Lexikjwtauthenticationbundle: How to deploy securely using github and Heroku?

Created on 25 Mar 2019  路  2Comments  路  Source: lexik/LexikJWTAuthenticationBundle

Apologies if this is a FAQ, I'm new to this and it's better to be careful with security.

I have a project built using API Platform, using JWT for authentication. So in my .env file I have JWT_SECRET_KEY, JWT_PUBLIC_KEY and JWT_PASSPHRASE config. My project is on Github with a pipeline set up to deploy on Heroku.

Currently it's a private project, so that's all safe, but while it works in development on Docker it's not currently working when deployed to Heroku:

Uncaught PHP Exception Lexik\Bundle\JWTAuthenticationBundle\Exception\JWTEncodeFailureException: "Unable to create a signed JWT from the given configuration." at /app/vendor/lexik/jwt-authentication-bundle/Encoder/LcobucciJWTEncoder.php line 41

Any suggestions for how I might have misconfigured the deployment?

In case it's relevant, in time I want to make the github repository public. It doesn't feel great to have an open github project with my passphrase and private key files. What is the recommended approach to this - should I be generating the keys as part of deploying? Doing that correctly might also resolve whatever the problem is here.

Support

Most helpful comment

After further experimentation, this works to generate new keys on install.

        "post-install-cmd": [
            "@auto-scripts",
            "chmod -R 777 public/",
            "chmod -R 777 config/",
            "mkdir -p config/jwt",
            "openssl genrsa -out config/jwt/private.pem 4096",
            "openssl rsa -pubout -in config/jwt/private.pem -out config/jwt/public.pem"
        ],

All 2 comments

After further experimentation, this works to generate new keys on install.

        "post-install-cmd": [
            "@auto-scripts",
            "chmod -R 777 public/",
            "chmod -R 777 config/",
            "mkdir -p config/jwt",
            "openssl genrsa -out config/jwt/private.pem 4096",
            "openssl rsa -pubout -in config/jwt/private.pem -out config/jwt/public.pem"
        ],

Closing as solved, thank you for sharing your solution.

Was this page helpful?
0 / 5 - 0 ratings

Related issues

tahina4 picture tahina4  路  4Comments

kemicofa picture kemicofa  路  5Comments

tsdevelopment picture tsdevelopment  路  4Comments

christophe-mailfert picture christophe-mailfert  路  5Comments

ghost picture ghost  路  5Comments