First of all: Don't panic. The leaked encryption key allows attackers to read the payload of pending jobs, but only if they also gained access to your Quirrel API deployment (managed or self-hosted).
To replace your leaked secret with a new one, do the following:
- Set the QUIRREL_OLD_SECRETS environment variable to ["<your-leaked-secret>"]. This will allow old jobs to be decrypted.
- Set QUIRREL_ENCRYPTION_SECRET to your new secret.
- Once all jobs that were encrypted with the old secret executed, remove
If you're using the managed Quirrel deployment, feel free to reach out to get further assistance.
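Why the rotation steps work, as an added sketch of the general "current secret plus old secrets" pattern. It is not Quirrel's own code: only the two environment variable names come from this page, while the cipher (AES-256-GCM), the SHA-256 key derivation, the payload layout and every function name are assumptions made for illustration.

```javascript
// Added sketch of the rotation pattern; NOT Quirrel's actual implementation.
// Assumed: AES-256-GCM, key = SHA-256(secret), payload = iv.tag.ciphertext (hex).
const crypto = require("node:crypto");

// Assumes a long random secret; a plain hash is not a password KDF.
const keyFor = (secret) => crypto.createHash("sha256").update(secret).digest();

function encrypt(secret, plaintext) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", keyFor(secret), iv);
  const body = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return [iv, cipher.getAuthTag(), body].map((b) => b.toString("hex")).join(".");
}

function decryptWith(secret, payload) {
  const [iv, tag, body] = payload.split(".").map((h) => Buffer.from(h, "hex"));
  const decipher = crypto.createDecipheriv("aes-256-gcm", keyFor(secret), iv);
  decipher.setAuthTag(tag);
  return Buffer.concat([decipher.update(body), decipher.final()]).toString("utf8");
}

// Build the keyring from the two variables named on this page.
function keyringFromEnv(env) {
  const current = env.QUIRREL_ENCRYPTION_SECRET;
  if (!current) throw new Error("QUIRREL_ENCRYPTION_SECRET is not set");
  // Must be a JSON array such as ["<your-leaked-secret>"], not a bare string.
  const old = JSON.parse(env.QUIRREL_OLD_SECRETS || "[]");
  if (!Array.isArray(old) || old.some((s) => typeof s !== "string")) {
    throw new Error("QUIRREL_OLD_SECRETS must be a JSON array of strings");
  }
  if (old.includes(current)) throw new Error("new secret must differ from old ones");
  return { current, old };
}

// Try the current secret first, then each old one. The GCM auth tag makes a
// wrong key fail loudly instead of returning garbage plaintext.
function decryptJob(keyring, payload) {
  for (const secret of [keyring.current, ...keyring.old]) {
    try {
      return decryptWith(secret, payload);
    } catch {
      /* wrong key: try the next one */
    }
  }
  throw new Error("no configured secret can decrypt this job");
}
```

New jobs are always encrypted with `keyring.current`, so the leaked secret is only ever used to read jobs that were already pending when the rotation started.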
You can use something like
Telemetry allows us to accurately gauge Quirrel's feature usage and pain points across all users. This data will let us better tailor Quirrel to users, ensuring its best-in-class developer experience.
Quirrel collects completely anonymous telemetry data about general usage. It also sends error reports to Sentry. Participation in this anonymous program is optional, and you may opt out if you'd rather not share any information. To opt out, set the DISABLE_TELEMETRY environment variable to 1.
Quirrel keeps track of how many API calls were made using a specific token. This is primarily used for the hosted version's billing.
There are two main things that count as an "API Call":
- Your application calling Quirrel, e.g. for enqueueing a job or fetching pending jobs.
- Quirrel calling your application (during execution).
Let's do a quick example:
You enqueue two jobs that each repeat thrice. After their second repetition, you call .delete() on them.
How many API Calls would that use?
| 2x2 | execution (two jobs, two executions) |