suitenumerique · soyouzpanda · Apr 28, 2025 · Apr 29, 2025
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -24,7 +24,8 @@ and this project adheres to
 - ✅(frontend) Improve tests coverage
 - ⬆️(docker) upgrade backend image to python 3.13 #973
 - ⬆️(docker) upgrade node images to alpine 3.21
-
+- ✨(backend) support `_FILE` environment variables for secrets #912
+- ✨(frontend) support `_FILE` environment variables for secrets #912
 
 ### Removed
 

diff --git a/src/backend/impress/settings.py b/src/backend/impress/settings.py
@@ -18,6 +18,7 @@
 
 import sentry_sdk
 from configurations import Configuration, values
+from lasuite.configuration.values import SecretFileValue
 from sentry_sdk.integrations.django import DjangoIntegration
 from sentry_sdk.integrations.logging import ignore_logger
 
@@ -65,7 +66,7 @@ class Base(Configuration):
 
     # Security
     ALLOWED_HOSTS = values.ListValue([])
-    SECRET_KEY = values.Value(None)
+    SECRET_KEY = SecretFileValue(None)
     SERVER_TO_SERVER_API_TOKENS = values.ListValue([])
 
     # Application definition
@@ -84,7 +85,7 @@ class Base(Configuration):
                 "impress", environ_name="DB_NAME", environ_prefix=None
             ),
             "USER": values.Value("dinum", environ_name="DB_USER", environ_prefix=None),
-            "PASSWORD": values.Value(
+            "PASSWORD": SecretFileValue(
                 "pass", environ_name="DB_PASSWORD", environ_prefix=None
             ),
             "HOST": values.Value(
@@ -122,10 +123,10 @@ class Base(Configuration):
     AWS_S3_ENDPOINT_URL = values.Value(
         environ_name="AWS_S3_ENDPOINT_URL", environ_prefix=None
     )
-    AWS_S3_ACCESS_KEY_ID = values.Value(
+    AWS_S3_ACCESS_KEY_ID = SecretFileValue(
         environ_name="AWS_S3_ACCESS_KEY_ID", environ_prefix=None
     )
-    AWS_S3_SECRET_ACCESS_KEY = values.Value(
+    AWS_S3_SECRET_ACCESS_KEY = SecretFileValue(
         environ_name="AWS_S3_SECRET_ACCESS_KEY", environ_prefix=None
     )
     AWS_S3_REGION_NAME = values.Value(
@@ -384,7 +385,7 @@ class Base(Configuration):
     EMAIL_BRAND_NAME = values.Value(None)
     EMAIL_HOST = values.Value(None)
     EMAIL_HOST_USER = values.Value(None)
-    EMAIL_HOST_PASSWORD = values.Value(None)
+    EMAIL_HOST_PASSWORD = SecretFileValue(None)
     EMAIL_LOGO_IMG = values.Value(None)
     EMAIL_PORT = values.PositiveIntegerValue(None)
     EMAIL_USE_TLS = values.BooleanValue(False)
@@ -407,7 +408,7 @@ class Base(Configuration):
     COLLABORATION_API_URL = values.Value(
         None, environ_name="COLLABORATION_API_URL", environ_prefix=None
     )
-    COLLABORATION_SERVER_SECRET = values.Value(
+    COLLABORATION_SERVER_SECRET = SecretFileValue(
         None, environ_name="COLLABORATION_SERVER_SECRET", environ_prefix=None
     )
     COLLABORATION_WS_URL = values.Value(
@@ -477,7 +478,7 @@ class Base(Configuration):
     OIDC_RP_CLIENT_ID = values.Value(
         "impress", environ_name="OIDC_RP_CLIENT_ID", environ_prefix=None
     )
-    OIDC_RP_CLIENT_SECRET = values.Value(
+    OIDC_RP_CLIENT_SECRET = SecretFileValue(
         None,
         environ_name="OIDC_RP_CLIENT_SECRET",
         environ_prefix=None,
@@ -592,7 +593,7 @@ class Base(Configuration):
     AI_FEATURE_ENABLED = values.BooleanValue(
         default=False, environ_name="AI_FEATURE_ENABLED", environ_prefix=None
     )
-    AI_API_KEY = values.Value(None, environ_name="AI_API_KEY", environ_prefix=None)
+    AI_API_KEY = SecretFileValue(None, environ_name="AI_API_KEY", environ_prefix=None)
     AI_BASE_URL = values.Value(None, environ_name="AI_BASE_URL", environ_prefix=None)
     AI_MODEL = values.Value(None, environ_name="AI_MODEL", environ_prefix=None)
     AI_ALLOW_REACH_FROM = values.Value(
@@ -613,7 +614,7 @@ class Base(Configuration):
     }
 
     # Y provider microservice
-    Y_PROVIDER_API_KEY = values.Value(
+    Y_PROVIDER_API_KEY = SecretFileValue(
         environ_name="Y_PROVIDER_API_KEY",
         environ_prefix=None,
     )

diff --git a/src/backend/pyproject.toml b/src/backend/pyproject.toml
@@ -33,7 +33,7 @@ dependencies = [
     "django-cors-headers==4.7.0",
     "django-countries==7.6.1",
     "django-filter==25.1",
-    "django-lasuite[all]==0.0.8",
+    "django-lasuite[all]==0.0.9",
     "django-parler==2.3",
     "django-redis==5.4.0",
     "django-storages[s3]==1.14.6",

diff --git a/src/frontend/servers/y-provider/src/env.ts b/src/frontend/servers/y-provider/src/env.ts
@@ -1,11 +1,16 @@
+import { readFileSync } from 'fs';
+
 export const COLLABORATION_LOGGING =
   process.env.COLLABORATION_LOGGING || 'false';
 export const COLLABORATION_SERVER_ORIGIN =
   process.env.COLLABORATION_SERVER_ORIGIN || 'http://localhost:3000';
-export const COLLABORATION_SERVER_SECRET =
-  process.env.COLLABORATION_SERVER_SECRET || 'secret-api-key';
-export const Y_PROVIDER_API_KEY =
-  process.env.Y_PROVIDER_API_KEY || 'yprovider-api-key';
+export const COLLABORATION_SERVER_SECRET = process.env
+  .COLLABORATION_SERVER_SECRET_FILE
+  ? readFileSync(process.env.COLLABORATION_SERVER_SECRET_FILE, 'utf-8')
+  : process.env.COLLABORATION_SERVER_SECRET || 'secret-api-key';
+export const Y_PROVIDER_API_KEY = process.env.Y_PROVIDER_API_KEY_FILE
+  ? readFileSync(process.env.Y_PROVIDER_API_KEY_FILE, 'utf-8')
+  : process.env.Y_PROVIDER_API_KEY || 'yprovider-api-key';
 export const PORT = Number(process.env.PORT || 4444);
 export const SENTRY_DSN = process.env.SENTRY_DSN || '';
 export const COLLABORATION_BACKEND_BASE_URL =