fix: validate JWT_SECRET env var before use in IP hashing

Both check-duplicate-login.js and track-session.js use
process.env.JWT_SECRET directly in hashIP() without validation.
If JWT_SECRET is unset, crypto.createHash silently hashes with
the literal string "undefined", producing deterministic but
incorrect hashes that degrade IP-based security checks.

Extract JWT_SECRET to a module-level constant with a validation
guard, consistent with all other API files in the project
(login.js, verify.js, reset-password.js, etc.).

Author: ashsolei

api/check-duplicate-login.js

@@ -1,6 +1,11 @@
 // Check for duplicate/multiple logins from different IPs
 import crypto from 'crypto';
 
+const JWT_SECRET = process.env.JWT_SECRET;
+if (!JWT_SECRET) {
+  console.error('Missing required environment variable: JWT_SECRET');
+}
+
 // Simple in-memory store for active sessions (in production, use Redis or Firebase)
 const activeSessions = new Map();
 
@@ -15,7 +20,7 @@ setInterval(() => {
 }, 5 * 60 * 1000);
 
 function hashIP(ip) {
-  return crypto.createHash('sha256').update(ip + process.env.JWT_SECRET).digest('hex').substring(0, 16);
+  return crypto.createHash('sha256').update(ip + JWT_SECRET).digest('hex').substring(0, 16);
 }
 
 export default async function handler(req, res) {

api/track-session.js

@@ -5,6 +5,11 @@ import geoip from 'geoip-lite';
 import UAParser from 'ua-parser-js';
 import crypto from 'crypto';
 
+const JWT_SECRET = process.env.JWT_SECRET;
+if (!JWT_SECRET) {
+  console.error('Missing required environment variable: JWT_SECRET');
+}
+
 // VPN/Proxy detection based on common patterns
 const VPN_INDICATORS = {
   // Known VPN/Proxy ASN ranges
@@ -38,7 +43,7 @@ const VPN_INDICATORS = {
 
 // Hash IP for privacy
 function hashIP(ip) {
-  return crypto.createHash('sha256').update(ip + process.env.JWT_SECRET).digest('hex').substring(0, 16);
+  return crypto.createHash('sha256').update(ip + JWT_SECRET).digest('hex').substring(0, 16);
 }
 
 // Detect if IP is likely a VPN/Proxy