From 1d1600d7319f9bda67d4c8ce13c65ee89fa2077a Mon Sep 17 00:00:00 2001
From: Nathan Flurry <developer@nathanflurry.com>
Date: Wed, 24 Sep 2025 23:07:12 -0700
Subject: [PATCH] chore(config): make admin_token a secret

---
 packages/common/config/src/config/auth.rs        | 12 +++---------
 packages/common/config/src/config/mod.rs         |  2 +-
 packages/core/guard/server/src/routing/runner.rs |  2 +-
 3 files changed, 5 insertions(+), 11 deletions(-)

diff --git a/packages/common/config/src/config/auth.rs b/packages/common/config/src/config/auth.rs
index 931f493cdd..6d13396360 100644
--- a/packages/common/config/src/config/auth.rs
+++ b/packages/common/config/src/config/auth.rs
@@ -1,16 +1,10 @@
 use schemars::JsonSchema;
 use serde::{Deserialize, Serialize};
 
+use crate::secret::Secret;
+
 #[derive(Debug, Clone, Serialize, Deserialize, JsonSchema)]
 #[serde(deny_unknown_fields)]
 pub struct Auth {
-	pub admin_token: String,
-}
-
-impl Default for Auth {
-	fn default() -> Self {
-		Auth {
-			admin_token: "admin".to_string(),
-		}
-	}
+	pub admin_token: Secret<String>,
 }
diff --git a/packages/common/config/src/config/mod.rs b/packages/common/config/src/config/mod.rs
index b1d8dd82f5..667e05f2da 100644
--- a/packages/common/config/src/config/mod.rs
+++ b/packages/common/config/src/config/mod.rs
@@ -100,7 +100,7 @@ pub struct Root {
 impl Default for Root {
 	fn default() -> Self {
 		Root {
-			auth: Some(Auth::default()),
+			auth: None,
 			guard: None,
 			api_public: None,
 			api_peer: None,
diff --git a/packages/core/guard/server/src/routing/runner.rs b/packages/core/guard/server/src/routing/runner.rs
index bb0f25aca1..a1a492cff9 100644
--- a/packages/core/guard/server/src/routing/runner.rs
+++ b/packages/core/guard/server/src/routing/runner.rs
@@ -57,7 +57,7 @@ pub async fn route_request(
 		};
 
 		// Validate token
-		if token != auth.admin_token {
+		if token != auth.admin_token.read() {
 			return Err(rivet_api_builder::ApiForbidden.build());
 		}
 	}