Initial commit: OmniAI backend server
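--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,74 @@
+const DEFAULT_DEV_JWT_SECRET = "dev-secret-change-me";
+const DEFAULT_DEV_ADMIN_PASSWORD = "changeme";
+
+let warnedAboutJwtFallback = false;
+let warnedAboutAdminFallback = false;
+
+function isProductionLike() {
+return String(process.env.NODE_ENV || "").toLowerCase() === "production";
+}
+
+function getJwtSecret() {
+const configuredSecret = process.env.JWT_SECRET?.trim();
+
+if (configuredSecret) {
+if (isProductionLike() && configuredSecret === DEFAULT_DEV_JWT_SECRET) {
+throw new Error("JWT_SECRET must not use the development fallback value in production");
+}
+if (isProductionLike() && configuredSecret.length < 32) {
+throw new Error("JWT_SECRET must be at least 32 characters in production");
+}
+return configuredSecret;
+}
+
+if (isProductionLike()) {
+throw new Error("JWT_SECRET environment variable is required in production");
+}
+
+if (!warnedAboutJwtFallback) {
+console.warn("[security] JWT_SECRET not set; using development fallback secret");
+warnedAboutJwtFallback = true;
+}
+
+return DEFAULT_DEV_JWT_SECRET;
+}
+
+function getDefaultAdminPassword(explicitPassword) {
+const providedPassword = typeof explicitPassword === "string" ? explicitPassword.trim() : "";
+const configuredPassword = providedPassword || process.env.DEFAULT_ADMIN_PASSWORD?.trim() || "";
+
+if (configuredPassword) {
+if (isProductionLike() && configuredPassword === DEFAULT_DEV_ADMIN_PASSWORD) {
+throw new Error(
+"DEFAULT_ADMIN_PASSWORD must not use the development fallback value in production",
+);
+}
+return configuredPassword;
+}
+
+if (isProductionLike()) {
+throw new Error(
+"DEFAULT_ADMIN_PASSWORD environment variable is required in production when bootstrapping the default admin account",
+);
+}
+
+if (!warnedAboutAdminFallback) {
+console.warn("[security] DEFAULT_ADMIN_PASSWORD not set; using development fallback password");
+warnedAboutAdminFallback = true;
+}
+
+return DEFAULT_DEV_ADMIN_PASSWORD;
+}
+
+function assertRuntimeSecurityConfig() {
+getJwtSecret();
+}
+
+module.exports = {
+DEFAULT_DEV_ADMIN_PASSWORD,
+DEFAULT_DEV_JWT_SECRET,
+assertRuntimeSecurityConfig,
+getDefaultAdminPassword,
+getJwtSecret,
+isProductionLike,
+};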
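Review bot: The production gate in `isProductionLike` fails open: any deployment where NODE_ENV is unset or spelled anything other than exactly "production" (for example "prod" or "staging") falls through in `getJwtSecret` and `getDefaultAdminPassword` to the exported, publicly known `DEFAULT_DEV_JWT_SECRET` and `DEFAULT_DEV_ADMIN_PASSWORD` with nothing but a one-time console.warn. Inverting the test so the fallbacks are permitted only in explicitly non-production environments keeps the behaviour of correctly configured deployments and fails closed everywhere else, e.g. `const env = String(process.env.NODE_ENV || "").toLowerCase();` / `return env !== "development" && env !== "test";`, at the cost of local developers having to set NODE_ENV=development. Separately, `getDefaultAdminPassword` enforces no minimum length in production while `getJwtSecret` requires 32 characters; a parallel check after the fallback-value comparison, `if (isProductionLike() && configuredPassword.length < MIN_ADMIN_PASSWORD_LENGTH) throw new Error("DEFAULT_ADMIN_PASSWORD is too short for production");` (constant name constructed here, the value is the project's password policy), would close that gap. All functions involved are fully contained in this hunk.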