Next.js Discord

Discord Forum

Code running multiple times on import

Answered
Tiphiid wasp posted this in #help-forum
Tiphiid wasp (OP)
I hope this isn't off topic. When I import a generated token from my constants.ts file, it gets run every time. As far as I understood until now, the code gets run only on the first import and is then cached. Am I wrong?
Answered by joulev

32 Replies

Tiphiid wasp (OP)
So this is the token-code:
// Encode the random bytes directly: decoding them as UTF-8 text first replaces invalid sequences with U+FFFD and loses entropy
export const s2sSecret: string = Buffer.from(crypto.getRandomValues(new Uint8Array(32))).toString("base64");
console.log('S2S:', s2sSecret);

I normally import it like that:
import { s2sSecret } from "@/lib/server/constants";

But every time I use it e.g. like this:
if (req.headers.get('Authorization') === `Bearer ${s2sSecret}`) {

It prints a new token (the console.log(...) is just there to prove that something is going south).
Avatar
Hmm so how often should this secret change? New secret per request? Per build? Same value for the lifetime of the app?

Why are you having this secret here? Knowing its purpose would make it easier to give you directions
Tiphiid wasp (OP)
I'm making a server-to-server request from the middleware since a lot of things don't work in edge runtime at the moment (and you can't change it in the middleware). I already posted a question on that a few days ago. The token is used to make sure that it is the server itself that makes the request, not somebody else.
It should only change on startup, since the worst that somebody could do with it is to check if a token is valid or not (and I also check if the request is coming from the localhost, so at that point somebody would already have access to the server, which means that this would be our smallest problem).
Avatar
oh right, so basically fetching from middleware to an api route.

why don't you use an environment variable?
Answer
Avatar
just generate a random string and use it as an environment variable.
if you really want it to change every time the server starts up, you can dynamically generate the environment variable and use it in the start command
though i doubt rotating the environment variable will help much here, i'd just get a random string and use it as an env var
Tiphiid wasp (OP)
Oh good idea, thanks
I also stumbled across a solution telling me to use global or globalThis. Does that work too?
Avatar
i doubt that works because middleware runs on an entirely different runtime from the nodejs route handlers, they don't share the same runtime and don't really share anything with each other
those solutions are there to minimise the number of database connections as much as possible, not guaranteeing there is only one connection at all times
Tiphiid wasp (OP)
That makes sense, thank you very much
Tiphiid wasp (OP)
So I tried that. I'm setting them in this function:
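export function s2sSecret(): string {
    // Generate the secret once per runtime instance and cache it in process.env
    if (!process.env.S2S_SECRET) {
        // Encode the random bytes directly: a UTF-8 decode step would replace invalid sequences with U+FFFD
        process.env.S2S_SECRET = Buffer.from(crypto.getRandomValues(new Uint8Array(32))).toString("base64");
    }

    return process.env.S2S_SECRET;
}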

But it still doesn't work since as it looks this is separated too (maybe I'm just setting it wrong?)
Avatar
no you are supposed to set the env var in the .env.local file as any other environment variables
add S2S_SECRET=afjeiuwahglkeawhlkaejkfjawkfkajl to that line and you're good to go
Tiphiid wasp (OP)
Yes but I wanted to change it on every run
Avatar
try S2S_SECRET=$(openssl rand -hex 16) next dev then
with next build, next start
inside your package.json
Tiphiid wasp (OP)
So there is no way to do that in the code?
Avatar
no because as i told you, middleware and route handlers run on entirely different runtimes, they don't share anything
you can't magically send a variable from the global scope of this side to the global scope of another side
Tiphiid wasp (OP)
okay, that makes things pretty complicated
But thanks for the help
Avatar
i don't see why you would need that to change every run by the way
if your env vars are exposed you have more things to worry about than an api route being triggered more often than expected
just keep it simple
Tiphiid wasp (OP)
Yes but I was worried that somebody could eavesdrop on a request to the api route and steal the token
Avatar
no they can't, what happens on the server stays on the server, users cannot inspect whatever the middleware sends
Tiphiid wasp (OP)
okay thanks
Avatar
as long as you don't slap NEXT_PUBLIC to the env var, no one will ever know it
unless you expose your .env file in which case you have 100x more problems than just this