✨ Allow to use STRAVA_CLIENT_SECRET_FILE and STRAVA_REFRESH_TOKEN_FILE instead of STRAVA_CLIENT_SECRET and STRAVA_REFRESH_TOKEN

Author: llaumgui

config/services.yaml

@@ -7,6 +7,8 @@ parameters:
     env(APP_DEBUG): 0
     env(LOCK_DSN): 'flock'
     env(TZ): ''
+    _strava_refresh_token: '%env(string:STRAVA_REFRESH_TOKEN)%'
+    _strava_client_secret: '%env(string:STRAVA_CLIENT_SECRET)%'
 
 services:
     # default configuration for services in *this* file
@@ -156,11 +158,11 @@ services:
 
     App\Domain\Strava\StravaClientSecret:
         factory: [ null, 'fromString' ]
-        arguments: ['%env(string:STRAVA_CLIENT_SECRET)%']
+        arguments: ['%env(default:_strava_client_secret:file:STRAVA_CLIENT_SECRET_FILE)%']
 
     App\Domain\Strava\StravaRefreshToken:
         factory: [ null, 'fromString' ]
-        arguments: ['%env(string:STRAVA_REFRESH_TOKEN)%']
+        arguments: ['%env(default:_strava_refresh_token:file:STRAVA_REFRESH_TOKEN_FILE)%']
 
     App\Domain\Athlete\AthleteBirthDate:
         factory: [ null, 'fromString' ]

docs/getting-started/installation.md

@@ -109,6 +109,12 @@ TZ=Etc/GMT
 # CADDY_LOG_LEVEL=ERROR
 ```
 
+> [!IMPORTANT] Instead of passing secrets directly via the `STRAVA_CLIENT_SECRET` and `STRAVA_REFRESH_TOKEN` environment variables, you can use [Docker Compose secrets](https://docs.docker.com/compose/how-tos/use-secrets/).
+>
+> Define `STRAVA_CLIENT_SECRET_FILE` and `STRAVA_REFRESH_TOKEN_FILE` to point to the secret files (typically located in /run/secrets/). When the standard environment variables are not set, the application will automatically read the values from these files.
+>
+> This approach is recommended when running the application with Docker Compose, as it avoids exposing sensitive values in environment variables.
+
 ## config.yaml
 
 [include](../configuration/config-yaml-example.md ':include')

src/Console/Debug/DebugEnvironmentConsoleCommand.php

@@ -45,8 +45,8 @@ protected function execute(InputInterface $input, OutputInterface $output): int
             ->setRows([
                 ['APP_VERSION', AppVersion::getSemanticVersion()],
                 ['STRAVA_CLIENT_ID', $autoRedactSensitiveInfo ? $redactedString : getenv('STRAVA_CLIENT_ID')],
-                ['STRAVA_CLIENT_SECRET', $autoRedactSensitiveInfo ? $redactedString : getenv('STRAVA_CLIENT_SECRET')],
-                ['STRAVA_REFRESH_TOKEN', $autoRedactSensitiveInfo ? $redactedString : getenv('STRAVA_REFRESH_TOKEN')],
+                ['STRAVA_CLIENT_SECRET', $autoRedactSensitiveInfo ? $redactedString : $this->getenvOrFile('STRAVA_CLIENT_SECRET')],
+                ['STRAVA_REFRESH_TOKEN', $autoRedactSensitiveInfo ? $redactedString : $this->getenvOrFile('STRAVA_REFRESH_TOKEN')],
                 ['TZ', getenv('TZ')],
             ]);
         $table->render();
@@ -66,4 +66,19 @@ protected function execute(InputInterface $input, OutputInterface $output): int
 
         return Command::SUCCESS;
     }
+
+    protected function getenvOrFile(string $var): ?string
+    {
+        $value = getenv($var);
+        if (false !== $value && '' !== $value) {
+            return $value;
+        }
+
+        $file = getenv($var.'_FILE');
+        if ($file && is_readable($file)) {
+            return trim((string) file_get_contents($file));
+        }
+
+        return null;
+    }
 }