Merge pull request #21 from Metbcy/fix/download-secret-fail-fast

fix(security): fail fast when download HMAC secret is missing (closes #7)
2026-06-08 20:25:13 +02:00 · 2026-05-11 02:20:27 +08:00 · 2026-05-11 02:20:27 +08:00 · 0ac2744a8e
commit 0ac2744a8e
parent a84c1cc113 eb4414092e
2 changed files with 14 additions and 4 deletions
--- a/backend/.env.example
+++ b/backend/.env.example
@ -1,5 +1,10 @@
 PORT=3001
 FRONTEND_URL=http://localhost:3000
+
+# HMAC key used to sign /download/:token URLs. Required at startup.
+# Generate with: openssl rand -hex 32
+# Use a dedicated secret distinct from SUPABASE_SECRET_KEY.
+DOWNLOAD_SIGNING_SECRET=replace-with-a-random-32-byte-hex-string
 SUPABASE_URL=https://your-project.supabase.co
 SUPABASE_SECRET_KEY=your-supabase-service-role-key

--- a/backend/src/lib/downloadTokens.ts
+++ b/backend/src/lib/downloadTokens.ts
@ -10,11 +10,16 @@ import crypto from "crypto";
 */

 function getSecret(): string {
-    return (
+    const secret =
        process.env.DOWNLOAD_SIGNING_SECRET ??
-        process.env.SUPABASE_SECRET_KEY ??
-        "dev-secret"
-    );
+        process.env.SUPABASE_SECRET_KEY;
+    if (!secret) {
+        throw new Error(
+            "DOWNLOAD_SIGNING_SECRET (or SUPABASE_SECRET_KEY as a fallback) must be set. " +
+                "Generate a strong random value (e.g. `openssl rand -hex 32`) and set it in the environment.",
+        );
+    }
+    return secret;
 }

 function b64urlEncode(buf: Buffer): string {