4

I'm trying to use express-stormpath on my Heroku app. I'm following the docs here, and my code is super simple:

var express = require('express');
var app = express();
var stormpath = require('express-stormpath');

app.use(stormpath.init(app, {
  website: true
}));

app.on('stormpath.ready', function() {
  app.listen(3000);
});

I've already looked at this question and followed the Heroku devcenter docs. The docs say that for an Heroku app, it's not necessary to pass in options, but I've still tried passing in options and nothing works. For example, I've tried this:

app.use(stormpath.init(app, {
   // client: {
   //   file: './xxx.properties'
   // },
   client: {
     apiKey: {
       file: './xxx.properties',
       id: process.env.STORMPATH_API_KEY_ID || 'xxx',
       secret: process.env.STORMPATH_API_KEY_SECRET || 'xxx'    
     }
   },
   application: {
     href: 'https://api.stormpath.com/v1/applications/blah'
   },
}));

To try and see what's going on, I added a console.log line to the stormpath-config strategy valdiator to print the client object, and it gives me this:

{ file: './apiKey-xxx.properties',
  id: 'xxx',
  secret: 'xxx' }
{ file: null, id: null, secret: null }

Error: API key ID and secret is required.

Why is it getting called twice, and the second time around, why does the client object have null values for the file, id and secret?

When I run heroku config | grep STORMPATH, I get

STORMPATH_API_KEY_ID:     xxxx
STORMPATH_API_KEY_SECRET: xxxx
STORMPATH_URL:    https://api.stormpath.com/v1/applications/[myappurl]
Community
  • 1
  • 1
arete
  • 711
  • 6
  • 8
  • What is the output of `heroku config | grep STORMPATH`? It may be that the wrong environment variables are being populated in Heroku. – Nate Barbettini Jul 06 '16 at 06:15
  • Edited - env variables look properly set, but ValidateClientConfigStrategy.js is still printing `{ file: null, id: null, secret: null }` – arete Jul 06 '16 at 06:59
  • Can you try using `heroku config:set` ([docs](https://devcenter.heroku.com/articles/config-vars#setting-up-config-vars-for-a-deployed-application)) to set these environment variables instead: `STORMPATH_CLIENT_APIKEY_ID`, `STORMPATH_CLIENT_APIKEY_SECRET`, `STORMPATH_APPLICATION_HREF` – Nate Barbettini Jul 06 '16 at 16:49
  • still no. `heroku config | grep STORMPATH` now shows: `STORMPATH_API_KEY_ID: xxx` `STORMPATH_API_KEY_SECRET: xxx` `STORMPATH_APPLICATION_HREF: https://api.stormpath.com/v1/applications/blah` `STORMPATH_CLIENT_APIKEY_ID: xxx` `STORMPATH_CLIENT_APIKEY_SECRET: xxx` `STORMPATH_URL: https://api.stormpath.com/v1/applications/blah` – arete Jul 06 '16 at 18:40
  • Can you try deploying one of our example applications, using only environment variables (no custom config)? I'd like to know how that goes. For example: https://github.com/stormpath/express-stormpath-sample-project – robertjd Jul 06 '16 at 21:09

2 Answers2

2

After endless hours, I managed to finally get it working by removing the add-on entirely and re-installing it via the Heroku CLI and then exporting variables STORMPATH_CLIENT_APIKEY_ID and STORMPATH_CLIENT_APIKEY_SECRET. For some reason, installing it via the Heroku Dashboard causes express-stormpath to not find the apiKey and secret fields (even if you export variables).

arete
  • 711
  • 6
  • 8
2

I'm the original author of the express-stormpath library, and also wrote the Heroku documentation for Stormpath.

This is 100% my fault, and is a documentation / configuration bug on Stormpath's side of things.

Back in the day, all of our libraries looked for several environment variables by default:

  • STORMPATH_URL (your Application URL)
  • STORMPATH_API_KEY_ID
  • STORMPATH_API_KEY_SECRET

However, a while ago, we started upgrading our libraries, and realized that we wanted to go with a more standard approach across all of our supported languages / frameworks / etc. In order to make things more explicit, we essentially renamed the variables we look for by default, to:

  • STORMPATH_APPLICATION_HREF
  • STORMPATH_CLIENT_APIKEY_ID
  • STORMPATH_CLIENT_APIKEY_SECRET

Unfortunately, we did not yet update our Heroku integration or documentation to reflect these changes, which is why you just ran into this nasty issue.

I just submitted a ticket to our Engineering team to fix the names of the variables that our Heroku addon provisions by default to include our new ones, and I'm going to be updating our Heroku documentation later this afternoon to fix this for anyone else in the future.

I'm sincerely sorry about all the confusion / frustration. Sometimes these things slip through the cracks, and experiences like this make me realize we need better testing in place to catch this stuff earlier.

I'll be working on some changes internally to make sure we have a better process around rolling out updates like this one.

If you want a free Stormpath t-shirt, hit me up and I'll get one shipped out to you as a small way to say 'thanks' for putting up with the annoyance: randall@stormpath.com

rdegges
  • 32,786
  • 20
  • 85
  • 109
  • I seem to be having the same problem, but I am not using Heroku, just a local express app, following the example found here: https://stormpath.com/blog/making-expressjs-authentication-fun-again. The same debugging has led me to the strategy validator being called twice, with the correct data appearing the first time and the data all being null the second time. – Carasel Jul 09 '16 at 16:21
  • So how to deal with the API key pair? I downloaded it and totally have no idea even after reading the tutorials, thanks. – Samoth Feb 10 '17 at 05:39