fix: remove hardcoded secret fallbacks from EncryptID (GitGuardian alert)

Require DATABASE_URL and JWT_SECRET via env vars instead of falling back to hardcoded defaults. Removes insecure fallback passwords from compose file as well. Production was already using strong .env secrets. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-15 15:33:02 -07:00 · 2026-02-15 15:33:02 -07:00 · 163ab3c288
parent d8b8864fbc
commit 163ab3c288
3 changed files with 12 additions and 5 deletions
--- a/docker-compose.encryptid.yml
+++ b/docker-compose.encryptid.yml
@ -14,8 +14,8 @@ services:
    environment:
      - NODE_ENV=production
      - PORT=3000
-      - JWT_SECRET=${JWT_SECRET:-change-this-in-production}
-      - DATABASE_URL=postgres://encryptid:${ENCRYPTID_DB_PASSWORD:-encryptid}@encryptid-db:5432/encryptid
+      - JWT_SECRET=${JWT_SECRET}
+      - DATABASE_URL=postgres://encryptid:${ENCRYPTID_DB_PASSWORD}@encryptid-db:5432/encryptid
      - SMTP_HOST=${SMTP_HOST:-mx.jeffemmett.com}
      - SMTP_PORT=${SMTP_PORT:-587}
      - SMTP_USER=${SMTP_USER:-noreply@jeffemmett.com}
@ -48,7 +48,7 @@ services:
    environment:
      - POSTGRES_DB=encryptid
      - POSTGRES_USER=encryptid
-      - POSTGRES_PASSWORD=${ENCRYPTID_DB_PASSWORD:-encryptid}
+      - POSTGRES_PASSWORD=${ENCRYPTID_DB_PASSWORD}
    volumes:
      - encryptid-pgdata:/var/lib/postgresql/data
    networks:
--- a/src/encryptid/db.ts
+++ b/src/encryptid/db.ts
@ -13,7 +13,10 @@ import { join } from 'path';
 // CONNECTION
 // ============================================================================

-const DATABASE_URL = process.env.DATABASE_URL || 'postgres://encryptid:encryptid@localhost:5432/encryptid';
+const DATABASE_URL = process.env.DATABASE_URL;
+if (!DATABASE_URL) {
+  throw new Error('DATABASE_URL environment variable is required');
+}

 const sql = postgres(DATABASE_URL, {
  max: 10,
--- a/src/encryptid/server.ts
+++ b/src/encryptid/server.ts
@ -45,7 +45,11 @@ const CONFIG = {
  port: process.env.PORT || 3000,
  rpId: 'jeffemmett.com',
  rpName: 'EncryptID',
-  jwtSecret: process.env.JWT_SECRET || 'dev-secret-change-in-production',
+  jwtSecret: (() => {
+    const secret = process.env.JWT_SECRET;
+    if (!secret) throw new Error('JWT_SECRET environment variable is required');
+    return secret;
+  })(),
  sessionDuration: 15 * 60,  // 15 minutes
  refreshDuration: 7 * 24 * 60 * 60,  // 7 days
  smtp: {