Security [HIGH]: E2E_TEST_MODE bypass must fail-fast in production #42

Closed
opened 2026-04-16 22:05:09 +02:00 by Hartmut (Owner) · 1 comment
Problem

E2E_TEST_MODE=true disables rate-limit and session enforcement. Guard in assertSecureRuntimeEnv() throws on load, but in packages/api/src/trpc.ts:141-144 the prod+E2E check only console.warns. A single removed import would silently re-enable bypass in production.

Evidence

  • packages/api/src/trpc.ts:141-144 — console.warn() instead of throw on prod+E2E_TEST_MODE
  • apps/web/src/server/auth.ts:50-56 — E2E_TEST_MODE bypasses rate-limit

Impact

Defense-in-depth degraded. A future refactor that drops the assertSecureRuntimeEnv() import silently disables auth rate-limits in production.

Proposed Fix

In trpc.ts replace console.warn with throw new Error(...) or process.exit(1). Centralize all E2E-bypass checks in runtime-env.ts so they cannot be accidentally split.

Acceptance Criteria

  • Prod build with E2E_TEST_MODE=true refuses to start
  • Unit test validates fail-fast behavior
  • All E2E flags checked in single runtime-env.ts function

Parent Epic: #1
Source: Full-Codebase Security Audit 2026-04-16 (A-6)
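One way to build the centralized fail-fast guard this issue asks for, as an added TypeScript example (not CapaKraken's own `runtime-env.ts` or `trpc.ts`): a single function inspects every registered dev-bypass flag and refuses to start when one is set under `NODE_ENV=production`. The weak warn-only pattern the issue reports is kept beside it so a unit test can show the difference. Assumptions: the env is passed in explicitly rather than read from `process.env`, the accepted truthy spellings are `"1"`, `"true"` and `"yes"` (the issue shows `true`, the fix commit `1`), `DEV_BYPASS_FLAGS` contains only the flag named on the page, and the helper names `inspectRuntimeEnv`, `warnOnlyCheck` and `startupRefused` are made up for this example; `assertSecureRuntimeEnv` takes its name from the issue but its body here is an assumption.

```typescript
// Added example, not the project's own code: one runtime-env guard that
// fails fast when a dev/test bypass flag is set in a production build.
// Flag list shape, truthy spellings and helper names are assumptions.

type Env = Record<string, string | undefined>;

// Every environment flag that weakens enforcement is registered here, so a
// refactor cannot drop one check without visibly dropping all of them.
// E2E_TEST_MODE is the flag from the issue; the list itself is an assumption.
const DEV_BYPASS_FLAGS = ["E2E_TEST_MODE"] as const;

// Accept the spellings seen in the issue ("true") and in the fix commit ("1").
function isTruthy(value: string | undefined): boolean {
  if (value === undefined) return false;
  const v = value.trim().toLowerCase();
  return v === "1" || v === "true" || v === "yes";
}

interface RuntimeEnvReport {
  production: boolean;
  activeBypasses: string[]; // bypass flags that are set at all
  violations: string[]; // bypass flags set while NODE_ENV=production
}

// Pure inspection with no side effects, so it is easy to unit-test.
function inspectRuntimeEnv(env: Env): RuntimeEnvReport {
  const production = env.NODE_ENV === "production";
  const activeBypasses: string[] = DEV_BYPASS_FLAGS.filter((name) =>
    isTruthy(env[name]),
  );
  const violations = production ? [...activeBypasses] : [];
  return { production, activeBypasses, violations };
}

// The weak pattern the issue reports: log and carry on. The message is
// returned so a test can observe that execution continued with bypass active.
function warnOnlyCheck(env: Env): string | null {
  const report = inspectRuntimeEnv(env);
  if (report.violations.length === 0) return null;
  const msg = `WARNING: ${report.violations.join(", ")} set in production`;
  console.warn(msg);
  return msg; // process keeps running; enforcement stays disabled
}

// The fail-fast pattern: throw at bootstrap so the process never serves
// traffic with enforcement disabled. Returns the report so non-production
// callers can read which bypasses are active.
function assertSecureRuntimeEnv(env: Env): RuntimeEnvReport {
  const report = inspectRuntimeEnv(env);
  if (report.violations.length > 0) {
    throw new Error(
      `Refusing to start: dev bypass flag(s) ${report.violations.join(", ")} ` +
        `are set while NODE_ENV=production`,
    );
  }
  return report;
}

// Startup probe used by the unit test: did the guard refuse to start?
function startupRefused(env: Env): boolean {
  try {
    assertSecureRuntimeEnv(env);
    return false;
  } catch (_err) {
    return true;
  }
}

// Constructed sample environments, not real deployment configuration.
const prodWithBypass: Env = { NODE_ENV: "production", E2E_TEST_MODE: "true" };
const prodClean: Env = { NODE_ENV: "production" };
const testWithBypass: Env = { NODE_ENV: "test", E2E_TEST_MODE: "1" };

console.log("warn-only keeps running with bypass:", warnOnlyCheck(prodWithBypass) !== null);
console.log("fail-fast refuses prod+bypass:", startupRefused(prodWithBypass));
console.log("fail-fast refuses clean prod:", startupRefused(prodClean));
console.log("fail-fast in test mode, active bypasses:", assertSecureRuntimeEnv(testWithBypass).activeBypasses);
```

At bootstrap the real call would be `assertSecureRuntimeEnv(process.env)` executed once, before the auth and tRPC modules load, so that the `trpc.ts` path no longer needs its own copy of the check; the acceptance-criteria unit test then only has to assert that `startupRefused` is true for a production env carrying the flag and false for a clean one.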

Hartmut added the security label 2026-04-16 22:05:09 +02:00
Hartmut (Author, Owner) commented:

Resolved in commit 93a7fba (security: fail-fast dev-bypass flag in production). The auth bootstrap throws at startup if E2E_TEST_MODE=1 is set while NODE_ENV=production.
Reference: Hartmut/CapaKraken#42