fix: next-config env variables are not unique (#3003)

.env.example

@@ -11,33 +11,26 @@ WEBAPP_URL=http://localhost:3000
 # Required for next-auth. Should be the same as WEBAPP_URL
 NEXTAUTH_URL=http://localhost:3000
 
-# Set this if you want to have a shorter link for surveys
-SHORT_URL_BASE=
-
 # Encryption keys
 # Please set both for now, we will change this in the future
 
 # You can use: `openssl rand -hex 32` to generate one
 ENCRYPTION_KEY=
 
+# @see: https://next-auth.js.org/configuration/options#nextauth_secret
+# You can use: `openssl rand -hex 32` to generate a secure one
+NEXTAUTH_SECRET=
+
+# API Secret for running cron jobs. (mandatory)
+# You can use: `openssl rand -hex 32` to generate a secure one
+CRON_SECRET=
+
 ##############
 #  DATABASE  #
 ##############
 
 DATABASE_URL='postgresql://postgres:postgres@localhost:5432/formbricks?schema=public'
 
-###############
-#  NEXT AUTH  #
-###############
-
-# @see: https://next-auth.js.org/configuration/options#nextauth_secret
-# You can use: `openssl rand -hex 32` to generate a secure one
-NEXTAUTH_SECRET=RANDOM_STRING
-
-# API Secret for running cron jobs. (mandatory)
-# You can use: `openssl rand -hex 32` to generate a secure one
-CRON_SECRET=RANDOM_STRING
-
 ################
 #  MAIL SETUP  #
 ################

.github/actions/cache-build-web/action.yml

@@ -53,10 +53,12 @@ runs:
       run: cp .env.example .env
       shell: bash
 
-    - name: Fill ENCRYPTION_KE, ENTERPRISE_LICENSE_KEY and E2E_TESTING in .env
+    - name: Fill ENCRYPTION_KEY, ENTERPRISE_LICENSE_KEY and E2E_TESTING in .env
       run: |
         RANDOM_KEY=$(openssl rand -hex 32)
         sed -i "s/ENCRYPTION_KEY=.*/ENCRYPTION_KEY=${RANDOM_KEY}/" .env
+        sed -i "s/CRON_SECRET=.*/CRON_SECRET=${RANDOM_KEY}/" .env
+        sed -i "s/NEXTAUTH_SECRET=.*/NEXTAUTH_SECRET=${RANDOM_KEY}/" .env
         sed -i "s/ENTERPRISE_LICENSE_KEY=.*/ENTERPRISE_LICENSE_KEY=${RANDOM_KEY}/" .env
         echo "E2E_TESTING=${{ inputs.e2e_testing_mode }}" >> .env
       shell: bash

.github/workflows/e2e.yml

@@ -2,6 +2,8 @@ name: E2E Tests
 on:
   workflow_call:
   workflow_dispatch:
+env:
+  TELEMETRY_DISABLED: 1
 jobs:
   build:
     name: Run E2E Tests

.github/workflows/lint.yml

@@ -25,10 +25,12 @@ jobs:
       - name: create .env
         run: cp .env.example .env
 
-      - name: Generate Random ENCRYPTION_KEY and fill in .env
+      - name: Generate Random ENCRYPTION_KEY, CRON_SECRET & NEXTAUTH_SECRET and fill in .env
         run: |
-          ENCRYPTION_KEY=$(openssl rand -hex 32)
-          sed -i "s/ENCRYPTION_KEY=.*/ENCRYPTION_KEY=${ENCRYPTION_KEY}/" .env
+          RANDOM_KEY=$(openssl rand -hex 32)
+          sed -i "s/ENCRYPTION_KEY=.*/ENCRYPTION_KEY=${RANDOM_KEY}/" .env
+          sed -i "s/CRON_SECRET=.*/CRON_SECRET=${RANDOM_KEY}/" .env
+          sed -i "s/NEXTAUTH_SECRET=.*/NEXTAUTH_SECRET=${RANDOM_KEY}/" .env
 
       - name: Lint
         run: pnpm lint

.github/workflows/test.yml

@@ -25,10 +25,12 @@ jobs:
       - name: create .env
         run: cp .env.example .env
 
-      - name: Generate Random ENCRYPTION_KEY and fill in .env
+      - name: Generate Random ENCRYPTION_KEY, CRON_SECRET & NEXTAUTH_SECRET and fill in .env
         run: |
-          ENCRYPTION_KEY=$(openssl rand -hex 32)
-          sed -i "s/ENCRYPTION_KEY=.*/ENCRYPTION_KEY=${ENCRYPTION_KEY}/" .env
+          RANDOM_KEY=$(openssl rand -hex 32)
+          sed -i "s/ENCRYPTION_KEY=.*/ENCRYPTION_KEY=${RANDOM_KEY}/" .env
+          sed -i "s/CRON_SECRET=.*/CRON_SECRET=${RANDOM_KEY}/" .env
+          sed -i "s/NEXTAUTH_SECRET=.*/NEXTAUTH_SECRET=${RANDOM_KEY}/" .env
 
       - name: Test
         run: pnpm test

apps/docs/app/self-hosting/configuration/page.mdx

@@ -61,8 +61,6 @@ These variables are present inside your machine’s docker-compose file. Restart
 | STRIPE_SECRET_KEY            | Secret key for Stripe integration.                                                                             | optional                                                |                           |
 | STRIPE_WEBHOOK_SECRET        | Webhook secret for Stripe integration.                                                                         | optional                                                |                           |
 | TELEMETRY_DISABLED           | Disables telemetry if set to 1.                                                                                | optional                                                |                           |
-| INSTANCE_ID                  | Instance ID for Formbricks Cloud to be sent to Telemetry.                                                      | optional                                                |                           |
-| INTERNAL_SECRET              | Internal Secret (Currently we overwrite the value with a random value).                                        | optional                                                |                           |
 | DEFAULT_BRAND_COLOR          | Default brand color for your app (Can be overwritten from the UI as well).                                     | optional                                                | #64748b                   |
 | DEFAULT_ORGANIZATION_ID      | Automatically assign new users to a specific organization when joining                                         | optional                                                |                           |
 | DEFAULT_ORGANIZATION_ROLE    | Role of the user in the default organization.                                                                  | optional                                                | admin                     |

apps/web/app/api/pipeline/route.ts

@@ -3,7 +3,7 @@ import { transformErrorToDetails } from "@/app/lib/api/validator";
 import { headers } from "next/headers";
 import { prisma } from "@formbricks/database";
 import { sendResponseFinishedEmail } from "@formbricks/email";
-import { INTERNAL_SECRET } from "@formbricks/lib/constants";
+import { CRON_SECRET } from "@formbricks/lib/constants";
 import { getIntegrations } from "@formbricks/lib/integration/service";
 import { getProductByEnvironmentId } from "@formbricks/lib/product/service";
 import { getResponseCountBySurveyId } from "@formbricks/lib/response/service";
@@ -15,7 +15,7 @@ import { handleIntegrations } from "./lib/handleIntegrations";
 
 export const POST = async (request: Request) => {
   // check authentication with x-api-key header and CRON_SECRET env variable
-  if (headers().get("x-api-key") !== INTERNAL_SECRET) {
+  if (headers().get("x-api-key") !== CRON_SECRET) {
     return responses.notAuthenticatedResponse();
   }
   const jsonInput = await request.json();

apps/web/app/lib/pipelines.ts

@@ -1,4 +1,4 @@
-import { INTERNAL_SECRET, WEBAPP_URL } from "@formbricks/lib/constants";
+import { CRON_SECRET, WEBAPP_URL } from "@formbricks/lib/constants";
 import { TPipelineInput } from "@formbricks/types/pipelines";
 
 export const sendToPipeline = async ({ event, surveyId, environmentId, response }: TPipelineInput) => {
@@ -6,7 +6,7 @@ export const sendToPipeline = async ({ event, surveyId, environmentId, response
     method: "POST",
     headers: {
       "Content-Type": "application/json",
-      "x-api-key": INTERNAL_SECRET,
+      "x-api-key": CRON_SECRET,
     },
     body: JSON.stringify({
       environmentId: environmentId,

apps/web/next.config.mjs

@@ -163,8 +163,6 @@ const nextConfig = {
     ];
   },
   env: {
-    INSTANCE_ID: createId(),
-    INTERNAL_SECRET: createId(),
     NEXTAUTH_URL: process.env.WEBAPP_URL,
   },
 };

packages/lib/constants.ts

@@ -14,7 +14,6 @@ export const FORMBRICKS_ENCRYPTION_KEY = env.FORMBRICKS_ENCRYPTION_KEY || undefi
 export const ENCRYPTION_KEY = env.ENCRYPTION_KEY;
 
 // Other
-export const INTERNAL_SECRET = process.env.INTERNAL_SECRET || "";
 export const CRON_SECRET = env.CRON_SECRET;
 export const DEFAULT_BRAND_COLOR = "#64748b";
 

packages/lib/env.ts

@@ -11,7 +11,7 @@ export const env = createEnv({
     AZUREAD_CLIENT_ID: z.string().optional(),
     AZUREAD_CLIENT_SECRET: z.string().optional(),
     AZUREAD_TENANT_ID: z.string().optional(),
-    CRON_SECRET: z.string().min(1),
+    CRON_SECRET: z.string().min(10),
     CUSTOMER_IO_API_KEY: z.string().optional(),
     CUSTOMER_IO_SITE_ID: z.string().optional(),
     DATABASE_URL: z.string().url(),

packages/lib/telemetry.ts

@@ -4,8 +4,17 @@
    disable telemetry, set the environment variable TELEMETRY_DISABLED=1 */
 import { env } from "./env";
 
+const crypto = require("crypto");
+
+// We are using the hashed CRON_SECRET as the distinct identifier for the instance for telemetry.
+// The hash cannot be traced back to the original value or the instance itself.
+// This is to ensure that the telemetry data is anonymous but still unique to the instance.
+const getTelemetryId = (): string => {
+  return crypto.createHash("sha256").update(env.CRON_SECRET).digest("hex");
+};
+
 export const captureTelemetry = async (eventName: string, properties = {}) => {
-  if (env.TELEMETRY_DISABLED !== "1" && process.env.NODE_ENV === "production" && process.env.INSTANCE_ID) {
+  if (env.TELEMETRY_DISABLED !== "1" && process.env.NODE_ENV === "production") {
     try {
       await fetch("https://eu.posthog.com/capture/", {
         method: "POST",
@@ -14,7 +23,7 @@ export const captureTelemetry = async (eventName: string, properties = {}) => {
           api_key: "phc_6XBUthOJLVe0Ij9EYkwEKpV96fUbA1aXxnHDq5ryASk",
           event: eventName,
           properties: {
-            distinct_id: process.env.INSTANCE_ID,
+            distinct_id: getTelemetryId(),
             ...properties,
           },
           timestamp: new Date().toISOString(),

turbo.json

@@ -83,8 +83,6 @@
         "HTTP_PROXY",
         "HTTPS_PROXY",
         "IMPRINT_URL",
-        "INSTANCE_ID",
-        "INTERNAL_SECRET",
         "INVITE_DISABLED",
         "IS_FORMBRICKS_CLOUD",
         "MAIL_FROM",