Merge pull request #49 from ElliotThiebaut/support-docker-secrets

luizfonseca · web-flow · commit cee3e7caa283 · 2025-02-27T23:06:23.000+01:00
feat: support file secrets for env variables
diff --git a/README.md b/README.md
@@ -69,6 +69,9 @@ providing a more secure way for users to access protected routes.
 | `SERVER_ADDRESS`             | The server address                                                            | `:80`   | No       |
 | `DEBUG_MODE`                 | Enable debug mode and set log level to debug                                  | `false` | No       |
 | `LOG_LEVEL`                  | The log level, Available values: debug, info, warn, error                     | `info`  | No       |
+You can append `_FILE` to any of the environment variable names to load the value from a file.
+
+E.g. `GITHUB_OAUTH_CLIENT_SECRET_FILE=/run/secrets/github_oauth_client_SECRET` where the content of the file `/run/secrets/github_oauth_client_SECRET` will be used as the environment variable.
 
 ### Middleware Configuration
 
diff --git a/internal/app/traefik-github-oauth-server/config.go b/internal/app/traefik-github-oauth-server/config.go
@@ -19,16 +19,35 @@ type Config struct {
 	GithubOauthScopes       []string
 }
 
+func envFromFile(key string) string {
+	fileEnvKey := key + "_FILE"
+
+	if value := os.Getenv(fileEnvKey); value != "" {
+		content, err := os.ReadFile(value)
+		if err == nil {
+			return strings.TrimSpace(string(content))
+		}
+	}
+	return ""
+}
+
+func envString(key string) string {
+	if value := envFromFile(key); value != "" {
+		return value
+	}
+	return os.Getenv(key)
+}
+
 func envWithDefault(key string, defaultValue string) string {
-	value := os.Getenv(key)
+	value := envString(key)
 	if value == "" {
 		return defaultValue
 	}
 	return value
 }
 
 func githubOauthScopeConfigs() []string {
-	scopesFromEnv := os.Getenv("GITHUB_OAUTH_SCOPES")
+	scopesFromEnv := envString("GITHUB_OAUTH_SCOPES")
 	if scopesFromEnv != "" {
 		return strings.Split(scopesFromEnv, ",")
 	}
@@ -38,13 +57,13 @@ func githubOauthScopeConfigs() []string {
 
 func NewConfigFromEnv() *Config {
 	return &Config{
-		ApiBaseURL:              os.Getenv("API_BASE_URL"),
-		ApiSecretKey:            os.Getenv("API_SECRET_KEY"),
-		ServerAddress:           os.Getenv("SERVER_ADDRESS"),
-		DebugMode:               cast.ToBool(os.Getenv("DEBUG_MODE")),
+		ApiBaseURL:              envString("API_BASE_URL"),
+		ApiSecretKey:            envString("API_SECRET_KEY"),
+		ServerAddress:           envString("SERVER_ADDRESS"),
+		DebugMode:               cast.ToBool(envString("DEBUG_MODE")),
 		LogLevel:                envWithDefault("LOG_LEVEL", "INFO"),
-		GitHubOAuthClientID:     os.Getenv("GITHUB_OAUTH_CLIENT_ID"),
-		GitHubOAuthClientSecret: os.Getenv("GITHUB_OAUTH_CLIENT_SECRET"),
+		GitHubOAuthClientID:     envString("GITHUB_OAUTH_CLIENT_ID"),
+		GitHubOAuthClientSecret: envString("GITHUB_OAUTH_CLIENT_SECRET"),
 		GithubOauthScopes:       githubOauthScopeConfigs(),
 	}
 }
