Hartmut
f8550110eb
A04-1 (High): docker-compose E2E_TEST_MODE now defaults to "false"
via ${E2E_TEST_MODE:-false} — prevents accidental security bypass in
non-test deployments. runtime-env.ts throws at startup if
E2E_TEST_MODE=true in production.
A05-3 (Medium): all 4 cron routes now fail-closed when CRON_SECRET
is unset. Extracted shared verifyCronSecret() helper to
apps/web/src/lib/cron-auth.ts.
A02-1 (Low): verifyCronSecret uses crypto.timingSafeEqual for
constant-time Bearer token comparison.
A10-1 (Medium): Slack webhook routing uses strict hostname check
(parsedUrl.hostname === "hooks.slack.com") instead of .includes()
to prevent bypass via subdomain confusion.
Tickets created for remaining findings: #28 (TOTP rate limit),
#29 (allocations role check), #30 (API keys in DB), #31 (pgAdmin
creds), #32 (MFA enforcement), #33 (auth anomaly alerting),
#34 (comment server-side sanitization).
Co-Authored-By: claude-flow <ruv@ruv.net>
73 lines
2.1 KiB
TypeScript
73 lines
2.1 KiB
TypeScript
const DISALLOWED_PRODUCTION_SECRETS = new Set([
|
|
"dev-secret-change-in-production",
|
|
"changeme",
|
|
"change-me",
|
|
"default",
|
|
"secret",
|
|
]);
|
|
|
|
type RuntimeEnv = Partial<Record<string, string | undefined>>;
|
|
|
|
function readEnvValue(env: RuntimeEnv, ...names: string[]): string | null {
|
|
for (const name of names) {
|
|
const value = env[name]?.trim();
|
|
if (value) {
|
|
return value;
|
|
}
|
|
}
|
|
|
|
return null;
|
|
}
|
|
|
|
function isProductionLike(env: RuntimeEnv): boolean {
|
|
return (env.NODE_ENV ?? "").trim() === "production";
|
|
}
|
|
|
|
function isLocalhost(hostname: string): boolean {
|
|
return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "::1";
|
|
}
|
|
|
|
export function getRuntimeEnvViolations(env: RuntimeEnv = process.env): string[] {
|
|
if (!isProductionLike(env)) {
|
|
return [];
|
|
}
|
|
|
|
const violations: string[] = [];
|
|
const authSecret = readEnvValue(env, "AUTH_SECRET", "NEXTAUTH_SECRET");
|
|
const authUrl = readEnvValue(env, "AUTH_URL", "NEXTAUTH_URL");
|
|
|
|
if (!authSecret) {
|
|
violations.push("AUTH_SECRET or NEXTAUTH_SECRET must be set in production.");
|
|
} else if (DISALLOWED_PRODUCTION_SECRETS.has(authSecret)) {
|
|
violations.push("AUTH_SECRET or NEXTAUTH_SECRET must not use a known development placeholder in production.");
|
|
}
|
|
|
|
if ((env.E2E_TEST_MODE ?? "").trim() === "true") {
|
|
violations.push("E2E_TEST_MODE must not be 'true' in production — it disables all rate limiting and session controls.");
|
|
}
|
|
|
|
if (!authUrl) {
|
|
violations.push("AUTH_URL or NEXTAUTH_URL must be set in production.");
|
|
} else {
|
|
try {
|
|
const parsed = new URL(authUrl);
|
|
if (parsed.protocol !== "https:" && !isLocalhost(parsed.hostname)) {
|
|
violations.push("AUTH_URL or NEXTAUTH_URL must use https in production.");
|
|
}
|
|
} catch {
|
|
violations.push("AUTH_URL or NEXTAUTH_URL must be a valid URL in production.");
|
|
}
|
|
}
|
|
|
|
return violations;
|
|
}
|
|
|
|
export function assertSecureRuntimeEnv(env: RuntimeEnv = process.env): void {
|
|
const violations = getRuntimeEnvViolations(env);
|
|
if (violations.length === 0) {
|
|
return;
|
|
}
|
|
|
|
throw new Error(`Invalid production runtime configuration: ${violations.join(" ")}`);
|
|
}
|