mirror of
https://github.com/willchen96/mike.git
synced 2026-06-10 20:35:12 +02:00
Resolves the issue where getSecret() silently fell back to the literal string "dev-secret" when neither DOWNLOAD_SIGNING_SECRET nor SUPABASE_SECRET_KEY was set. Because the codebase is public, that fallback let anyone forge valid /download/:token signatures against a mis-configured deployment.

- Throw at first call instead of returning the hardcoded string, with a message pointing the operator at `openssl rand -hex 32`.
- Document DOWNLOAD_SIGNING_SECRET in backend/.env.example so deployers following the README know to set it (and that it should be distinct from SUPABASE_SECRET_KEY).

Closes #7
19 lines
675 B
Text
PORT=3001
FRONTEND_URL=http://localhost:3000

# HMAC key used to sign /download/:token URLs. Required at startup.
# Generate with: openssl rand -hex 32
# Use a dedicated secret distinct from SUPABASE_SECRET_KEY.
DOWNLOAD_SIGNING_SECRET=replace-with-a-random-32-byte-hex-string
SUPABASE_URL=https://your-project.supabase.co
SUPABASE_SECRET_KEY=your-supabase-service-role-key

R2_ENDPOINT_URL=https://your-account-id.r2.cloudflarestorage.com
R2_ACCESS_KEY_ID=your-r2-access-key
R2_SECRET_ACCESS_KEY=your-r2-secret-key
R2_BUCKET_NAME=mike

GEMINI_API_KEY=your-gemini-key
ANTHROPIC_API_KEY=your-anthropic-key
OPENROUTER_API_KEY=your-openrouter-key
RESEND_API_KEY=your-resend-key
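Review bot: the placeholder `DOWNLOAD_SIGNING_SECRET=replace-with-a-random-32-byte-hex-string` is a non-empty value, so an operator who copies backend/.env.example to .env without editing it will pass the new "throw if unset" check in getSecret() and run with a public, guessable signing key, which is the same failure this commit is closing. Consider having getSecret() also reject that exact placeholder string (and, since the comment asks for 32 random bytes, anything shorter than 64 hex characters) with the same `openssl rand -hex 32` hint, and consider enforcing at startup the "distinct from SUPABASE_SECRET_KEY" advice the comment gives rather than leaving it to the reader.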