Allow loading of private keys from environment variables instead of files. #43

Open
sheldonjuncker opened this issue Feb 7, 2023 · 2 comments

Comments

@sheldonjuncker

The Apple class accepts a key file path, which makes security more difficult as the keys in my setup need to be stored as environment variables and not committed to the codebase.

I'd suggest allowing the option for passing in an InMemory object directly as this class supports reading from files, strings, and base64 encoded strings.

My workaround is as follows:

    use Lcobucci\JWT\Signer\Key;
    use Lcobucci\JWT\Signer\Key\InMemory;
    use League\OAuth2\Client\Provider\Apple;

    class CustomApple extends Apple
    {
        // 'keyFilePath' carries the base64-encoded contents of the .p8 file,
        // so build the signing key in memory instead of reading a file from disk.
        public function getLocalKey(): Key|InMemory
        {
            return InMemory::base64Encoded($this->keyFilePath);
        }
    }

    $provider = new CustomApple([
        'clientId'    => $_ENV['APPLE_OAUTH_CLIENT_ID'],
        'teamId'      => $_ENV['APPLE_OAUTH_TEAM_ID'],
        'keyFileId'   => $_ENV['APPLE_OAUTH_KEY_ID'],
        'keyFilePath' => $_ENV['APPLE_OAUTH_KEY_BASE64'], // base64 of the key, not a path
        'redirectUri' => $_ENV['APPLE_OAUTH_REDIRECT_URI'],
    ]);
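The same in-memory approach, as an added example that is not code from this issue or from the oauth2-apple project. It follows the workaround above (the base64 secret still travels in the `keyFilePath` option, since the provider requires that option), but decodes the secret strictly and checks that it is a parseable PEM private key when the provider is constructed, so a truncated or mis-pasted environment variable fails at boot with a clear message rather than as an opaque signing error during login. Assumed to be installed: `League\OAuth2\Client\Provider\Apple` from patrickbussmann/oauth2-apple and `Lcobucci\JWT\Signer\Key\InMemory` from lcobucci/jwt 4.x; the class name `EnvKeyApple` is this example's own.

```php
<?php
declare(strict_types=1);

// Added example, not part of the issue or the oauth2-apple project.
// Assumes League\OAuth2\Client\Provider\Apple (patrickbussmann/oauth2-apple)
// and Lcobucci\JWT\Signer\Key\InMemory (lcobucci/jwt 4.x) are available.

use Lcobucci\JWT\Signer\Key;
use Lcobucci\JWT\Signer\Key\InMemory;
use League\OAuth2\Client\Provider\Apple;

final class EnvKeyApple extends Apple
{
    private Key $localKey;

    public function __construct(array $options = [], array $collaborators = [])
    {
        parent::__construct($options, $collaborators);
        // Decode eagerly so a bad secret is reported at construction, not mid-request.
        $this->localKey = self::keyFromBase64((string) ($options['keyFilePath'] ?? ''));
    }

    public function getLocalKey(): Key|InMemory
    {
        return $this->localKey;
    }

    /** Strict base64 decode, PEM header check, OpenSSL parse, then an InMemory key. */
    public static function keyFromBase64(string $encoded): InMemory
    {
        // Strict mode rejects any byte outside the base64 alphabet instead of skipping it.
        $pem = base64_decode(trim($encoded), true);
        if ($pem === false || $pem === '') {
            throw new InvalidArgumentException('APPLE_OAUTH_KEY_BASE64 is not valid base64');
        }
        // Apple's downloaded .p8 is a PKCS#8 PEM block; anything else is a mis-set secret.
        if (!str_starts_with(ltrim($pem), '-----BEGIN PRIVATE KEY-----')) {
            throw new InvalidArgumentException('decoded value is not a PEM "PRIVATE KEY" block');
        }
        // openssl_pkey_get_private() returns false for a malformed or unsupported key.
        if (openssl_pkey_get_private($pem) === false) {
            throw new InvalidArgumentException('decoded key cannot be parsed by OpenSSL');
        }
        return InMemory::plainText($pem);
    }
}

// Same options as the workaround; only the class differs.
$provider = new EnvKeyApple([
    'clientId'    => $_ENV['APPLE_OAUTH_CLIENT_ID'],
    'teamId'      => $_ENV['APPLE_OAUTH_TEAM_ID'],
    'keyFileId'   => $_ENV['APPLE_OAUTH_KEY_ID'],
    'keyFilePath' => $_ENV['APPLE_OAUTH_KEY_BASE64'], // base64 of the .p8 contents
    'redirectUri' => $_ENV['APPLE_OAUTH_REDIRECT_URI'],
]);
```

The key material never touches the filesystem, so there is nothing to clean up and no file permission to get wrong; the trade-off is that the secret lives in process memory for the lifetime of the provider, which is also true of the file-based provider once it has read the key.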
@sheldonjuncker

If a reasonable solution is to pass either a string file path or an InMemory object to the constructor, I'd be happy to submit a PR with the fix and update unit tests.

tadaszelvys pushed a commit to tadaszelvys/oauth2-apple that referenced this issue Jun 14, 2023
@jeroendesloovere

Hi @sheldonjuncker

I suggest you use an alternative approach.
Instead of keeping the file in the repo (which we obviously do not want), we keep the content of that file in a symfony/secret (which is encrypted).

Then at runtime you let some PHP logic create a file - if it does not already exist.

Just add the following above your $provider = new CustomApple([

        $this->createAppleKeyFileIfNotExists();

And provide a .env key using symfony/secrets. In that .env key you provide the base64-encoded value of the downloaded Apple .p8 file. Secure!


    // At the top of the class file:
    use Symfony\Component\Filesystem\Filesystem;

    // The enclosing class is assumed to hold $keyFileFolder, $keyFileId and
    // $keyContentBase64Encoded, populated from the secrets.
    private function getFilePath(): string
    {
        return sprintf(
            '%1$s/AuthKey_%2$s.p8',
            $this->keyFileFolder,
            $this->keyFileId
        );
    }

    private function createAppleKeyFileIfNotExists(): void
    {
        $filesystem = new Filesystem();
        if (!$filesystem->exists($this->getFilePath())) {
            // Decode the secret and write the .p8 file the Apple provider reads.
            $filesystem->dumpFile($this->getFilePath(), base64_decode($this->keyContentBase64Encoded));
        }
    }
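A file-materialising variant of the approach above, as an added example that is not code from this comment or from the oauth2-apple project. It does the job of `createAppleKeyFileIfNotExists()` with two properties a private-key file needs that a plain `Filesystem::dumpFile()` call does not guarantee: the file is created with owner-only permissions (`dumpFile()` uses `0666 & ~umask`, so a permissive umask can leave the key readable by other local users), and it is staged and renamed atomically, so a concurrent worker never reads a half-written key. The function name `writePrivateKeyFile` and the `APPLE_KEY_DIR` variable are this example's own; plain PHP functions are used so it runs without the Filesystem component.

```php
<?php
declare(strict_types=1);

// Added example, not part of the issue thread or the oauth2-apple project.
// Function and variable names below are constructed for this example.

/**
 * Write $pem to $path unless the file already exists, with mode 0600.
 * Returns true if the file was created, false if it was already there.
 */
function writePrivateKeyFile(string $path, string $pem): bool
{
    $dir = dirname($path);
    // Directory is owner-only too: listing key files is information a neighbour should not get.
    if (!is_dir($dir) && !mkdir($dir, 0700, true) && !is_dir($dir)) {
        throw new RuntimeException("cannot create key directory $dir");
    }
    if (file_exists($path)) {
        return false;
    }

    // Stage in the same directory so rename() is an atomic same-filesystem move.
    // tempnam() creates the file with mode 0600 before any key bytes are written.
    $tmp = tempnam($dir, 'AuthKey_');
    if ($tmp === false) {
        throw new RuntimeException("cannot create staging file in $dir");
    }
    try {
        if (file_put_contents($tmp, $pem, LOCK_EX) !== strlen($pem)) {
            throw new RuntimeException('short write while staging private key');
        }
        chmod($tmp, 0600); // explicit, rather than relying on tempnam()'s default
        if (!rename($tmp, $path)) {
            throw new RuntimeException("cannot move staged key into place at $path");
        }
    } finally {
        // Only present on failure: a successful rename() removes the source path.
        if (file_exists($tmp)) {
            unlink($tmp);
        }
    }
    return true;
}

// Usage, mirroring getFilePath(): directory and key id from the environment,
// the secret from the symfony/secrets-backed variable. Strict base64 decoding
// means a mis-pasted secret is rejected rather than written to disk.
$keyDir = $_ENV['APPLE_KEY_DIR'] ?? sys_get_temp_dir();
$path   = sprintf('%s/AuthKey_%s.p8', $keyDir, $_ENV['APPLE_OAUTH_KEY_ID']);
$pem    = base64_decode($_ENV['APPLE_OAUTH_KEY_BASE64'], true);
if ($pem === false || !str_starts_with(ltrim($pem), '-----BEGIN PRIVATE KEY-----')) {
    throw new InvalidArgumentException('APPLE_OAUTH_KEY_BASE64 is not a base64-encoded PEM key');
}
writePrivateKeyFile($path, $pem);
```

Once the file exists the original `Apple` provider can be pointed at `$path` through `keyFilePath` unchanged; the only thing worth checking operationally is that `$keyDir` is not a directory shared with other applications or served by the web server.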
