security: move JWT secret to environment variable #660
Open
mmcintosh wants to merge 1 commit into SonicJs-Org:main from
66710fe to 415c5ce
| } | ||
|
|
||
| it('valid key with matching scope — calls next()', async () => { | ||
| const hash = await hashApiKey(TOKEN) |
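Review bot: `hash` is assigned from `hashApiKey(TOKEN)` but nothing in the visible lines reads it, which is what the CodeQL notice below flags as an unused variable; either assert on `hash` (so the test actually exercises the hashed key) or drop the call, otherwise the test suggests coverage of hashing that it never checks.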
Check notice (Code scanning / CodeQL): Unused variable, import, function or class
| }) | ||
|
|
||
| const mw = requireApiKey('search:read') | ||
| const result = await mw(ctx, mockNext) |
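Review bot: `result` from `await mw(ctx, mockNext)` is never used, as the CodeQL notice below reports; a middleware test for the scoped-key path should assert on what `mw` returned (or on `mockNext` having been invoked) rather than discarding the value, so a regression in `requireApiKey('search:read')` would actually fail the test.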
Check notice (Code scanning / CodeQL): Unused variable, import, function or class
- Add optional secret parameter to generateToken/verifyToken
- Falls back to hardcoded constant for local dev without wrangler secret
- Add JWT_SECRET to Bindings interface
- Update all generateToken callsites to pass c.env.JWT_SECRET
- Update requireAuth and optionalAuth middleware to pass env secret
- Update magic-link-auth and otp-login plugins

Production: set via `wrangler secret put JWT_SECRET`

Fixes VULN-001
415c5ce to b53e5d4
Security: Move JWT Secret to Environment Variable

Summary

Moves the hardcoded JWT signing secret out of source code and into an environment variable (`JWT_SECRET`). Falls back to the old hardcoded value for local development when no env var is set.

Changes

1. Environment-Based JWT Secret

- `generateToken()` and `verifyToken()` accept an optional `secret` parameter
- `c.env.JWT_SECRET` at every call site
- `JWT_SECRET_FALLBACK` (the old hardcoded value) when no env var is bound
- `wrangler dev` working without extra configuration

2. All Call Sites Updated

- `/auth/register` -- pass `c.env.JWT_SECRET`
- `/auth/login` -- pass `c.env.JWT_SECRET`
- `/auth/refresh` -- pass `c.env.JWT_SECRET`
- `/auth/register/form` -- pass `c.env.JWT_SECRET`
- `/auth/login/form` -- pass `c.env.JWT_SECRET`
- `/auth/accept-invitation` -- pass `c.env.JWT_SECRET`
- `(c.env as any).JWT_SECRET`
- `(c.env as any).JWT_SECRET`

3. Bindings Type Updated

- `JWT_SECRET?: string` to the `Bindings` interface in `app.ts`

Technical Details

Core Changes:

- `packages/core/src/middleware/auth.ts` -- `generateToken(userId, email, role, secret?)` and `verifyToken(token, secret?)` with env secret or fallback
- `packages/core/src/app.ts` -- Added `JWT_SECRET?: string` to `Bindings` interface
- `packages/core/src/routes/auth.ts` -- All 6 `generateToken()` calls pass `c.env.JWT_SECRET`

Plugin Updates:

- `packages/core/src/plugins/available/magic-link-auth/index.ts` -- Pass env secret
- `packages/core/src/plugins/core-plugins/otp-login-plugin/index.ts` -- Pass env secret

Testing

Performance Impact

No performance impact -- same JWT library, same algorithm.

Breaking Changes

None. Without `JWT_SECRET` env var, behavior is identical to before.

Migration Notes

- `wrangler secret put JWT_SECRET` with a strong random value (e.g., `openssl rand -base64 32`)

Known Issues

None.

Demo / Screenshots

N/A -- no UI changes.

Related Issues

(Security hardening -- no linked issue)

Checklist
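The "env secret or fallback" rule that both the commit message and the description above describe, written out as an added, self-contained example. This is not SonicJs code: it signs HS256 tokens with Node's `crypto` module instead of the project's JWT library, the `Bindings` shape and its `ENVIRONMENT` field are assumptions, `JWT_SECRET_FALLBACK` is a constructed placeholder rather than the real old constant, and `resolveSecret()` goes one step beyond the PR by refusing the fallback when the binding says the Worker is in production. The point worth checking from a defender's side is the last one: with a silent fallback, a production deployment that forgot `wrangler secret put JWT_SECRET` would sign every session with a value that lives in the public source tree, so tokens minted under the fallback must not verify under the real secret and the fallback should not be reachable in production at all.

```typescript
// Added example (not SonicJs code): HS256 JWT sign/verify with an
// environment-provided secret and a local-dev fallback, mirroring the PR.
import { createHmac, timingSafeEqual } from 'node:crypto'

// Assumed binding shape; the real SonicJs Bindings only gains JWT_SECRET.
export interface Bindings {
  JWT_SECRET?: string
  ENVIRONMENT?: string // assumption: 'production' | 'development'
}

// Constructed placeholder standing in for the old hardcoded value.
export const JWT_SECRET_FALLBACK = 'local-dev-only-fallback-secret'

export interface TokenPayload {
  userId: string
  email: string
  role: string
  exp: number // seconds since epoch
}

const TOKEN_TTL_SECONDS = 3600

function b64url(input: string): string {
  return Buffer.from(input, 'utf8').toString('base64url')
}

function hmac(data: string, secret: string): string {
  return createHmac('sha256', secret).update(data).digest('base64url')
}

// PR rule: bound env secret wins, otherwise fall back for local dev.
// Added check (assumption, not in the PR): never fall back in production.
export function resolveSecret(env: Bindings): string {
  if (env.JWT_SECRET && env.JWT_SECRET.length > 0) return env.JWT_SECRET
  if (env.ENVIRONMENT === 'production') {
    throw new Error('JWT_SECRET is not bound; set it with `wrangler secret put JWT_SECRET`')
  }
  return JWT_SECRET_FALLBACK
}

// Optional `secret` parameter as in the PR; `nowSec` is injectable for tests.
export function generateToken(
  userId: string, email: string, role: string,
  secret?: string, nowSec: number = Math.floor(Date.now() / 1000),
): string {
  const header = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))
  const payload = b64url(JSON.stringify({ userId, email, role, exp: nowSec + TOKEN_TTL_SECONDS }))
  const signingInput = `${header}.${payload}`
  return `${signingInput}.${hmac(signingInput, secret ?? JWT_SECRET_FALLBACK)}`
}

// Returns the payload on success, null on any failure (bad shape, wrong
// algorithm, bad signature, expired). Never throws on attacker-shaped input.
export function verifyToken(
  token: string, secret?: string, nowSec: number = Math.floor(Date.now() / 1000),
): TokenPayload | null {
  const parts = token.split('.')
  if (parts.length !== 3) return null
  const [header, payload, sig] = parts

  // Pin the algorithm: only accept the HS256 header we issue.
  let hdr: Record<string, unknown>
  try { hdr = JSON.parse(Buffer.from(header, 'base64url').toString('utf8')) } catch { return null }
  if (hdr.alg !== 'HS256') return null

  // Constant-time signature comparison; length mismatch is a plain reject.
  const expected = Buffer.from(hmac(`${header}.${payload}`, secret ?? JWT_SECRET_FALLBACK))
  const given = Buffer.from(sig)
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null

  let body: TokenPayload
  try { body = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8')) } catch { return null }
  if (typeof body.exp !== 'number' || body.exp <= nowSec) return null
  return body
}
```

In a Hono handler the call shape matches the PR's call sites: `generateToken(user.id, user.email, user.role, resolveSecret(c.env))` on issue and `verifyToken(token, resolveSecret(c.env))` in the auth middleware; the fallback token and the real-secret token are deliberately incompatible in both directions.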