thomastospace, 30 days ago

@ramsey If I recall correctly, don't quote me on this, that the APP_SECRET Is also used for 'remember me' tokens. So if it leaks, you can get into any account.

Which yeah.. It needs to be in .env.local instead at the very least.

pieceofthepie, 30 days ago

@ramsey the .env file should contain local development settings and IIRC the secret is needed just to function.

You're not supposed to put production secrets in there cause they're supposed to go in a .env.local or a .env.ENVIRONMENT_NAME.

Took me a good bit of time and plenty of reading of the docs but it all kinda makes sense.

ramsey, 30 days ago

@pieceofthepie I haven’t found anything that explains what APP_SECRET is used for, nor have I found any docs that say it needs to be regenerated for production

pieceofthepie, 30 days ago

@ramsey yeah, that is weirdly hard to track down :S

Symfony does have some oddities.

https://symfony.com/doc/current/reference/configuration/framework.html#secret

ramsey, 30 days ago

@pieceofthepie How am I supposed to know APP_SECRET maps to that?!

pieceofthepie, 30 days ago

@ramsey I think for the most part you'll want to look at the actual config files as the env vars are used in there.

https://github.com/symfony/demo/blob/a53f9304bd9b1ded5a44a3de51263a7de62a50d4/config/packages/framework.yaml#L3

manal, 1 month ago

@ramsey
@nicolasgrekas explains why here : https://github.com/symfony/symfony/issues/38021

ramsey, 1 month ago

@manal @nicolasgrekas I think that should be explained in a comment in the .env file (or at least linked to from there). I have no idea how the value is used, so I assumed it was a “dummy” value. I was planning to push this code as a public repo, but I guess it’s not wise to leave that value in there?

alessandrolai, 1 month ago

@ramsey @manal @nicolasgrekas well it's not sensible if it's used only locally, and then you use a .env.prod or (better) inject a real env variable in your prod environment.

In any case, you can suggest changes to this (like adding the link above in the default .env) in the recipes repo: https://github.com/symfony/recipes/tree/main/symfony/framework-bundle

ramsey, 1 month ago

Speaking of #Symfony, this PSR-15 middleware bundle for Symfony looks pretty cool. #PHP

https://github.com/kafkiansky/symfony-middleware

jaapio, 1 month ago

@ramsey downside... It's not a glue between symfony and existing middleware, which kinda defeats the purpose of psr?

ramsey, 1 month ago

@jaapio Oh, I must have misunderstood it, then. Oops!😬

ramsey, 30 days ago

@jaapio I’ve been looking into this more, and I’m not sure what you mean by “it’s not a glue between symfony and existing middleware.” That’s exactly what it looks like, to me.

It allows you to use anything that implements Psr\Http\Server\MiddlewareInterface as middleware in Symfony, so any existing middleware should work.

jaapio, 30 days ago

@ramsey oh, that's interesting! I didn't get at my first look. I was wrong. Sorry about that.

Crell, 1 month ago

@ramsey I believe it's used for a security key, much like the Laravel equivalent.

Symfony does some very dumb things with env files.

ramsey, 1 month ago

@Crell Shouldn’t they explain what it’s used for and that you should regenerate it for production?

jaapio, 1 month ago

@ramsey @Crell it's used for some hashing and random generation. Yes it's odd that they add a default value.

The env files and the way they are loaded can be a beast. But many other frameworks are doing it this way.

tobiaskoengeter, 1 month ago

@Crell @ramsey please tell us more about the dumb things.

ntha, 1 month ago

@tobiaskoengeter @Crell @ramsey My brief experience with Symfony was that Symfony likes defining routes and actions in a YAML file, which means of course I have no editor support and can't just go-to-definition of anything, having to always search for things manually. Horrible user experience.

ramsey, 30 days ago

@ntha @tobiaskoengeter @Crell You can use attributes to define routes, now, and you don’t have to use YAML for configs; you can use PHP instead.

Crell, 30 days ago

@tobiaskoengeter @ramsey The entire "commit your .env to use for some app settings, but also have a .env.actual-env that you don't commit that has env-sensitive stuff" is completely broken.

The whole point of a .env is to hold env-specific, non-committed stuff. If it should be consistent between instances, it should be in a config file, NOT an .env.

If you're committing .env to Git, you're wrong. End of story. Symfony wants you to do so. Thus Symfony is wrong.

tobiaskoengeter, 29 days ago

@Crell @ramsey I understand your point! I think there are several things mixed up in the .env: on the one hand, it is a kind of template that only describes what should be defined in the environment. The file could therefore also be called .env.boilerplate or .env.example. On the other hand, it also contains real information and is therefore not a template - which actually makes it inconsistent.

tobiaskoengeter, 29 days ago

@Crell @ramsey Even though I hate to say it, Laravel's logic is a little better here: during installation, the .env.example is taken as the basis and copied as .env.

ramsey, 29 days ago

@tobiaskoengeter @Crell Yep. This is how it should be. And then, that .env file is ignored in .gitignore.

Crell, 29 days ago

@ramsey @tobiaskoengeter This is the Way.