refactor(config): enforce runtime auth secret policy

2026-03-30 23:40:00 +02:00
parent 7bcc831b5c
commit a7362f17bd
8 changed files with 181 additions and 8 deletions
+57
@@ -0,0 +1,57 @@
import { describe, expect, it } from "vitest";
import { assertSecureRuntimeEnv, getRuntimeEnvViolations } from "./runtime-env";
describe("runtime env validation", () => {
it("allows non-production environments without auth runtime settings", () => {
expect(getRuntimeEnvViolations({ NODE_ENV: "development" })).toEqual([]);
});
it("accepts a valid production auth secret and https url", () => {
expect(
getRuntimeEnvViolations({
NODE_ENV: "production",
NEXTAUTH_SECRET: "super-long-random-secret",
NEXTAUTH_URL: "https://capakraken.example.com",
}),
).toEqual([]);
});
it("rejects a missing production auth secret", () => {
expect(
getRuntimeEnvViolations({
NODE_ENV: "production",
NEXTAUTH_URL: "https://capakraken.example.com",
}),
).toContain("AUTH_SECRET or NEXTAUTH_SECRET must be set in production.");
});
it("rejects the development placeholder auth secret in production", () => {
expect(
getRuntimeEnvViolations({
NODE_ENV: "production",
NEXTAUTH_SECRET: "dev-secret-change-in-production",
NEXTAUTH_URL: "https://capakraken.example.com",
}),
).toContain("AUTH_SECRET or NEXTAUTH_SECRET must not use a known development placeholder in production.");
});
it("rejects non-https auth urls in production", () => {
expect(
getRuntimeEnvViolations({
NODE_ENV: "production",
NEXTAUTH_SECRET: "super-long-random-secret",
NEXTAUTH_URL: "http://capakraken.example.com",
}),
).toContain("AUTH_URL or NEXTAUTH_URL must use https in production.");
});
it("throws with a combined startup error when production env is invalid", () => {
expect(() =>
assertSecureRuntimeEnv({
NODE_ENV: "production",
NEXTAUTH_SECRET: "dev-secret-change-in-production",
NEXTAUTH_URL: "not-a-url",
}),
).toThrow(/Invalid production runtime configuration/);
});
});
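Review bot: The final case does not pin the malformed-URL path, because `NEXTAUTH_URL: "not-a-url"` is passed together with the placeholder secret, so `/Invalid production runtime configuration/` would match on the secret violation alone and a validator that silently skipped an unparsable URL would still pass. The violation messages name `AUTH_SECRET` and `AUTH_URL` as alternatives, yet every case sets only the `NEXTAUTH_*` names, so the alias handling is untested. The implementation is outside this section, so whether both names are actually inspected cannot be confirmed from here. I would add one case per gap, plus a whitespace-only secret case, since that is a common way for an unset deployment variable to look as if it were set.

```javascript
// … unchanged: existing cases in describe("runtime env validation") …
it("rejects the development placeholder supplied through AUTH_SECRET", () => {
  expect(
    getRuntimeEnvViolations({
      NODE_ENV: "production",
      AUTH_SECRET: "dev-secret-change-in-production",
      AUTH_URL: "https://capakraken.example.com",
    }),
  ).toContain("AUTH_SECRET or NEXTAUTH_SECRET must not use a known development placeholder in production.");
});
it("reports an unparsable auth url on its own", () => {
  expect(
    getRuntimeEnvViolations({
      NODE_ENV: "production",
      NEXTAUTH_SECRET: "super-long-random-secret",
      NEXTAUTH_URL: "not-a-url",
    }),
  ).not.toEqual([]);
});
it("does not accept a whitespace-only auth secret", () => {
  expect(
    getRuntimeEnvViolations({
      NODE_ENV: "production",
      NEXTAUTH_SECRET: "   ",
      NEXTAUTH_URL: "https://capakraken.example.com",
    }),
  ).not.toEqual([]);
});
```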