From my PR adding support for Json Web Tokens to basic-webserver.
Brendan Hansknecht I wonder if we should show best practices around the secret?
My question is, what is best practice here?
I assume it's reading the secret in from an environment variable, but I'm not 100% sure.
Hoping someone here has some experience with this and can point me in the right direction.
In my experience, they either come from env vars or a service like AWS Secret Manager
Would you say an idiomatic way of doing this in roc using basic-webserver might be something like this inside the init
secret = Env.var "JWT_SECRET" |> Task.onErr! \VarNotFound -> Task.ok "shhh_example_secret"
Storing that in the Model
and then passing it into the respond
with each request.
Yeah, that makes sense. If you’re going to keep it around, I would wrap it in an opaque type so that it can’t be `Inspect`ed and accidentally end up in logs
or give it an `Inspect` that says (SECRET REDACTED)
so someone doesn't come along later by mistake and add a default `Inspect` out of habit :big_smile:
If we want to be really thorough for the example, I would add an extra printout in the onErr
Stderr.line! "Secrets should be set in the environment variable `JWT_SECRET`. For the convenience of the example, we default to some arbitrary text."
I don't know if it happens already, but having basic-webserver (and basic-cli?) read a dotenv file would also be nice for this
They do not currently (unless rust env automatically does that, but I doubt it)
Would be a great issue to open on each repo
Cool, I don't imagine it would be hard to add. There's probably some R&D to figure out a nice idiomatic way to use it.
I'll do it later today and if I find the time maybe create a PR for it
I'm currently wading through the low level mechanics of signature verification algorithms and terminology to wire up a rust library the way I want.
Brendan Hansknecht said:
Would be a great issue to open on each repo
Added issues for webserver and cli
Last updated: Jul 06 2025 at 12:14 UTC