fix: enforce strong secrets for AUTH and JWT in configuration (#471)

alanrsoares · web-flow · commit 45fceef27efe · 2025-11-18T07:54:37.000+13:00
* fix: enforce strong secrets for AUTH and JWT in configuration

Updated the configuration logic to throw errors if the AUTH and JWT environment variables are not set or are using default values. This ensures that strong secrets are provided for secure application operation.

* fix: add missing JWT to api-main and AUTH to reader-main docker-compose
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -37,6 +37,7 @@ services:
     environment:
       PG_URI: 'postgresql://default:password@postgres:5432/postgres'
       AUTH: dev
+      JWT: dev-jwt-secret
     ports:
       - 3000:3000
     healthcheck:
diff --git a/packages/api-main/src/config.ts b/packages/api-main/src/config.ts
@@ -1,4 +1,3 @@
-import crypto from 'node:crypto';
 import process from 'node:process';
 
 import dotenv from 'dotenv';
@@ -33,8 +32,8 @@ export function useConfig(): Config {
   }
 
   if (!process.env.JWT) {
-    console.log(`JWT was not set, defaulting to a randomized byte hex string.`);
-    process.env.JWT = crypto.randomBytes(128).toString('hex');
+    console.error(`Failed to specify JWT, no JWT secret provided`);
+    throw new Error(`JWT must be set to a strong secret`);
   }
 
   if (typeof process.env.JWT_STRICTNESS === 'undefined') {
@@ -50,8 +49,8 @@ export function useConfig(): Config {
   config = {
     PORT: process.env.PORT ? Number.parseInt(process.env.PORT) : 3000,
     PG_URI: process.env.PG_URI,
-    AUTH: process.env.AUTH ?? 'default',
-    JWT: process.env.JWT ?? 'default-secret-key',
+    AUTH: process.env.AUTH as string,
+    JWT: process.env.JWT as string,
     JWT_STRICTNESS: process.env.JWT_STRICTNESS as JWT_STRICTNESS,
     DISCORD_WEBHOOK_URL: process.env.DISCORD_WEBHOOK_URL,
   };
diff --git a/packages/reader-main/docker-compose.yml b/packages/reader-main/docker-compose.yml
@@ -11,5 +11,6 @@ services:
       BATCH_SIZE: 50
       MEMO_PREFIX: dither.
       RECEIVER: atone1uq6zjslvsa29cy6uu75y8txnl52mw06j6fzlep
+      AUTH: dev
       # LOG: process.env.LOG === 'true' ? true : false,
     command: [pnpm, start]
diff --git a/packages/reader-main/src/config/index.ts b/packages/reader-main/src/config/index.ts
@@ -13,8 +13,9 @@ export function useConfig(): typeof config {
     return config;
   }
 
-  if (typeof process.env.AUTH === 'undefined') {
-    console.warn(`AUTH env variable is set to default, ensure you provide an authorization key for reader communication`);
+  if (!process.env.AUTH || process.env.AUTH === 'default') {
+    console.error(`Failed to specify AUTH, no authorization secret provided`);
+    throw new Error(`AUTH must be set to a strong secret`);
   }
 
   config = {
@@ -25,7 +26,7 @@ export function useConfig(): typeof config {
     RECEIVER: process.env.RECEIVER,
     SENDER: process.env.SENDER,
     LOG: process.env.LOG === 'true',
-    AUTH: process.env.AUTH ?? 'default',
+    AUTH: process.env.AUTH,
 
     ECLESIA_GRAPHQL_ENDPOINT: process.env.ECLESIA_GRAPHQL_ENDPOINT,
     ECLESIA_GRAPHQL_SECRET: process.env.ECLESIA_GRAPHQL_SECRET,
