refactor(config): export isJwtSecretWeak — dedupe JWT weakness predicate #3799
…gle source of truth

Deduplicates the JWT weakness predicate that existed independently in config.js (inline in validateJwtSecret) and home.service.js (private JWT_DEFAULTS Set + jwtInsecure expression). Both call sites now use the single exported helper; zero behavior change. JWT_DEFAULT_SECRETS is frozen to prevent accidental mutation of the canonical set.

Closes #3792
Codecov Report: ✅ All modified and coverable lines are covered by tests.

| Coverage Diff | master | #3799 | +/- |
|---|---|---|---|
| Coverage | 90.29% | 90.29% | |
| Files | 152 | 152 | |
| Lines | 5038 | 5038 | |
| Branches | 1603 | 1602 | -1 |
| Hits | 4549 | 4549 | |
| Misses | 385 | 385 | |
| Partials | 104 | 104 | |
Pull request overview
This PR deduplicates the JWT “weak/default secret” predicate by introducing a canonical isJwtSecretWeak(secret) helper (and exporting the default-secret list) from lib/helpers/config.js, then updating Home’s readiness report to call that shared helper instead of maintaining its own copy. It also adds focused unit tests to lock in the behavior matrix and prevent drift.
Changes:
- Added `isJwtSecretWeak(secret)` (and exported `JWT_DEFAULT_SECRETS`) in `lib/helpers/config.js`; `validateJwtSecret` now delegates to the helper.
- Removed duplicated JWT-default/weakness logic in `modules/home/services/home.service.js` in favor of the shared helper.
- Added/extended unit tests covering the full predicate matrix and readiness behavior.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| lib/helpers/config.js | Exports canonical JWT weakness predicate + default-secret set; validateJwtSecret delegates to it. |
| modules/home/services/home.service.js | Replaces local JWT-default predicate with shared isJwtSecretWeak. |
| lib/helpers/tests/config.isJwtSecretWeak.unit.tests.js | New unit tests covering weak/strong cases and all default placeholders. |
| modules/home/tests/home.service.unit.tests.js | Adds readiness-row tests for JWT security status/message behavior. |
| * @readonly | ||
| */ | ||
| const JWT_DEFAULT_SECRETS = new Set([ | ||
| const JWT_DEFAULT_SECRETS = Object.freeze(new Set([ | ||
| 'WaosSecretKeyExampleToChnageAbsolutely', // devkit upstream placeholder | ||
| 'TrawlNodeDevSecret', // trawl downstream placeholder |
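Review bot: `Object.freeze(new Set([...]))` on the added line does not give the immutability the PR description promises. `Object.freeze` only locks an object's own properties, and a Set keeps its entries in an internal slot, so `JWT_DEFAULT_SECRETS.add('x')`, `.delete(...)` and `.clear()` still succeed silently on the frozen object. If "prevent accidental mutation of the canonical set" is the goal, either keep the Set module-private and export only `isJwtSecretWeak`, export a frozen array (`Object.freeze([...])`) and build the Set internally, or define `add`/`delete`/`clear` on the instance to throw before freezing; a unit test asserting that mutation is rejected would make the guarantee visible rather than assumed.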
Summary
- validateJwtSecret into an exported isJwtSecretWeak(secret) helper in lib/helpers/config.js
- JWT_DEFAULTS Set + duplicated jwtInsecure expression from modules/home/services/home.service.js; both call sites now import and use the single canonical helper
- JWT_DEFAULT_SECRETS is now exported (frozen with Object.freeze) for exhaustive test coverage
- validateJwtSecret + home-readiness tests stay green; new config.isJwtSecretWeak unit tests cover every case (empty, null, whitespace, <32-char, each known default, strong secret)

Test plan
- npm run lint — no issues
- npm run test:unit — 128 suites / 1777 tests, all passing
- lib/helpers/tests/config.isJwtSecretWeak.unit.tests.js — 15 tests covering full predicate matrix
- modules/home/tests/home.service.unit.tests.js — 3 new security-row tests asserting correct delegation to shared helper
- /critical-review --via deepseek — Verdict: OK (no blockers; 2 nits addressed before commit)

Closes #3792
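As an added example (not the project's code from this PR), a stand-alone JavaScript reimplementation of the predicate matrix listed in the summary, together with a default-secret set that is genuinely read-only rather than merely frozen. The 32-character floor, the trimming, and the `readOnlySet` helper are assumptions; the two placeholder strings are the ones visible in the diff hunk.

```javascript
// Added example, not the project's lib/helpers/config.js. Names, the
// 32-char floor and the trimming rule are assumptions taken from the PR text.

// Object.freeze only locks an object's own properties; a Set's entries live
// in an internal slot, so add/delete/clear still succeed on a frozen Set.
// This helper shadows the mutators with throwing versions, then freezes.
function readOnlySet(values) {
  const set = new Set(values);
  const reject = () => { throw new TypeError('JWT_DEFAULT_SECRETS is read-only'); };
  for (const method of ['add', 'delete', 'clear']) {
    Object.defineProperty(set, method, { value: reject, writable: false, configurable: false });
  }
  return Object.freeze(set);
}

// Known shipped placeholders (the two shown in the diff hunk).
const JWT_DEFAULT_SECRETS = readOnlySet([
  'WaosSecretKeyExampleToChnageAbsolutely', // devkit upstream placeholder
  'TrawlNodeDevSecret',                     // trawl downstream placeholder
]);

const JWT_SECRET_MIN_LENGTH = 32; // assumed floor; the PR's tests mention a "<32-char" case

// True when the secret must not be used to sign tokens: missing, blank,
// too short to resist guessing, or one of the known placeholders.
function isJwtSecretWeak(secret) {
  if (typeof secret !== 'string') return true;       // undefined, null, non-string
  const s = secret.trim();
  if (s.length === 0) return true;                    // empty or whitespace-only
  if (s.length < JWT_SECRET_MIN_LENGTH) return true;  // too short
  return JWT_DEFAULT_SECRETS.has(s);                  // shipped placeholder
}

// Contrast: a plain frozen Set silently accepts mutation.
function frozenPlainSetAcceptsAdd() {
  const s = Object.freeze(new Set(['a']));
  s.add('b');
  return s.has('b'); // true: freeze did not protect the entries
}

// The read-only wrapper refuses the same mutation with a TypeError.
function readOnlySetRejectsAdd() {
  try {
    JWT_DEFAULT_SECRETS.add('x');
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```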