src/securityConfig.js

const DEFAULT_DEV_JWT_SECRET = "dev-secret-change-me";
const DEFAULT_DEV_ADMIN_PASSWORD = "changeme";

let warnedAboutJwtFallback = false;
let warnedAboutAdminFallback = false;

function isProductionLike() {
  return String(process.env.NODE_ENV || "").toLowerCase() === "production";
}

function getJwtSecret() {
  const configuredSecret = process.env.JWT_SECRET?.trim();

  if (configuredSecret) {
    if (isProductionLike() && configuredSecret === DEFAULT_DEV_JWT_SECRET) {
      throw new Error("JWT_SECRET must not use the development fallback value in production");
    }
    if (isProductionLike() && configuredSecret.length < 32) {
      throw new Error("JWT_SECRET must be at least 32 characters in production");
    }
    return configuredSecret;
  }

  if (isProductionLike()) {
    throw new Error("JWT_SECRET environment variable is required in production");
  }

  if (!warnedAboutJwtFallback) {
    console.warn("[security] JWT_SECRET not set; using development fallback secret");
    warnedAboutJwtFallback = true;
  }

  return DEFAULT_DEV_JWT_SECRET;
}

function getDefaultAdminPassword(explicitPassword) {
  const providedPassword = typeof explicitPassword === "string" ? explicitPassword.trim() : "";
  const configuredPassword = providedPassword || process.env.DEFAULT_ADMIN_PASSWORD?.trim() || "";

  if (configuredPassword) {
    if (isProductionLike() && configuredPassword === DEFAULT_DEV_ADMIN_PASSWORD) {
      throw new Error(
        "DEFAULT_ADMIN_PASSWORD must not use the development fallback value in production",
      );
    }
    return configuredPassword;
  }

  if (isProductionLike()) {
    throw new Error(
      "DEFAULT_ADMIN_PASSWORD environment variable is required in production when bootstrapping the default admin account",
    );
  }

  if (!warnedAboutAdminFallback) {
    console.warn("[security] DEFAULT_ADMIN_PASSWORD not set; using development fallback password");
    warnedAboutAdminFallback = true;
  }

  return DEFAULT_DEV_ADMIN_PASSWORD;
}

function assertRuntimeSecurityConfig() {
  getJwtSecret();
}

module.exports = {
  DEFAULT_DEV_ADMIN_PASSWORD,
  DEFAULT_DEV_JWT_SECRET,
  assertRuntimeSecurityConfig,
  getDefaultAdminPassword,
  getJwtSecret,
  isProductionLike,
};
Initial commit: OmniAI backend server 2026-06-02 13:14:10 +08:00			`const DEFAULT_DEV_JWT_SECRET = "dev-secret-change-me";`
			`const DEFAULT_DEV_ADMIN_PASSWORD = "changeme";`

			`let warnedAboutJwtFallback = false;`
			`let warnedAboutAdminFallback = false;`

			`function isProductionLike() {`
			`return String(process.env.NODE_ENV \|\| "").toLowerCase() === "production";`
			`}`

			`function getJwtSecret() {`
			`const configuredSecret = process.env.JWT_SECRET?.trim();`

			`if (configuredSecret) {`
			`if (isProductionLike() && configuredSecret === DEFAULT_DEV_JWT_SECRET) {`
			`throw new Error("JWT_SECRET must not use the development fallback value in production");`
			`}`
			`if (isProductionLike() && configuredSecret.length < 32) {`
			`throw new Error("JWT_SECRET must be at least 32 characters in production");`
			`}`
			`return configuredSecret;`
			`}`

			`if (isProductionLike()) {`
			`throw new Error("JWT_SECRET environment variable is required in production");`
			`}`

			`if (!warnedAboutJwtFallback) {`
			`console.warn("[security] JWT_SECRET not set; using development fallback secret");`
			`warnedAboutJwtFallback = true;`
			`}`

			`return DEFAULT_DEV_JWT_SECRET;`
			`}`

			`function getDefaultAdminPassword(explicitPassword) {`
			`const providedPassword = typeof explicitPassword === "string" ? explicitPassword.trim() : "";`
			`const configuredPassword = providedPassword \|\| process.env.DEFAULT_ADMIN_PASSWORD?.trim() \|\| "";`

			`if (configuredPassword) {`
			`if (isProductionLike() && configuredPassword === DEFAULT_DEV_ADMIN_PASSWORD) {`
			`throw new Error(`
			`"DEFAULT_ADMIN_PASSWORD must not use the development fallback value in production",`
			`);`
			`}`
			`return configuredPassword;`
			`}`

			`if (isProductionLike()) {`
			`throw new Error(`
			`"DEFAULT_ADMIN_PASSWORD environment variable is required in production when bootstrapping the default admin account",`
			`);`
			`}`

			`if (!warnedAboutAdminFallback) {`
			`console.warn("[security] DEFAULT_ADMIN_PASSWORD not set; using development fallback password");`
			`warnedAboutAdminFallback = true;`
			`}`

			`return DEFAULT_DEV_ADMIN_PASSWORD;`
			`}`

			`function assertRuntimeSecurityConfig() {`
			`getJwtSecret();`
			`}`

			`module.exports = {`
			`DEFAULT_DEV_ADMIN_PASSWORD,`
			`DEFAULT_DEV_JWT_SECRET,`
			`assertRuntimeSecurityConfig,`
			`getDefaultAdminPassword,`
			`getJwtSecret,`
			`isProductionLike,`
			`};`