
#277: Revert - Make SECRET_SIGN_KEY environment auto-generated on backend start #294

Conversation

AntonioMrtz
Copy link
Owner

Description

Reverts #278

The auto generation of the secret signing key causes 2 problems:

  • Having multiple workers means there are two instances of the app. Each instance has a different signing key and fails when validating the signature of a JWT generated by the other instance.
  • The Render production server stops the backend after 5 minutes have passed. This means a new signing key is created every time the app is launched from a sleep state.

Why the bug wasn't caught before production deployment

  • Using hot reload in development mode disables workers. This behaviour is produced by FastAPI. Developers usually use ENV_VALUE=DEV, which triggers hot reload mode.
  • FastAPI test client only creates 1 instance of the app. An instance of the app is created in every test suite, but it only interacts with entities created with that instance's JWT.

Commit type

Revert

Issue

#277

Proposed Changes

  • Revert SECRET_KEY_SIGN removal from environment

Potential Impact

Screenshots

Additional Tasks

Assigned

@AntonioMrtz

…p instead of environment variable | [#277]"

The auto-generation of the secret signing key caused two major issues in production:

1. Multiple workers create separate instances of the app, each with a different signing key.
   This leads to validation failures when one instance tries to validate a JWT generated by another instance.
2. Render's production server sleeps after 5 minutes of inactivity, causing the signing key to be regenerated
   each time the app restarts, invalidating previously issued tokens.

**Why this bug wasn't caught before production:**
- Development mode uses hot reload, which disables workers. As a result, developers using ENV_VALUE=DEV
  only test with a single app instance.
- The FastAPI test client also spawns a single app instance for testing, so the issue was not exposed during testing.

This fix ensures that the JWT signing key is persisted across app instances and restarts.

This reverts commit 2a8505c.
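An added example (not the project's own code) modelling the failure described above and in the commit message: two worker instances that each generate their own HS256 signing key on start cannot validate each other's JWTs, whereas a key shared through the `SECRET_KEY_SIGN` environment variable makes cross-worker (and post-restart) verification succeed. The minimal HS256 sign/verify routine, the `AppInstance` class and the way the environment is read are constructed for illustration, not taken from the repository.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


class AppInstance:
    """Models one backend worker (hypothetical). If SECRET_KEY_SIGN is absent
    from env, the worker invents its own key on start (the reverted behaviour);
    otherwise it uses the shared environment value (the restored behaviour)."""

    def __init__(self, env: dict):
        key = env.get("SECRET_KEY_SIGN")
        self.key = key.encode() if key else secrets.token_bytes(32)

    def sign(self, payload: dict) -> str:
        header = _b64url(b'{"alg":"HS256","typ":"JWT"}')
        body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
        sig = hmac.new(self.key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        return f"{header}.{body}.{_b64url(sig)}"

    def verify(self, token: str) -> Optional[dict]:
        """Return the payload if the HMAC matches this worker's key, else None."""
        parts = token.split(".")
        if len(parts) != 3:
            return None
        header, body, sig = parts
        expected = hmac.new(self.key, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(body))


def cross_worker_check(env: dict) -> bool:
    """Worker A issues a token; worker B (a second process started from the
    same environment) validates it. A restart after Render's sleep is the same
    situation: a fresh instance checking a token issued by the previous one."""
    worker_a, worker_b = AppInstance(env), AppInstance(env)
    token = worker_a.sign({"sub": "alice"})
    return worker_b.verify(token) is not None
```

With an empty environment `cross_worker_check` returns False (each worker has its own random key); with `SECRET_KEY_SIGN` set it returns True.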
@AntonioMrtz AntonioMrtz added bug Something isn't working backend Backend related issues labels Jan 1, 2025
@AntonioMrtz AntonioMrtz self-assigned this Jan 1, 2025
@AntonioMrtz AntonioMrtz linked an issue Jan 1, 2025 that may be closed by this pull request
@AntonioMrtz AntonioMrtz merged commit 7e65f58 into master Jan 1, 2025
1 check passed
@AntonioMrtz AntonioMrtz deleted the revert/277-make-secret_sign_key-environment-auto-generated-on-backend-start branch January 1, 2025 21:53