From my PR adding support for JSON Web Tokens to basic-webserver.
Brendan Hansknecht I wonder if we should show best practices around the secret?
My question is, what is best practice here?
I assume it's reading the secret in from an environment variable, but I'm not 100% sure.
Hoping someone here has some experience with this and can point me in the right direction.
In my experience, they either come from env vars or a service like AWS Secrets Manager
Would you say an idiomatic way of doing this in Roc using basic-webserver might be something like this inside the init
secret = Env.var "JWT_SECRET" |> Task.onErr! \VarNotFound -> Task.ok "shhh_example_secret"
Storing that in the Model and then passing it into the respond with each request.
Yeah, that makes sense. If you’re going to keep it around, I would wrap it in an opaque type so that it can’t be Inspected and accidentally end up in logs
or give it an Inspect that says (SECRET REDACTED) so someone doesn't come along later by mistake and add a default Inspect out of habit :big_smile:
If we want to be really thorough for the example, I would add an extra printout in the onErr
Stderr.line! "Secrets should be set in the environment variable `JWT_SECRET`. For the convenience of the example, we default to some arbitrary text."
I don't know if it happens already, but having basic-webserver (and basic-cli?) read a dotenv file would also be nice for this
They do not currently (unless Rust's env handling automatically does that, but I doubt it)
Would be a great issue to open on each repo
Cool, I don't imagine it would be hard to add. There's probably some R&D to figure out a nice idiomatic way to use it.
I'll do it later today and if I find the time maybe create a PR for it
I'm currently wading through the low level mechanics of signature verification algorithms and terminology to wire up a rust library the way I want.
Brendan Hansknecht said:
Would be a great issue to open on each repo
Added issues for webserver and cli
Last updated: Nov 09 2025 at 12:14 UTC