fix(config): fail fast at startup if SECRET env var is missing

A hardcoded fallback 'acapisecret' was silently used when SECRET was
not set, allowing JWT tokens to be forged by anyone knowing the default.
The app now throws at module load time if SECRET is absent.
This commit is contained in:
2026-04-26 20:53:34 +02:00
parent ebc7c7751a
commit 21f3560e08
+5 -1
View File
@@ -1,8 +1,12 @@
if (!process.env.SECRET) {
throw new Error('SECRET environment variable is required and must not be empty');
}
const config = { const config = {
secret: process.env.SECRET || 'acapisecret', secret: process.env.SECRET,
session_lifetime: parseInt(process.env.SESSION_LIFETIME) || 21600, // 21600 secondes = 6 heures session_lifetime: parseInt(process.env.SESSION_LIFETIME) || 21600, // 21600 secondes = 6 heures
initAuth: () => { initAuth: () => {
require('./passport-local'); require('./passport-local');