Open
Conversation
added 16 commits
March 24, 2026 14:20
…_secrets Implements the Cloudflare secret store adapter backed by worker::Env::secret(). Adds dispatch_with_secrets and dispatch_with_kv_and_secrets dispatch functions, and updates run_app to wire secrets through on every request.
- Prevent secret name leakage: NotFound/Validation/Internal errors now return generic messages with no secret identifiers in response bodies - Enforce consistent adapter opt-in: secret_store_enabled(adapter) replaces stores.secrets.is_some() so per-adapter enabled=false is respected - Fix Fastly SDK panic path: try_get/try_plaintext replace get/plaintext - Add manifest-level enabled flag with per-adapter override support - Fix EnvSecretStore: use var_os on unix for binary secret support - Serialize env-mutation tests with tokio::sync::Mutex + RAII EnvOverride - Add adapter-specific CLI build messages for secret store bindings
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
…tore + SecretHandle Replace the redundant single-arg SecretStore / SecretHandle pair and the two-arg SecretStoreProvider / SecretProviderHandle pair with a single two-arg SecretStore trait and SecretHandle wrapper, matching the KvStore / KvHandle naming convention. All adapters now implement SecretStore with get_bytes(store_name, key). Fastly opens a named store per lookup (FastlyNamedStore internal helper); Cloudflare and Axum ignore store_name (flat namespaces). InMemorySecretStore and NoopSecretStore are the test/noop implementations.
Contributor
ChristianPavilonis
left a comment
ChristianPavilonis
left a comment
There was a problem hiding this comment.
PR Review: Add provider-neutral secret store support
Overall: Well-structured implementation that cleanly mirrors the KV store pattern. Security hardening is thoughtful (sanitized errors, name validation, demo handler allowlisting). Comprehensive test coverage across all adapters. A few API design and code duplication issues worth addressing.
CI: All checks passing.
Findings: 3 High, 7 Medium, 4 Low (details in inline comments below)
Positives
- Excellent security hardening — secret names sanitized in error conversion, verified by tests
- Clean architectural parity with KV store pattern
validate_namerejects empty, control-char, and oversized names- Demo handler allowlist prevents secret exfiltration
- Comprehensive test coverage (460+ lines, contract tests, TCP integration tests)
- Proper
#[must_use]on builder methods
- Consolidate dispatch: both adapters now resolve handles in run_app and call dispatch_with_handles directly; promotes resolve_kv_handle, resolve_secret_handle, dispatch_with_handles to pub(crate) - Remove dead _secret_binding param from Cloudflare dispatch_with_kv_and_secrets - Replace DummyKvStore with NoopKvStore in both adapter store_handles tests - Extract shared EnvOverride + env_guard into axum test_utils module - Export NoopKvStore under test-utils feature to match secret-store pattern - Add doc comments to RequestContext::kv_handle and secret_handle - Add GHAS safety comment to Secrets::from_request in extractor.rs - Document breaking-change on run_app for both Fastly and Cloudflare adapters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
[stores.secrets]configuration into each adapter while preserving the existing low-level manual dispatch behavior.Design
SecretStoreis a single two-argument trait —get_bytes(store_name, key)— mirroring theKvStore/KvHandlenaming convention.SecretHandleis the ergonomic cloneable wrapper injected into request context. Platforms with named secret stores (Fastly) usestore_nameto open the right store; Cloudflare and Axum ignore it (flat namespaces).Changes
crates/edgezero-coreSecretStoretrait (get_bytes(store_name, key)),SecretHandlewrapper, sanitizedSecretErrormapping, request-context/extractor support,InMemorySecretStore+NoopSecretStoretest helpers,secret_store_contract_tests!macro, and[stores.secrets]manifest schema with adapter overrides.crates/edgezero-adapter-fastlyFastlySecretStore(opens a named Fastly SecretStore per lookup), manifest-aware secret wiring, and a private shared store-handle injection path for KV + secrets.crates/edgezero-adapter-cloudflareCloudflareSecretStore(ignores store name; flat namespace), manifest-aware secret wiring, and a private shared store-handle injection path for KV + secrets.crates/edgezero-adapter-axumEnvSecretStore(reads from env vars; ignores store name), service/dev-server secret injection, and TCP integration tests for secret-present / missing / no-store cases.crates/edgezero-cli/src/main.rsedgezero build.examples/app-demo/crates/app-demo-core/src/handlers.rssecrets_echodemo handler with allowlisted smoke-test keys and tests for success, sanitized failure, and invalid input.examples/app-demo/edgezero.toml[stores.secrets]configuration.examples/app-demo/crates/app-demo-adapter-fastly/fastly.tomlscripts/smoke_test_secrets.shdocs/guide/configuration.md[[environment.secrets]].Closes
Closes #59
Test plan
cargo test --workspace --all-targetscargo clippy --workspace --all-targets --all-features -- -D warningscargo check --workspace --all-targets --features "fastly cloudflare"wasm32-wasip1(Fastly) /wasm32-unknown-unknown(Cloudflare)edgezero-cli devcargo test -p app-demo-core,bash -n scripts/smoke_test_secrets.sh,./docs/node_modules/.bin/prettier --check docs/guide/configuration.md,npm --prefix docs run buildChecklist
{id}syntax (not:id)edgezero_core(nothttpcrate)