apiKey key ID and secret is required even though they're there in express-stormpath

Question

I'm trying to use express-stormpath on my Heroku app. I'm following the docs here, and my code is super simple:

var express = require('express');
var app = express();
var stormpath = require('express-stormpath');

app.use(stormpath.init(app, {
  website: true
}));

app.on('stormpath.ready', function() {
  app.listen(3000);
});

I've already looked at this question and followed the Heroku devcenter docs. The docs say that for an Heroku app, it's not necessary to pass in options, but I've still tried passing in options and nothing works. For example, I've tried this:

app.use(stormpath.init(app, {
   // client: {
   //   file: './xxx.properties'
   // },
   client: {
     apiKey: {
       file: './xxx.properties',
       id: process.env.STORMPATH_API_KEY_ID || 'xxx',
       secret: process.env.STORMPATH_API_KEY_SECRET || 'xxx'    
     }
   },
   application: {
     href: 'https://api.stormpath.com/v1/applications/blah'
   },
}));

To try and see what's going on, I added a console.log line to the stormpath-config strategy valdiator to print the client object, and it gives me this:

{ file: './apiKey-xxx.properties',
  id: 'xxx',
  secret: 'xxx' }
{ file: null, id: null, secret: null }

Error: API key ID and secret is required.

Why is it getting called twice, and the second time around, why does the client object have null values for the file, id and secret?

When I run heroku config | grep STORMPATH, I get

STORMPATH_API_KEY_ID:     xxxx
STORMPATH_API_KEY_SECRET: xxxx
STORMPATH_URL:    https://api.stormpath.com/v1/applications/[myappurl]

Answer 1

I'm the original author of the express-stormpath library, and also wrote the Heroku documentation for Stormpath.

This is 100% my fault, and is a documentation / configuration bug on Stormpath's side of things.

Back in the day, all of our libraries looked for several environment variables by default:

• STORMPATH_URL (your Application URL)
• STORMPATH_API_KEY_ID
• STORMPATH_API_KEY_SECRET

However, a while ago, we started upgrading our libraries, and realized that we wanted to go with a more standard approach across all of our supported languages / frameworks / etc. In order to make things more explicit, we essentially renamed the variables we look for by default, to:

• STORMPATH_APPLICATION_HREF
• STORMPATH_CLIENT_APIKEY_ID
• STORMPATH_CLIENT_APIKEY_SECRET

Unfortunately, we did not yet update our Heroku integration or documentation to reflect these changes, which is why you just ran into this nasty issue.

I just submitted a ticket to our Engineering team to fix the names of the variables that our Heroku addon provisions by default to include our new ones, and I'm going to be updating our Heroku documentation later this afternoon to fix this for anyone else in the future.

I'm sincerely sorry about all the confusion / frustration. Sometimes these things slip through the cracks, and experiences like this make me realize we need better testing in place to catch this stuff earlier.

I'll be working on some changes internally to make sure we have a better process around rolling out updates like this one.

If you want a free Stormpath t-shirt, hit me up and I'll get one shipped out to you as a small way to say 'thanks' for putting up with the annoyance: randall@stormpath.com

Answer 2

After endless hours, I managed to finally get it working by removing the add-on entirely and re-installing it via the Heroku CLI and then exporting variables STORMPATH_CLIENT_APIKEY_ID and STORMPATH_CLIENT_APIKEY_SECRET. For some reason, installing it via the Heroku Dashboard causes express-stormpath to not find the apiKey and secret fields (even if you export variables).