refactor(config): enforce runtime auth secret policy
@@ -5,6 +5,49 @@ import process from "node:process";
const rootDir = process.cwd();
const rules = [
{
file: "apps/web/src/server/auth.ts",
required: [
{
pattern: /\bassertSecureRuntimeEnv\s*\(/,
message: "Auth startup must validate production runtime env before serving requests",
},
],
forbidden: [],
},
{
file: "apps/web/src/server/runtime-env.ts",
required: [
{
pattern: /\bDISALLOWED_PRODUCTION_SECRETS\b/,
message: "runtime env validation must keep a denylist for known development secrets",
},
{
pattern: /\bAUTH_SECRET\b/,
message: "runtime env validation must check the Auth.js secret environment variables",
},
{
pattern: /\bNEXTAUTH_URL\b/,
message: "runtime env validation must check the public auth url environment variables",
},
],
forbidden: [],
},
{
file: "docker-compose.yml",
required: [
{
pattern: /NEXTAUTH_SECRET:\s+\$\{NEXTAUTH_SECRET:\?set NEXTAUTH_SECRET\}/,
message: "local compose must source NEXTAUTH_SECRET from environment instead of hardcoding it",
},
],
forbidden: [
{
pattern: /NEXTAUTH_SECRET:\s+dev-secret-change-in-production/,
message: "local compose must not hardcode the development Auth.js secret",
},
],
},
{
file: "packages/api/src/sse/event-bus.ts",
required: [],
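Review bot: The `required` patterns are bare token-presence checks, so the auth.ts rule (`/\bassertSecureRuntimeEnv\s*\(/`) is still satisfied when the only occurrence is a commented-out call such as `// assertSecureRuntimeEnv()`, and the runtime-env.ts rules (`DISALLOWED_PRODUCTION_SECRETS`, `AUTH_SECRET`, `NEXTAUTH_URL`) are satisfied by a mention in a comment or string rather than by a real check. If the checker matches the raw file text (its matching code is outside this hunk), the call rule could at least be anchored to a statement start so a line comment cannot satisfy it: `pattern: /^\s*(?:await\s+)?assertSecureRuntimeEnv\s*\(/m`; the identifier rules would need comment stripping before matching to get the same effect, which is worth a comment on the `rules` array stating that these are regression guards, not proof that the validation runs. The compose `forbidden` entry denies only the single literal `dev-secret-change-in-production`; that is acceptable here because the paired `required` pattern already insists on the `${NEXTAUTH_SECRET:?…}` interpolation form, but the message should say so, e.g. `// any other hardcoded value is rejected by the required ${...} pattern above`. The `rules` array is opened in this hunk and closes outside it.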