fefeat: supabase add secrets and change to just ios native auth
This commit is contained in:
parent
67e81d39f3
commit
5c6b4f18eb
5 changed files with 134 additions and 205 deletions
|
|
@ -22,40 +22,6 @@ LOGFLARE_PRIVATE_ACCESS_TOKEN=$LOGFLARE_PRIVATE_ACCESS_TOKEN
|
|||
POSTGRES_BACKEND_URL=postgresql://supabase_admin:$PG_PASS_ENCODED@db:5432/_supabase
|
||||
EOF
|
||||
|
||||
# Apple client-secret is a short-lived JWT signed with the .p8 key downloaded
|
||||
# from Apple Developer. Re-sign on every activation (lifetime 180 days, Apple's
|
||||
# cap) so there is no manual rotation ritual. The SOPS-sourced APPLE_PRIVATE_KEY
|
||||
# is stored as a single line with literal \n separators; python un-escapes it.
|
||||
APPLE_SECRET=""
|
||||
if [ -n "${APPLE_TEAM_ID:-}" ] && [ -n "${APPLE_KEY_ID:-}" ] \
|
||||
&& [ -n "${APPLE_SERVICES_ID:-}" ] && [ -n "${APPLE_PRIVATE_KEY:-}" ]; then
|
||||
APPLE_SECRET=$(
|
||||
APPLE_TEAM_ID="$APPLE_TEAM_ID" \
|
||||
APPLE_KEY_ID="$APPLE_KEY_ID" \
|
||||
APPLE_SERVICES_ID="$APPLE_SERVICES_ID" \
|
||||
APPLE_PRIVATE_KEY="$APPLE_PRIVATE_KEY" \
|
||||
python3 - <<'PY'
|
||||
import base64, json, os, time
|
||||
from cryptography.hazmat.primitives import serialization, hashes
|
||||
from cryptography.hazmat.primitives.asymmetric import ec
|
||||
from cryptography.hazmat.primitives.asymmetric.utils import decode_dss_signature
|
||||
def b64u(b): return base64.urlsafe_b64encode(b).rstrip(b"=").decode()
|
||||
now = int(time.time())
|
||||
header = {"alg": "ES256", "kid": os.environ["APPLE_KEY_ID"], "typ": "JWT"}
|
||||
payload = {"iss": os.environ["APPLE_TEAM_ID"], "iat": now, "exp": now + 86400 * 180,
|
||||
"aud": "https://appleid.apple.com", "sub": os.environ["APPLE_SERVICES_ID"]}
|
||||
parts = (b64u(json.dumps(header, separators=(",", ":")).encode())
|
||||
+ "." + b64u(json.dumps(payload, separators=(",", ":")).encode())).encode()
|
||||
pem = os.environ["APPLE_PRIVATE_KEY"].encode().decode("unicode_escape").encode()
|
||||
key = serialization.load_pem_private_key(pem, password=None)
|
||||
der = key.sign(parts, ec.ECDSA(hashes.SHA256()))
|
||||
r, s = decode_dss_signature(der)
|
||||
raw = r.to_bytes(32, "big") + s.to_bytes(32, "big")
|
||||
print(parts.decode() + "." + b64u(raw))
|
||||
PY
|
||||
)
|
||||
fi
|
||||
|
||||
cat > /run/supabase/auth.env <<EOF
|
||||
GOTRUE_JWT_SECRET=$JWT_SECRET
|
||||
GOTRUE_DB_DATABASE_URL=postgres://supabase_auth_admin:$PG_PASS_ENCODED@db:5432/postgres
|
||||
|
|
@ -63,8 +29,6 @@ GOTRUE_SMTP_USER=${SMTP_USER:-}
|
|||
GOTRUE_SMTP_PASS=${SMTP_PASS:-}
|
||||
GOTRUE_EXTERNAL_GOOGLE_CLIENT_ID=${GOOGLE_CLIENT_ID:-}
|
||||
GOTRUE_EXTERNAL_GOOGLE_SECRET=${GOOGLE_SECRET:-}
|
||||
GOTRUE_EXTERNAL_APPLE_CLIENT_ID=${APPLE_SERVICES_ID:-}
|
||||
GOTRUE_EXTERNAL_APPLE_SECRET=$APPLE_SECRET
|
||||
EOF
|
||||
|
||||
cat > /run/supabase/rest.env <<EOF
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue