Mercure configuration #200

Closed

Description

@Jayfrown

Hi!

First of all, thanks a lot for this skeleton.

I'm trying to make async updates work with Mercure, allowing only authenticated updates and subscribers - however there are some things I do not understand yet.

In the docker-compose.yml at line 26 we see the following configuration:

    MERCURE_JWT_SECRET: ${CADDY_MERCURE_JWT_SECRET:-!ChangeMe!}

which is the same value that is passed to Caddy on lines 36/37:

    MERCURE_PUBLISHER_JWT_KEY: ${CADDY_MERCURE_JWT_SECRET:-!ChangeMe!}
    MERCURE_SUBSCRIBER_JWT_KEY: ${CADDY_MERCURE_JWT_SECRET:-!ChangeMe!}

  1. As they all share the same value (both the default value as well as whatever the user defines as $CADDY_MERCURE_JWT_SECRET) I take it that these values should be identical.

  2. It seems that the MERCURE_JWT_SECRET environment variable inside the php service relates to the MERCURE_JWT_SECRET within .env - which by default reads:

    # The secret used to sign the JWTs
    MERCURE_JWT_SECRET="!ChangeMe!"

So I would take it that these values should be cryptographically random values, which would be used as the secret passphrase to sign and verify JWTs.

However, the documentation for configuring Mercure within API Platform says the following:

MERCURE_JWT_SECRET: a valid Mercure JSON Web Token (JWT) allowing API Platform to publish updates to the hub

The JWT must contain a mercure.publish property containing an array of topic selectors

which at least conflicts with the comment inside .env, and if the rest of my understanding is correct, also conflicts with the configuration inside docker-compose.yml.

So my question boils down to the following:

  • Should the publisher_jwt and subscriber_jwt values within the Caddyfile indeed contain a cryptographically random value?

  • Should the MERCURE_JWT_SECRET within .env indeed contain a JWT, which should be signed with the cryptographically random publisher_jwt value?

Activity

Jayfrown (Author) commented on Dec 15, 2021

Seems related to this: #128

dunglas (Owner) commented on Dec 16, 2021

So I would take it that these values should be cryptographically random values, which would be used as the secret passphrase to sign and verify JWTs.

Indeed!

MERCURE_JWT_SECRET: a valid Mercure JSON Web Token (JWT) allowing API Platform to publish updates to the hub

This is definitely outdated. This behavior changed in the recent versions of MercureBundle. It's now a secret key that must be set, not a full JWT.

As a summary:

  • We cannot use the same env var for the Mercure hub (the Caddy module) and for the Mercure Bundle (the PHP lib that connects to the hub).
  • CADDY_MERCURE_JWT_SECRET allows setting the secret used by the hub.
  • MERCURE_JWT_SECRET is the one used by the bundle.
  • Both values must be a secret key used to sign tokens, not a JWT anymore.

Jayfrown (Author) commented on Dec 16, 2021

Thanks for clarifying. I'm still a little confused on the following:

We cannot use the same env var for the Mercure hub [..] and for the Mercure Bundle

It seems that the docker-compose.yml configuration conflicts with this, as the CADDY_MERCURE_JWT_SECRET ends up as MERCURE_PUBLISHER_JWT_KEY/MERCURE_SUBSCRIBER_JWT_KEY (used by the hub) as well as MERCURE_JWT_SECRET (used by the bundle).

So if the Mercure hub should have a different secret than the MercureBundle, then which secret holds which purpose? I had initially thought they should be the same secret, so that the hub can verify JWTs generated by the bundle.

dunglas (Owner) commented on Dec 16, 2021

Yes indeed you're right. I mean that you must pass CADDY_MERCURE_JWT_SECRET to set the proper env vars used by the bundle and by Caddy itself (it's not possible to use the same name everywhere because this would be a conflict).

Jayfrown (Author) commented on Dec 16, 2021

Ah!💡

I initially misunderstood what you meant when you said "the same env var". I thought you meant it cannot be the same value.

Thanks again for clearing this up!
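The thread's conclusion is that CADDY_MERCURE_JWT_SECRET is one shared, random secret: MercureBundle uses it (as MERCURE_JWT_SECRET) to sign publisher JWTs, and the hub uses the same value (as MERCURE_PUBLISHER_JWT_KEY) to verify them. The following added example is not code from symfony-docker, MercureBundle or the Mercure hub; it reimplements the HS256 sign/verify exchange with the Python standard library to show why the two sides must hold the same key, why the `!ChangeMe!` placeholder must be replaced, and why a token signed under a different key or tampered in transit is rejected. The topic selector matching is a simplified assumption (exact match or `*`; the real hub also matches URI templates), and the secret, topic and helper names are constructed for the example.

```python
"""Added example: Mercure-style publisher JWT minted with the bundle's secret
and verified with the hub's key, using only the standard library."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import List, Optional

# Placeholder default shipped in docker-compose.yml and .env; it must never reach production.
PLACEHOLDER_SECRET = "!ChangeMe!"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def generate_secret(nbytes: int = 32) -> str:
    """Cryptographically random value suitable for CADDY_MERCURE_JWT_SECRET."""
    return secrets.token_urlsafe(nbytes)


def secret_is_acceptable(secret: str) -> bool:
    """Reject the shipped placeholder and anything too short to resist guessing."""
    return secret != PLACEHOLDER_SECRET and len(secret) >= 32


def mint_publisher_jwt(secret: str, topics: List[str]) -> str:
    """Bundle side (MERCURE_JWT_SECRET): HS256-sign a token whose mercure.publish
    claim lists the topic selectors the bearer may publish to."""
    def compact(obj: dict) -> str:
        return _b64url(json.dumps(obj, separators=(",", ":")).encode())

    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"mercure": {"publish": topics}}
    signing_input = compact(header) + "." + compact(payload)
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_jwt(token: str, hub_secret: str) -> Optional[dict]:
    """Hub side (MERCURE_PUBLISHER_JWT_KEY): recompute the HMAC with the hub's own key.
    Returns the claims on success, None on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head, body, sig = parts
    try:
        header = json.loads(_b64url_decode(head))
        sig_bytes = _b64url_decode(sig)
    except ValueError:  # bad base64 or bad JSON/UTF-8
        return None
    # Pin the algorithm: honouring "alg" from an untrusted token invites alg confusion.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(hub_secret.encode(), f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):
        return None
    return json.loads(_b64url_decode(body))


def can_publish(claims: dict, topic: str) -> bool:
    """Simplified selector check (assumption): exact topic or the wildcard '*'."""
    selectors = claims.get("mercure", {}).get("publish", [])
    return "*" in selectors or topic in selectors


def demo() -> dict:
    """Walk through the thread's scenarios and return the outcomes."""
    shared = generate_secret()             # single value for CADDY_MERCURE_JWT_SECRET
    topic = "https://example.com/books/1"  # constructed sample topic
    token = mint_publisher_jwt(shared, [topic])
    claims_ok = verify_jwt(token, shared)
    claims_wrong_key = verify_jwt(token, generate_secret())  # hub key != bundle key
    # Flip one character of the payload: the signature no longer matches.
    head, body, sig = token.split(".")
    tampered = f"{head}.{body[:-1] + ('A' if body[-1] != 'A' else 'B')}.{sig}"
    return {
        "same_secret_verifies": claims_ok is not None and can_publish(claims_ok, topic),
        "different_secret_fails": claims_wrong_key is None,
        "tampered_fails": verify_jwt(tampered, shared) is None,
        "placeholder_rejected": not secret_is_acceptable(PLACEHOLDER_SECRET),
        "random_secret_accepted": secret_is_acceptable(shared),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running the file prints `True` for every scenario. The practical takeaway matches dunglas's summary: set one random value in CADDY_MERCURE_JWT_SECRET and let docker-compose.yml fan it out to both the bundle and the hub; a mismatch between the two env vars shows up as the hub rejecting every update the bundle publishes.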

A commit referencing this issue was added on Dec 20, 2021: minor #16293 [Mercure] Compatibility with the Docker integration and … (764d67c)

Participants: @dunglas, @Jayfrown

Mercure configuration · Issue #200 · dunglas/symfony-docker