start

2026-02-03 22:20:03 -03:00
parent aea93418c5
commit db298babfc
14 changed files with 672 additions and 0 deletions
--- a/commands/generate-keys.sh
+++ b/commands/generate-keys.sh
@@ -0,0 +1,55 @@
+#!/bin/sh
+set -eu
+
+# === config ===
+JWT_EXP_ANON=3600
+JWT_EXP_SERVICE=315360000 # 10 years
+JWT_ISSUER="supabase"
+
+# === helpers ===
+b64url() {
+	openssl base64 -A | tr '+/' '-_' | tr -d '='
+}
+
+jwt_sign() {
+	header=$1
+	payload=$2
+	secret=$3
+
+	header_b64=$(printf '%s' "$header" | b64url)
+	payload_b64=$(printf '%s' "$payload" | b64url)
+
+	sig=$(printf '%s.%s' "$header_b64" "$payload_b64" |
+		openssl dgst -binary -sha256 -hmac "$secret" | b64url)
+
+	printf '%s.%s.%s\n' "$header_b64" "$payload_b64" "$sig"
+}
+
+# === generate JWT secret ===
+JWT_SECRET=$(openssl rand -hex 32)
+
+NOW=$(date +%s)
+
+JWT_HEADER='{"alg":"HS256","typ":"JWT"}'
+
+ANON_PAYLOAD=$(
+	cat <<EOF
+{"role":"anon","iss":"$JWT_ISSUER","iat":$NOW,"exp":$((NOW + JWT_EXP_ANON))}
+EOF
+)
+
+SERVICE_PAYLOAD=$(
+	cat <<EOF
+{"role":"service_role","iss":"$JWT_ISSUER","iat":$NOW,"exp":$((NOW + JWT_EXP_SERVICE))}
+EOF
+)
+
+ANON_KEY=$(jwt_sign "$JWT_HEADER" "$ANON_PAYLOAD" "$JWT_SECRET")
+SERVICE_ROLE_KEY=$(jwt_sign "$JWT_HEADER" "$SERVICE_PAYLOAD" "$JWT_SECRET")
+
+# === output .env-compatible ===
+cat <<EOF
+JWT_SECRET=$JWT_SECRET
+ANON_KEY=$ANON_KEY
+SERVICE_ROLE_KEY=$SERVICE_ROLE_KEY
+EOF