ChangeMe!}

which is the same value that is passed to Caddy on lines 36/37:

      MERCURE_PUBLISHER_JWT_KEY: ${CADDY_MERCURE_JWT_SECRET:-!ChangeMe!}
      MERCURE_SUBSCRIBER_JWT_KEY: ${CADDY_MERCURE_JWT_SECRET:-!ChangeMe!}

  1. As they all share the same value (both the default value and whatever the user defines as $CADDY_MERCURE_JWT_SECRET), I take it that these values should be identical.

  2. It seems that the MERCURE_JWT_SECRET environment variable inside the php service relates to the MERCURE_JWT_SECRET within .env, which by default reads:

# The secret used to sign the JWTs
MERCURE_JWT_SECRET="!ChangeMe!"

So I would take it that these values should be cryptographically random values, which would be used as the secret passphrase to sign and verify JWTs.

However, the documentation for configuring Mercure within API Platform says the following:

MERCURE_JWT_SECRET: a valid Mercure JSON Web Token (JWT) allowing API Platform to publish updates to the hub

The JWT must contain a mercure.publish property containing an array of topic selectors

which at least conflicts with the comment inside .env, and if the rest of my understanding is correct, also conflicts with the configuration inside docker-compose.yml.

So my question boils down to the following:

  • Should the publisher_jwt and subscriber_jwt values within the Caddyfile indeed contain a cryptographically random value?

  • Should the MERCURE_JWT_SECRET within .env indeed contain a JWT, which should be signed with the cryptographically random publisher_jwt value?

@Jayfrown
Author

Seems related to this: #128

@dunglas
Owner
dunglas commented Dec 16, 2021

So I would take it that these values should be cryptographically random values, which would be used as the secret passphrase to sign and verify JWTs.

Indeed!

MERCURE_JWT_SECRET: a valid Mercure JSON Web Token (JWT) allowing API Platform to publish updates to the hub

This is definitely outdated. This behavior changed in the recent versions of MercureBundle. It's now a secret key that must be set, not a full JWT.

As a summary:

  • We cannot use the same env var for the Mercure hub (the Caddy module) and for the Mercure Bundle (the PHP lib that connects to the hub).
  • CADDY_MERCURE_JWT_SECRET allows setting the secret used by the hub.
  • MERCURE_JWT_SECRET is the one used by the bundle.
  • Both values must be a secret key used to sign tokens, not a JWT anymore.

@Jayfrown
Author

Thanks for clarifying. I'm still a little confused on the following:

We cannot use the same env var for the Mercure hub [..] and for the Mercure Bundle

It seems that the docker-compose.yml configuration conflicts with this, as CADDY_MERCURE_JWT_SECRET ends up as MERCURE_PUBLISHER_JWT_KEY/MERCURE_SUBSCRIBER_JWT_KEY (used by the hub) as well as MERCURE_JWT_SECRET (used by the bundle).

So if the Mercure hub should have a different secret than the MercureBundle, then which secret holds which purpose? I had initially thought they should be the same secret, so that the hub can verify JWTs generated by the bundle.

@dunglas
Owner
dunglas commented Dec 16, 2021

Yes indeed you're right. I mean that you must pass CADDY_MERCURE_JWT_SECRET to set the proper env vars used by the bundle and by Caddy itself (it's not possible to use the same name everywhere because this would be a conflict).

@Jayfrown
Author

Ah!💡

I initially misunderstood what you meant when you said "the same env var". I thought you meant it cannot be the same value.

Thanks again for clearing this up!
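To make the resolved relationship concrete, here is an added example (not code from symfony-docker, MercureBundle or the Mercure hub) that models both sides in Python with only the standard library: the bundle signs an HS256 JWT carrying a mercure.publish claim with MERCURE_JWT_SECRET, and the hub verifies it with MERCURE_PUBLISHER_JWT_KEY, so both env vars must hold the same random key. The function names are assumptions, and only the publisher side is modelled (subscriber tokens carry mercure.subscribe instead).

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import List, Optional


def make_secret() -> str:
    """Cryptographically random key. The same value goes into
    CADDY_MERCURE_JWT_SECRET (hub) and MERCURE_JWT_SECRET (bundle)."""
    return secrets.token_hex(32)


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_publisher_jwt(bundle_secret: str, topics: List[str]) -> str:
    """Models what the bundle does with MERCURE_JWT_SECRET: an HS256 JWT whose
    mercure.publish claim lists the topic selectors the publisher may use."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"mercure": {"publish": topics}}
    parts = [_b64url(json.dumps(o, separators=(",", ":")).encode()) for o in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(bundle_secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def hub_verify(hub_secret: str, token: str) -> Optional[dict]:
    """Models what the hub does with MERCURE_PUBLISHER_JWT_KEY: check the HMAC
    and require a mercure.publish claim. Returns the payload, or None."""
    try:
        h, p, s = token.split(".")
        header = json.loads(_b64url_decode(h))
        sig = _b64url_decode(s)
    except (ValueError, UnicodeDecodeError):
        return None  # malformed token
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # never accept "none" or an unexpected algorithm
    expected = hmac.new(hub_secret.encode(), f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None  # secrets differ (hub vs bundle) or token was tampered with
    payload = json.loads(_b64url_decode(p))
    if not isinstance(payload.get("mercure", {}).get("publish"), list):
        return None  # valid signature, but not a publisher token
    return payload
```

If the hub is started with a key other than the one the bundle signs with, every publish is rejected, which is the failure mode the docker-compose.yml avoids by feeding one CADDY_MERCURE_JWT_SECRET value into all three variables.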

javiereguiluz added a commit to symfony/symfony-docs that referenced this issue Dec 20, 2021
…various improvements (tchapi, dunglas)

This PR was merged into the 5.3 branch.

Discussion
----------

[Mercure] Compatibility with the Docker integration and various improvements

Includes #16151. Closes dunglas/symfony-docker#200.

Commits
-------

ad0cbe5 nitpicking
adf49ef Update mercure.rst
daaa3f1 Update mercure.rst
ec87085 Update mercure.rst
b4fb9fb Update mercure.rst
3ca1aa1 Update mercure.rst
81c1387 Update mercure.rst
e35f1cc Update mercure.rst
7496149 review
142a6f9 [mercure] Compatibility with the Docker integration and various improvements
123ad73 Remove unneeded JWT reference
f948ab2 Update mercure.rst regarding JWT token secret