updated self host vars, reduced the number of required env vars

fomalhautb · fomalhautb · commit 55a6309277f4 · 2024-12-08T16:29:08.000-08:00
diff --git a/apps/backend/.env b/apps/backend/.env
@@ -1,7 +1,7 @@
 # Basic
 NEXT_PUBLIC_STACK_API_URL=# the base URL of Stack's backend/API. For local development, this is `http://localhost:8102`; for the managed service, this is `https://api.stack-auth.com`.
 NEXT_PUBLIC_STACK_DASHBOARD_URL=# the URL of Stack's dashboard. For local development, this is `http://localhost:8101`; for the managed service, this is `https://app.stack-auth.com`.
-STACK_SERVER_SECRET=# a random, unguessable secret key generated by `pnpm generate-keys`
+STACK_SECRET_SERVER_KEY=# a random, unguessable secret key generated by `pnpm generate-keys`
 
 # seed script settings
 STACK_SEED_INTERNAL_PROJECT_SIGN_UP_ENABLED=# true to add OTP auth to the dashboard when seeding
diff --git a/apps/backend/prisma/seed.ts b/apps/backend/prisma/seed.ts
@@ -18,10 +18,13 @@ async function seed() {
   const dashboardDomain = process.env.NEXT_PUBLIC_STACK_DASHBOARD_URL;
   const oauthProviderIds = process.env.STACK_SEED_INTERNAL_PROJECT_OAUTH_PROVIDERS?.split(',') ?? [];
   const otpEnabled = process.env.STACK_SEED_INTERNAL_PROJECT_OTP_ENABLED === 'true';
-  const signUpEnabled = process.env.STACK_SEED_INTERNAL_PROJECT_SIGN_UP_ENABLED === 'true';
+  const signUpEnabled = process.env.STACK_SEED_INTERNAL_PROJECT_SIGN_UP_DISABLED !== 'true';
   const allowLocalhost = process.env.STACK_SEED_INTERNAL_PROJECT_ALLOW_LOCALHOST === 'true';
   const clientTeamCreation = process.env.STACK_SEED_INTERNAL_PROJECT_CLIENT_TEAM_CREATION === 'true';
 
+  const apiKeyId = '3142e763-b230-44b5-8636-aa62f7489c26';
+  const defaultUserId = '33e7c043-d2d1-4187-acd3-f91b5ed64b46';
+
   let internalProject = await prisma.project.findUnique({
     where: {
       id: 'internal',
@@ -38,20 +41,9 @@ async function seed() {
         displayName: 'Stack Dashboard',
         description: 'Stack\'s admin dashboard',
         isProductionMode: false,
-        apiKeySets: {
-          create: [{
-            description: "Internal API key set",
-            // These keys must match the values used in the Stack dashboard env to be able to login via the UI.
-            publishableClientKey: process.env.STACK_SEED_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY || throwErr('STACK_SEED_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY is not set'),
-            secretServerKey: process.env.STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY || throwErr('STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY is not set'),
-            superSecretAdminKey: process.env.STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY || throwErr('STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY is not set'),
-            expiresAt: new Date('2099-12-31T23:59:59Z'),
-          }],
-        },
         config: {
           create: {
             allowLocalhost: true,
-            signUpEnabled,
             emailServiceConfig: {
               create: {
                 proxiedEmailServiceConfig: {
@@ -123,14 +115,42 @@ async function seed() {
     console.log('Internal project created');
   }
 
+  if (internalProject.config.signUpEnabled !== signUpEnabled) {
+    await prisma.projectConfig.update({
+      where: {
+        id: internalProject.configId,
+      },
+      data: {
+        signUpEnabled,
+      }
+    });
+
+    console.log(`Updated signUpEnabled for internal project: ${signUpEnabled}`);
+  }
+
+  await prisma.apiKeySet.upsert({
+    where: { projectId_id: { projectId: 'internal', id: apiKeyId } },
+    update: {},
+    create: {
+      id: apiKeyId,
+      projectId: 'internal',
+      description: "Internal API key set",
+      // These keys must match the values used in the Stack dashboard env to be able to login via the UI.
+      publishableClientKey: process.env.STACK_SEED_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY || throwErr('STACK_SEED_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY is not set'),
+      secretServerKey: process.env.STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY || throwErr('STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY is not set'),
+      superSecretAdminKey: process.env.STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY || throwErr('STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY is not set'),
+      expiresAt: new Date('2099-12-31T23:59:59Z'),
+    }
+  });
+
   // Create optional default admin user if credentials are provided.
   // This user will be able to login to the dashboard with both email/password and magic link.
   if ((adminEmail && adminPassword) || adminGithubId) {
     await prisma.$transaction(async (tx) => {
       const oldAdminUser = await tx.projectUser.findFirst({
         where: {
           projectId: 'internal',
-          projectUserId: '33e7c043-d2d1-4187-acd3-f91b5ed64b46'
+          projectUserId: defaultUserId
         }
       });
 
@@ -140,7 +160,7 @@ async function seed() {
         const newUser = await tx.projectUser.create({
           data: {
             displayName: 'Administrator (created by seed script)',
-            projectUserId: '33e7c043-d2d1-4187-acd3-f91b5ed64b46',
+            projectUserId: defaultUserId,
             projectId: 'internal',
             serverMetadata: adminInternalAccess
               ? { managedProjectIds: ['internal'] }
diff --git a/docker/server/.env b/docker/server/.env
@@ -1,13 +1,9 @@
 NEXT_PUBLIC_STACK_API_URL=# https://your-backend-domain.com
 NEXT_PUBLIC_STACK_DASHBOARD_URL=# https://your-dashboard-domain.com, this will be added as a trusted domain by the seed script
-STACK_SEED_INTERNAL_PROJECT_ALLOW_LOCALHOST=# if true, the internal dashboard project will allow localhost as a trusted domain. Do not set this to true in production.
 
 STACK_DATABASE_CONNECTION_STRING=# postgres connection string with pooler
 STACK_DIRECT_DATABASE_CONNECTION_STRING=# postgres direct connection string
 
-NEXT_PUBLIC_STACK_PROJECT_ID=internal
-NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY=# a secure random string
-STACK_SECRET_SERVER_KEY=# a secure random string
 STACK_SERVER_SECRET=# a 32 bytes base64url encoded random string, used for JWT encryption. can be generated with `pnpm generate-keys`
 
 # seed script settings
@@ -33,5 +29,5 @@ STACK_SVIX_SERVER_URL=# this is only needed if you self-host the Svix service
 STACK_SVIX_API_KEY=
 
 
-STACK_RUN_MIGRATIONS=true
-STACK_RUN_SEED_SCRIPT=true
+STACK_SKIP_MIGRATIONS=# true to skip prisma migrations
+STACK_SKIP_SEED_SCRIPT=# true to skip the seed script
diff --git a/docker/server/.env.example b/docker/server/.env.example
@@ -4,13 +4,10 @@ NEXT_PUBLIC_STACK_DASHBOARD_URL=http://localhost:8101
 STACK_DATABASE_CONNECTION_STRING=postgres://postgres:PASSWORD-PLACEHOLDER--uqfEC1hmmv@host.docker.internal:5432/stackframe
 STACK_DIRECT_DATABASE_CONNECTION_STRING=postgres://postgres:PASSWORD-PLACEHOLDER--uqfEC1hmmv@host.docker.internal:5432/stackframe
 
-STACK_SEED_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY=this-publishable-client-key-is-for-local-development-only
-STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY=this-secret-server-key-is-for-local-development-only
-STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY=23-wuNpik0gIW4mruTz25rbIvhuuvZFrLOLtL7J4tyo
+STACK_SERVER_SECRET=23-wuNpik0gIW4mruTz25rbIvhuuvZFrLOLtL7J4tyo
+
 STACK_SEED_INTERNAL_PROJECT_ALLOW_LOCALHOST=true
-STACK_SEED_INTERNAL_PROJECT_USER_EMAIL=admin@email.com
-STACK_SEED_INTERNAL_PROJECT_USER_PASSWORD=password
-STACK_SEED_INTERNAL_PROJECT_USER_INTERNAL_ACCESS=false
+STACK_SEED_INTERNAL_PROJECT_SIGN_UP_ENABLED=true
 
 STACK_RUN_MIGRATIONS=true
 STACK_RUN_SEED_SCRIPT=true
diff --git a/docker/server/entrypoint.sh b/docker/server/entrypoint.sh
@@ -2,25 +2,29 @@
 
 set -e
 
+export STACK_SEED_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY=$(openssl rand -base64 32)
+export STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY=$(openssl rand -base64 32)
+export STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY=$(openssl rand -base64 32)
+
 export NEXT_PUBLIC_STACK_PROJECT_ID=internal
 export NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY=${STACK_SEED_INTERNAL_PROJECT_PUBLISHABLE_CLIENT_KEY}
 export STACK_SECRET_SERVER_KEY=${STACK_SEED_INTERNAL_PROJECT_SECRET_SERVER_KEY}
 export STACK_SUPER_SECRET_ADMIN_KEY=${STACK_SEED_INTERNAL_PROJECT_SUPER_SECRET_ADMIN_KEY}
 
-if [ "$STACK_RUN_MIGRATIONS" = "true" ]; then
+if [ "$STACK_SKIP_MIGRATIONS" = "true" ]; then
+  echo "Skipping migrations."
+else
   echo "Running migrations..."
   prisma migrate deploy --schema=./apps/backend/prisma/schema.prisma
-else
-  echo "Skipping migrations."
 fi
 
-if [ "$STACK_RUN_SEED_SCRIPT" = "true" ]; then
+if [ "$STACK_SKIP_SEED_SCRIPT" = "true" ]; then
+  echo "Skipping seed script."
+else
   echo "Running seed script..."
   cd apps/backend
   node seed.js
   cd ../..
-else
-  echo "Skipping seed script."
 fi
 
 # Start backend and dashboard in parallel
diff --git a/examples/demo/.env b/examples/demo/.env
@@ -1,4 +1,3 @@
 NEXT_PUBLIC_STACK_API_URL=# enter your stack endpoint here, e.g. http://localhost:8102
 NEXT_PUBLIC_STACK_PROJECT_ID=# enter your stack project id here
 NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY=# enter your stack publishable client key here
-STACK_SECRET_SERVER_KEY=# enter your stack secret server key here
diff --git a/examples/demo/.env.development b/examples/demo/.env.development
@@ -3,4 +3,4 @@
 NEXT_PUBLIC_STACK_API_URL=http://localhost:8102
 NEXT_PUBLIC_STACK_PROJECT_ID=internal
 NEXT_PUBLIC_STACK_PUBLISHABLE_CLIENT_KEY=this-publishable-client-key-is-for-local-development-only
-STACK_SECRET_SERVER_KEY=this-secret-server-key-is-for-local-development-only
+STACK_SECRET_SERVER_KEY=this-secret-server-key-is-for-local-development-only
diff --git a/examples/supabase/package.json b/examples/supabase/package.json
@@ -3,7 +3,8 @@
   "version": "2.6.34",
   "private": true,
   "scripts": {
-    "dev": "next dev --port 8115",
+    "dev": "next dev --turbo --port 8103",
+    "clean": "rimraf .next && rimraf node_modules",
     "build": "next build",
     "start": "next start"
   },
@@ -12,7 +13,7 @@
     "@supabase/ssr": "latest",
     "@supabase/supabase-js": "latest",
     "jose": "^5.2.2",
-    "next": "latest",
+    "next": "^15.0.3",
     "react": "18.2.0",
     "react-dom": "18.2.0"
   },
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
