From 974f0e4a67a23fbcab351187a64f6da619b878e7 Mon Sep 17 00:00:00 2001
From: cottongin <cottongin@users.noreply.github.com>
Date: Sat, 7 Feb 2026 14:07:09 -0500
Subject: [PATCH] Harden secret handling: remove weak fallback defaults, fail
 fast on missing env vars

JWT_SECRET and ADMIN_KEY no longer fall back to insecure defaults.
The app will throw at startup if these env vars are not set.
docker-compose.yml now uses :? syntax to require them.

Co-authored-by: Cursor <cursoragent@cursor.com>
---
 backend/middleware/auth.js | 5 ++++-
 backend/routes/auth.js     | 5 ++++-
 docker-compose.yml         | 4 ++--
 3 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/backend/middleware/auth.js b/backend/middleware/auth.js
index b4c750f..e596082 100644
--- a/backend/middleware/auth.js
+++ b/backend/middleware/auth.js
@@ -1,6 +1,9 @@
 const jwt = require('jsonwebtoken');
 
-const JWT_SECRET = process.env.JWT_SECRET || 'your-secret-key-change-in-production';
+if (!process.env.JWT_SECRET) {
+  throw new Error('JWT_SECRET environment variable is required');
+}
+const JWT_SECRET = process.env.JWT_SECRET;
 
 function authenticateToken(req, res, next) {
   const authHeader = req.headers['authorization'];
diff --git a/backend/routes/auth.js b/backend/routes/auth.js
index 818c195..cd6728f 100644
--- a/backend/routes/auth.js
+++ b/backend/routes/auth.js
@@ -4,7 +4,10 @@ const { JWT_SECRET, authenticateToken } = require('../middleware/auth');
 
 const router = express.Router();
 
-const ADMIN_KEY = process.env.ADMIN_KEY || 'admin123';
+if (!process.env.ADMIN_KEY) {
+  throw new Error('ADMIN_KEY environment variable is required');
+}
+const ADMIN_KEY = process.env.ADMIN_KEY;
 
 // Login with admin key
 router.post('/login', (req, res) => {
diff --git a/docker-compose.yml b/docker-compose.yml
index 93d53ec..db52417 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -9,8 +9,8 @@ services:
       - PORT=5000
       - NODE_ENV=production
       - DB_PATH=/app/data/jackbox.db
-      - JWT_SECRET=${JWT_SECRET:-change-me-in-production}
-      - ADMIN_KEY=${ADMIN_KEY:-admin123}
+      - JWT_SECRET=${JWT_SECRET:?JWT_SECRET is required}
+      - ADMIN_KEY=${ADMIN_KEY:?ADMIN_KEY is required}
       - DEBUG=false
     volumes:
       - jackbox-data:/app/data