apunkt/mike
1
0
Fork 0
mirror of https://github.com/willchen96/mike.git synced 2026-06-08 20:25:13 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions
mike/backend
History
Metbcy eb4414092e fix(security): fail fast when download HMAC secret is missing 
Resolves the issue where getSecret() silently fell back to the literal
string "dev-secret" when neither DOWNLOAD_SIGNING_SECRET nor
SUPABASE_SECRET_KEY was set. Because the codebase is public, that
fallback let anyone forge valid /download/:token signatures against a
mis-configured deployment.

- Throw at first call instead of returning the hardcoded string, with a
  message pointing the operator at `openssl rand -hex 32`.
- Document DOWNLOAD_SIGNING_SECRET in backend/.env.example so deployers
  following the README know to set it (and that it should be distinct
  from SUPABASE_SECRET_KEY).

Closes #7
2026-05-03 00:12:44 +00:00
..
migrations Add local repo contents 2026-04-29 19:49:06 +02:00
src fix(security): fail fast when download HMAC secret is missing 2026-05-03 00:12:44 +00:00
.env.example fix(security): fail fast when download HMAC secret is missing 2026-05-03 00:12:44 +00:00
.gitignore Add local repo contents 2026-04-29 19:49:06 +02:00
bun.lock Add local repo contents 2026-04-29 19:49:06 +02:00
nixpacks.toml Add local repo contents 2026-04-29 19:49:06 +02:00
package-lock.json Add local repo contents 2026-04-29 19:49:06 +02:00
package.json Add local repo contents 2026-04-29 19:49:06 +02:00
tsconfig.json Add local repo contents 2026-04-29 19:49:06 +02:00