Harden secret handling: remove weak fallback defaults, fail fast on missing env vars

JWT_SECRET and ADMIN_KEY no longer fall back to insecure defaults.
The app will throw at startup if these env vars are not set.
docker-compose.yml now uses :? syntax to require them.

Co-authored-by: Cursor <cursoragent@cursor.com>
cottongin
2026-02-07 14:07:09 -05:00
parent 5cf5901001
commit 974f0e4a67
3 changed files with 10 additions and 4 deletions


@@ -1,6 +1,9 @@
const jwt = require('jsonwebtoken');
const JWT_SECRET = process.env.JWT_SECRET || 'your-secret-key-change-in-production';
if (!process.env.JWT_SECRET) {
throw new Error('JWT_SECRET environment variable is required');
}
const JWT_SECRET = process.env.JWT_SECRET;
function authenticateToken(req, res, next) {
const authHeader = req.headers['authorization'];
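Review bot: The new guard `if (!process.env.JWT_SECRET)` only rejects an unset or empty value, so a deployment that copied one of the old placeholder strings into its environment, or that uses a short guessable value, still starts and signs tokens with it. Consider also enforcing a minimum length and refusing the former defaults, e.g. `if (!process.env.JWT_SECRET || process.env.JWT_SECRET.length < 32) {`, with the error message stating the requirement. The same applies to the `ADMIN_KEY` check in the admin route file, where `admin123` would still pass. The signing algorithm is not visible here; if it is an HMAC variant, the secret should carry at least as many bits as the hash output. `authenticateToken` continues outside the hunk.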


@@ -4,7 +4,10 @@ const { JWT_SECRET, authenticateToken } = require('../middleware/auth');
const router = express.Router();
const ADMIN_KEY = process.env.ADMIN_KEY || 'admin123';
if (!process.env.ADMIN_KEY) {
throw new Error('ADMIN_KEY environment variable is required');
}
const ADMIN_KEY = process.env.ADMIN_KEY;
// Login with admin key
router.post('/login', (req, res) => {
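Review bot: The `ADMIN_KEY` guard is a second hand-written copy of the require-or-throw pattern already added for `JWT_SECRET` in the auth middleware, so any later tightening has to be made in two places and can drift. A small shared helper keeps the messages consistent and gives a single place to add stricter validation; the call site becomes `const ADMIN_KEY = requireEnv('ADMIN_KEY');`. The helper name and its location are a suggestion only. The `/login` handler body is outside the hunk.

```javascript
// proposed shared helper; where it lives is the project's choice
function requireEnv(name) {
  const value = process.env[name];
  if (!value) {
    throw new Error(`${name} environment variable is required`);
  }
  return value;
}

const ADMIN_KEY = requireEnv('ADMIN_KEY');
```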


@@ -9,8 +9,8 @@ services:
- PORT=5000
- NODE_ENV=production
- DB_PATH=/app/data/jackbox.db
- JWT_SECRET=${JWT_SECRET:-change-me-in-production}
- ADMIN_KEY=${ADMIN_KEY:-admin123}
- JWT_SECRET=${JWT_SECRET:?JWT_SECRET is required}
- ADMIN_KEY=${ADMIN_KEY:?ADMIN_KEY is required}
- DEBUG=false
volumes:
- jackbox-data:/app/data
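Review bot: The two `:?` lines make `JWT_SECRET` and `ADMIN_KEY` mandatory, but nothing next to them tells an operator where to set them or what a suitable value looks like. A comment above the pair such as `# Required: set in .env or the shell; use a long random value, never the old defaults` would help, ideally alongside an example env file if the project does not already ship one. Compose evaluates `:?` during interpolation, so commands run against this file without the variables set stop with the given message instead of starting the container. Values listed under `environment:` can also be read through container inspection by anyone with access to the Docker host, which is worth stating in the deployment notes.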