security: remove hardcoded secrets, require env vars

Remove hardcoded encryption fallback and Postgres password defaults
flagged by GitGuardian. ENCRYPTION_SECRET and DATABASE_URL are now
required env vars that throw on missing rather than falling back to
insecure defaults.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Jeff Emmett 2026-02-26 09:45:10 -08:00
parent bfdb09fc4b
commit bd0916b60f
4 changed files with 16 additions and 7 deletions


@ -904,7 +904,10 @@ export function setEncryption(
* For now, uses a deterministic HMAC-based key from a server secret.
*/
async function deriveSpaceKey(keyId: string): Promise<CryptoKey> {
const serverSecret = process.env.ENCRYPTION_SECRET || 'REDACTED_ENCRYPTION_FALLBACK';
const serverSecret = process.env.ENCRYPTION_SECRET;
if (!serverSecret) {
throw new Error('ENCRYPTION_SECRET environment variable is required');
}
const encoder = new TextEncoder();
const keyMaterial = await crypto.subtle.importKey(
'raw',
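Review bot: The new guard in `deriveSpaceKey` rejects only a missing or empty `ENCRYPTION_SECRET`, and because it sits inside the function it fires when a key is first derived rather than at startup, so a misconfigured deployment can start cleanly and fail later. Consider validating the secret once at module load and enforcing a minimum length, for example `if (!serverSecret || serverSecret.length < 32) throw new Error('ENCRYPTION_SECRET environment variable is required');` (the threshold of 32 is illustrative). Since the doc comment describes the key as derived deterministically from this secret, any data written while the removed fallback was in effect was keyed from a value published in the repository and, presumably, will not decrypt once a real secret is set; a one-time re-encryption step seems to be needed, and this commit does not show one. The body of `deriveSpaceKey` continues outside the hunk.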


@ -20,8 +20,10 @@ import {
type MigrationResult,
} from './pg-to-automerge';
const DATABASE_URL =
process.env.DATABASE_URL || 'postgres://rspace:REDACTED@rspace-db:5432/rspace';
const DATABASE_URL = process.env.DATABASE_URL;
if (!DATABASE_URL) {
throw new Error('DATABASE_URL environment variable is required');
}
const sql = postgres(DATABASE_URL, { max: 5, idle_timeout: 10 });
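Review bot: The same four-line `DATABASE_URL` guard is copied at module top level here and in the two file sections that follow, and this file and the next each open their own `postgres(...)` pool even though the last file exports a shared `sql` connection. Moving the check into one helper and calling it as `const DATABASE_URL = requireEnv('DATABASE_URL');` (or importing the shared `sql` where a separate pool is not required) would keep the rule in one place, so a later tightening cannot be missed in one copy. Separately, deleting the default from source does not invalidate it: the old connection string is still readable at parent bfdb09fc4b, so the database password should be rotated, which this commit does not show.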


@ -19,8 +19,10 @@ import {
import { syncServer } from '../../sync-instance';
import { loadAllDocs, docIdToPath } from '../doc-persistence';
const DATABASE_URL =
process.env.DATABASE_URL || 'postgres://rspace:REDACTED@rspace-db:5432/rspace';
const DATABASE_URL = process.env.DATABASE_URL;
if (!DATABASE_URL) {
throw new Error('DATABASE_URL environment variable is required');
}
const sql = postgres(DATABASE_URL, { max: 5, idle_timeout: 10 });


@ -7,8 +7,10 @@
import postgres from "postgres";
const DATABASE_URL =
process.env.DATABASE_URL || "postgres://rspace:REDACTED@rspace-db:5432/rspace";
const DATABASE_URL = process.env.DATABASE_URL;
if (!DATABASE_URL) {
throw new Error("DATABASE_URL environment variable is required");
}
/** Global shared connection */
export const sql = postgres(DATABASE_URL, {