Skip to content

fix(security): fail-closed JWT secret validation in non-dev envs#3791

Merged
PierreBrisorgueil merged 2 commits into
masterfrom
fix/jwt-secret-fail-closed
Jun 5, 2026
Merged

fix(security): fail-closed JWT secret validation in non-dev envs#3791
PierreBrisorgueil merged 2 commits into
masterfrom
fix/jwt-secret-fail-closed

Conversation

@PierreBrisorgueil

@PierreBrisorgueil PierreBrisorgueil commented Jun 4, 2026

Copy link
Copy Markdown
Contributor

Closes #3737

validateJwtSecret now throws (fail-closed) in non-dev/test envs when the JWT secret is empty, under 32 chars, or matches a known default/placeholder. Dev/test keep warn-only behavior (so local + CI still boot).

WARNING — DO NOT MERGE until downstream secret injection is confirmed: every deployed downstream must inject a strong (>=32 char, non-default) JWT secret, else this fail-closed check crashes prod boot.

Phase 0 critical-review: OK with nits (1 medium — JWT_DEFAULT_SECRETS Set duplicated in home.service.js; dedupe or follow-up).

@PierreBrisorgueil
fix(config): validateJwtSecret fail-closed in non-dev envs
6ed6115 
In production/staging environments, throw (crash loud) when the JWT
secret is empty, shorter than 32 chars, or matches any known default
placeholder (devkit + all downstream projects). Dev/test/local keep
the existing console.log warn so local and CI boots are unaffected.

Also tightens the home-service readiness check to the same predicate
(< 32 chars + known defaults) for a consistent security status page.

Closes #3737
Copilot AI review requested due to automatic review settings June 4, 2026 15:13
@coderabbitai

coderabbitai Bot commented Jun 4, 2026
edited
Loading

Copy link
Copy Markdown

Warning

Review limit reached

@PierreBrisorgueil, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 15 minutes and 46 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: f65e3d3a-db6e-417c-890e-df2498e33c1e

📥 Commits

Reviewing files that changed from the base of the PR and between 853b36b and c8b1004.

📒 Files selected for processing (4)
  • lib/helpers/config.js
  • lib/helpers/tests/config.validateJwtSecret.unit.tests.js
  • modules/home/services/home.service.js
  • modules/home/tests/home.integration.tests.js
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/jwt-secret-fail-closed

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

Copilot AI reviewed Jun 4, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Hardens JWT secret validation to fail closed in non-dev environments, preventing deployments from starting with empty/weak/default JWT signing secrets (per #3737).

Changes:

  • Updated validateJwtSecret to throw in non-dev/test/local envs when the secret is empty, < 32 chars, or matches known default placeholders.
  • Tightened the Home readiness JWT check to flag short secrets and known defaults.
  • Added unit tests covering the environment/secret-strength behavior matrix for validateJwtSecret.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 4 comments.

File Description
modules/home/services/home.service.js Updates readiness JWT secret weakness detection (length + known defaults).
lib/helpers/config.js Implements fail-closed JWT secret validation with environment-based behavior.
lib/helpers/tests/config.validateJwtSecret.unit.tests.js Adds unit coverage for the new validation rules across environments.

Comment thread lib/helpers/config.js
Comment on lines +86 to +91
const secret = config.jwt?.secret;
const env = process.env.NODE_ENV ?? 'development';

const isWeak = !secret || secret.trim() === '' || secret.length < 32 || JWT_DEFAULT_SECRETS.has(secret);

if (!isWeak) return; // strong secret — nothing to do
Comment thread modules/home/services/home.service.js
Comment on lines 87 to 89
const jwtSecret = config.jwt?.secret;
const jwtInsecure = !jwtSecret || jwtSecret.trim() === '' || jwtSecret === 'WaosSecretKeyExampleToChnageAbsolutely';
const jwtInsecure = !jwtSecret || jwtSecret.trim() === '' || jwtSecret.length < 32 || JWT_DEFAULTS.has(jwtSecret);
checks.push({
Comment thread modules/home/services/home.service.js
Comment on lines +79 to +86
const JWT_DEFAULTS = new Set([
'WaosSecretKeyExampleToChnageAbsolutely',
'TrawlNodeDevSecret',
'ComesNodeDevSecret',
'MontaineNodeDevSecret',
'PierrebNodeDevSecret',
'IsmNodeDevSecret',
]);
Comment thread lib/helpers/tests/config.validateJwtSecret.unit.tests.js
Comment on lines +34 to +37
afterEach(() => {
consoleLogSpy.mockRestore();
process.env.NODE_ENV = originalEnv;
});
@PierreBrisorgueil PierreBrisorgueil mentioned this pull request Jun 4, 2026
Closed
@codecov

codecov Bot commented Jun 4, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 90.25%. Comparing base (cdacb9b) to head (c8b1004).
⚠️ Report is 6 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #3791      +/-   ##
==========================================
+ Coverage   90.19%   90.25%   +0.05%     
==========================================
  Files         152      152              
  Lines        5020     5030      +10     
  Branches     1598     1601       +3     
==========================================
+ Hits         4528     4540      +12     
+ Misses        387      386       -1     
+ Partials      105      104       -1
Flag Coverage Δ
integration 59.00% <35.71%> (-0.06%) ⬇️
unit 69.44% <100.00%> (+0.10%) ⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Continue to review full report in Codecov by Harness.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 853b36b...c8b1004. Read the comment docs.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@PierreBrisorgueil PierreBrisorgueil merged commit fbba499 into master Jun 5, 2026
8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[P1][security] validateJwtSecret should fail-closed on any default secret in non-dev envs

2 participants

@PierreBrisorgueil