From 21f3560e08f92d2f187580f25baffcd9f0854f63 Mon Sep 17 00:00:00 2001 From: Julien Gautier Date: Sun, 26 Apr 2026 20:53:34 +0200 Subject: [PATCH] fix(config): fail fast at startup if SECRET env var is missing A hardcoded fallback 'acapisecret' was silently used when SECRET was not set, allowing JWT tokens to be forged by anyone knowing the default. The app now throws at module load time if SECRET is absent. --- src/config/index.js | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/src/config/index.js b/src/config/index.js index 8a25051..59d862f 100644 --- a/src/config/index.js +++ b/src/config/index.js @@ -1,8 +1,12 @@ +if (!process.env.SECRET) { + throw new Error('SECRET environment variable is required and must not be empty'); +} + const config = { - secret: process.env.SECRET || 'acapisecret', + secret: process.env.SECRET, session_lifetime: parseInt(process.env.SESSION_LIFETIME) || 21600, // 21600 secondes = 6 heures initAuth: () => { require('./passport-local');