Skip to content

Commit fe1e398

Browse files
committed
fix(wrangler): raise secrets-store value cap to 64 KiB
The API limit was 1024 characters when this PR was opened, but the secrets-store team has since raised it to 64 KiB (65,536 bytes). Validate by UTF-8 byte length to match the API doc exactly -- character-length would under-count multi-byte unicode and let oversize values slip through.
1 parent f286976 commit fe1e398

3 files changed

Lines changed: 8 additions & 7 deletions

File tree

.changeset/fix-secrets-store-value-length-validation.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,4 +2,4 @@
22
"wrangler": patch
33
---
44

5-
`wrangler secrets-store secret create` and `secret update` now reject secret values longer than 1024 characters with a clear error before calling the Cloudflare API. Previously the CLI accepted them, the secret appeared in `secret list`, and the failure surfaced later (and confusingly) at worker deploy time as a "secret doesn't exist" error against the binding. The 1024-character cap is enforced by the API and dashboard; the CLI now enforces it at the same boundary. Fixes [#14018](https://github.com/cloudflare/workers-sdk/issues/14018).
5+
`wrangler secrets-store secret create` and `secret update` now reject secret values larger than 64 KiB (65,536 bytes) with a clear error before calling the Cloudflare API. Previously the CLI accepted them, the secret appeared in `secret list`, and the failure surfaced later (and confusingly) at worker deploy time as a "secret doesn't exist" error against the binding. 64 KiB is the cap enforced by the API; the CLI now enforces it at the same boundary. Fixes [#14018](https://github.com/cloudflare/workers-sdk/issues/14018).

packages/wrangler/src/__tests__/secrets-store.test.ts

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -326,10 +326,10 @@ describe("secrets-store secret commands", () => {
326326
`);
327327
});
328328

329-
it("errors in creating a secret when value is longer than 1024 characters", async ({
329+
it("errors in creating a secret when value is larger than 64 KiB", async ({
330330
expect,
331331
}) => {
332-
const longValue = "a".repeat(1025);
332+
const longValue = "a".repeat(65537);
333333
let err: undefined | Error;
334334
try {
335335
await runWrangler(
@@ -345,7 +345,7 @@ describe("secrets-store secret commands", () => {
345345
err = e as Error;
346346
}
347347
expect(err?.message).toMatchInlineSnapshot(
348-
`"Secret value cannot exceed 1024 characters (got 1025). The Cloudflare API rejects longer values, and a binding to such a secret will fail at deploy time."`
348+
`"Secret value cannot exceed 65536 bytes (got 65537). The Cloudflare API rejects longer values, and a binding to such a secret will fail at deploy time."`
349349
);
350350
});
351351
});

packages/wrangler/src/secrets-store/commands.ts

Lines changed: 4 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -775,12 +775,13 @@ export const validateSecretName = (name: string) => {
775775
}
776776
};
777777

778-
export const MAX_SECRET_VALUE_LENGTH = 1024;
778+
export const MAX_SECRET_VALUE_BYTES = 64 * 1024;
779779

780780
export const validateSecretValue = (value: string) => {
781-
if (value.length > MAX_SECRET_VALUE_LENGTH) {
781+
const byteLength = Buffer.byteLength(value, "utf8");
782+
if (byteLength > MAX_SECRET_VALUE_BYTES) {
782783
throw new UserError(
783-
`Secret value cannot exceed ${MAX_SECRET_VALUE_LENGTH} characters (got ${value.length}). The Cloudflare API rejects longer values, and a binding to such a secret will fail at deploy time.`,
784+
`Secret value cannot exceed ${MAX_SECRET_VALUE_BYTES} bytes (got ${byteLength}). The Cloudflare API rejects longer values, and a binding to such a secret will fail at deploy time.`,
784785
{ telemetryMessage: "secrets store secret value too long" }
785786
);
786787
}

0 commit comments

Comments
 (0)