refactor(config): enforce runtime auth secret policy

2026-03-30 23:40:00 +02:00
parent 7bcc831b5c
commit a7362f17bd
8 changed files with 181 additions and 8 deletions
@@ -6,6 +6,9 @@ import NextAuth, { type NextAuthConfig } from "next-auth";
 import Credentials from "next-auth/providers/credentials";
 import { verify } from "@node-rs/argon2";
 import { z } from "zod";
+import { assertSecureRuntimeEnv } from "./runtime-env";
+
+assertSecureRuntimeEnv();

 const LoginSchema = z.object({
  email: z.string().email(),
@@ -0,0 +1,57 @@
+import { describe, expect, it } from "vitest";
+import { assertSecureRuntimeEnv, getRuntimeEnvViolations } from "./runtime-env";
+
+describe("runtime env validation", () => {
+  it("allows non-production environments without auth runtime settings", () => {
+    expect(getRuntimeEnvViolations({ NODE_ENV: "development" })).toEqual([]);
+  });
+
+  it("accepts a valid production auth secret and https url", () => {
+    expect(
+      getRuntimeEnvViolations({
+        NODE_ENV: "production",
+        NEXTAUTH_SECRET: "super-long-random-secret",
+        NEXTAUTH_URL: "https://capakraken.example.com",
+      }),
+    ).toEqual([]);
+  });
+
+  it("rejects a missing production auth secret", () => {
+    expect(
+      getRuntimeEnvViolations({
+        NODE_ENV: "production",
+        NEXTAUTH_URL: "https://capakraken.example.com",
+      }),
+    ).toContain("AUTH_SECRET or NEXTAUTH_SECRET must be set in production.");
+  });
+
+  it("rejects the development placeholder auth secret in production", () => {
+    expect(
+      getRuntimeEnvViolations({
+        NODE_ENV: "production",
+        NEXTAUTH_SECRET: "dev-secret-change-in-production",
+        NEXTAUTH_URL: "https://capakraken.example.com",
+      }),
+    ).toContain("AUTH_SECRET or NEXTAUTH_SECRET must not use a known development placeholder in production.");
+  });
+
+  it("rejects non-https auth urls in production", () => {
+    expect(
+      getRuntimeEnvViolations({
+        NODE_ENV: "production",
+        NEXTAUTH_SECRET: "super-long-random-secret",
+        NEXTAUTH_URL: "http://capakraken.example.com",
+      }),
+    ).toContain("AUTH_URL or NEXTAUTH_URL must use https in production.");
+  });
+
+  it("throws with a combined startup error when production env is invalid", () => {
+    expect(() =>
+      assertSecureRuntimeEnv({
+        NODE_ENV: "production",
+        NEXTAUTH_SECRET: "dev-secret-change-in-production",
+        NEXTAUTH_URL: "not-a-url",
+      }),
+    ).toThrow(/Invalid production runtime configuration/);
+  });
+});
@@ -0,0 +1,68 @@
+const DISALLOWED_PRODUCTION_SECRETS = new Set([
+  "dev-secret-change-in-production",
+  "changeme",
+  "change-me",
+  "default",
+  "secret",
+]);
+
+type RuntimeEnv = Partial<Record<string, string | undefined>>;
+
+function readEnvValue(env: RuntimeEnv, ...names: string[]): string | null {
+  for (const name of names) {
+    const value = env[name]?.trim();
+    if (value) {
+      return value;
+    }
+  }
+
+  return null;
+}
+
+function isProductionLike(env: RuntimeEnv): boolean {
+  return (env.NODE_ENV ?? "").trim() === "production";
+}
+
+function isLocalhost(hostname: string): boolean {
+  return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1";
+}
+
+export function getRuntimeEnvViolations(env: RuntimeEnv = process.env): string[] {
+  if (!isProductionLike(env)) {
+    return [];
+  }
+
+  const violations: string[] = [];
+  const authSecret = readEnvValue(env, "AUTH_SECRET", "NEXTAUTH_SECRET");
+  const authUrl = readEnvValue(env, "AUTH_URL", "NEXTAUTH_URL");
+
+  if (!authSecret) {
+    violations.push("AUTH_SECRET or NEXTAUTH_SECRET must be set in production.");
+  } else if (DISALLOWED_PRODUCTION_SECRETS.has(authSecret)) {
+    violations.push("AUTH_SECRET or NEXTAUTH_SECRET must not use a known development placeholder in production.");
+  }
+
+  if (!authUrl) {
+    violations.push("AUTH_URL or NEXTAUTH_URL must be set in production.");
+  } else {
+    try {
+      const parsed = new URL(authUrl);
+      if (parsed.protocol !== "https:" && !isLocalhost(parsed.hostname)) {
+        violations.push("AUTH_URL or NEXTAUTH_URL must use https in production.");
+      }
+    } catch {
+      violations.push("AUTH_URL or NEXTAUTH_URL must be a valid URL in production.");
+    }
+  }
+
+  return violations;
+}
+
+export function assertSecureRuntimeEnv(env: RuntimeEnv = process.env): void {
+  const violations = getRuntimeEnvViolations(env);
+  if (violations.length === 0) {
+    return;
+  }
+
+  throw new Error(`Invalid production runtime configuration: ${violations.join(" ")}`);
+}