Generate Secret Command - add option to not showing the key if it's updated #274

Open
kbiits opened this issue Jan 7, 2025 · 7 comments · May be fixed by #275
Labels
enhancement New feature or request
Comments

kbiits commented Jan 7, 2025

Summary

We realized from our production logs that the newly generated JWT secret is always displayed as clear text.
It would be better if there were an option to generate the secret without displaying it on the console.

To reproduce, run php artisan jwt:secret.
If the secret is updated, the key will be displayed on the console.
What we want is to add a new option so that the newly generated key is not displayed on the console.

@kbiits kbiits added the enhancement New feature or request label Jan 7, 2025
mfn (Contributor) commented Jan 7, 2025

Sounds sensible.

What's the exact command you used?

kbiits (Author) commented Jan 7, 2025

What's the exact command you used?

php artisan jwt:secret

kbiits (Author) commented Jan 7, 2025

When the command generates a new JWT secret, by default it displays the secret key on the console. So this new option simply allows users to not display the secret key.

mfn (Contributor) commented Jan 7, 2025

Thanks.

I agree, this doesn't fit into 2024 2025 anymore.

I saw your PR #275 but feel that's also confusing; after that PR we have:

  • --show which only shows (performs an early exit)
  • --no-show which…
    • …in case the .env exists, will not show the secret => 👍🏼
    • …in case it does not exist, still show the secret => 🤯

I agree there should be a change done but I prefer if we consider "security first" and not show it by default?

But because of the existing options, this would require a bit more thinking and changes.

Anyone else got thoughts on this?

Messhias (Collaborator) commented Jan 7, 2025

Thanks.

I agree, this doesn't fit into 2024 2025 anymore.

I saw your PR #275 but feel that's also confusing; after that PR we have:

  • --show which only shows (performs an early exit)

  • --no-show which…

    • …in case the .env exists, will not show the secret => 👍🏼
    • …in case it does not exist, still show the secret => 🤯

I agree there should be a change done but I prefer if we consider "security first" and not show it by default?

But because of the existing options, this would require a bit more thinking and changes.

Anyone else got thoughts on this?

Agreed, by default should be hidden.

@kbiits can you change the PR for us?

Thanks,

kbiits (Author) commented Jan 7, 2025

Did you mean that after the fix, we should have:

  • --show option only returns the key, same as what we currently have
  • php artisan jwt:secret by default won't display the key, so there is no way for users to generate a new key and display it on the console at the same time? I personally prefer this. This is the same way php artisan key:generate works.

kbiits (Author) commented Jan 7, 2025

Anyway, I have updated the PR, so the command php artisan jwt:secret never shows the newly generated key anymore.
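The behaviour the thread converges on (the default run writes the key and prints only a confirmation, and --show is the single path that prints a key and touches no file) can be illustrated with an Artisan command. The following is an added example written for this page, not the project's own JwtGenerateSecretCommand or the code in PR #275; the class name, the --force option, and the choice to create a missing .env instead of echoing the key are assumptions of this example.

```php
<?php

namespace App\Console\Commands;

use Illuminate\Console\Command;
use Illuminate\Support\Str;

// Example command (not the package's own): a "security first" jwt:secret
// where the generated key only reaches the terminal when --show is passed.
class GenerateJwtSecret extends Command
{
    // --show mirrors the thread's "only shows, early exit" semantics.
    // --force is an assumption of this example: skip the overwrite prompt.
    protected $signature = 'jwt:secret
        {--s|show : Generate a key and print it without modifying any file}
        {--f|force : Overwrite an existing JWT_SECRET without confirmation}';

    protected $description = 'Generate a JWT secret and write it to .env without echoing it';

    public function handle(): int
    {
        // Str::random yields an alphanumeric string, so the key is safe to
        // splice into .env and into preg_replace() without escaping.
        $key = Str::random(64);

        // Only path that prints the secret; it deliberately writes nothing,
        // so "generate and display" in one run is not possible.
        if ($this->option('show')) {
            $this->line($key);

            return self::SUCCESS;
        }

        $path = base_path('.env');

        if (! file_exists($path)) {
            // Assumption for this example: create .env instead of falling
            // back to printing the key when the file is missing.
            file_put_contents($path, "JWT_SECRET={$key}\n");
            $this->info('JWT secret written to a newly created .env file.');

            return self::SUCCESS;
        }

        $env = file_get_contents($path);
        $hasLine = preg_match('/^JWT_SECRET=(.*)$/m', $env, $match) === 1;

        // Rotating a live secret invalidates every issued token, so ask
        // before overwriting a non-empty value unless --force is given.
        if ($hasLine && $match[1] !== '' && ! $this->option('force')
            && ! $this->confirm('A JWT secret already exists. Overwrite it? Existing tokens will be invalidated.')) {
            $this->comment('Existing secret kept; nothing was written.');

            return self::SUCCESS;
        }

        $env = $hasLine
            ? preg_replace('/^JWT_SECRET=.*$/m', "JWT_SECRET={$key}", $env)
            : rtrim($env, "\n") . "\nJWT_SECRET={$key}\n";

        file_put_contents($path, $env);

        // The confirmation carries no secret material, so it is safe to land
        // in CI output and deployment logs, which is the concern raised above.
        $this->info('JWT secret updated in .env. It was not displayed; use --show to print a key instead.');

        return self::SUCCESS;
    }
}
```

Registered in the application's console kernel, `php artisan jwt:secret` writes the key and logs only the confirmation line, while `php artisan jwt:secret --show` prints a freshly generated key and leaves .env untouched, which matches the --show behaviour the thread says it already has.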
