Severity: High
Type: Security hardening
Scope: Auth, Notifications
Labels: security, refactoring, Official Campaign
Description
Two separate code paths accept a default secret when JWT_SECRET is not present in the environment, instead of failing fast:
JwtStrategy (src/auth/jwt.strategy.ts, line ~12): secretOrKey: configService.get<string>('JWT_SECRET', 'default-secret').NotificationsGateway.handleConnection (src/notifications/notifications.gateway.ts, line ~65): this.configService.get<string>('JWT_SECRET', 'orbitchain-default-secret').
Neither module logs a warning at boot when the fallback is used, and the ConfigModule is not validated at application startup (src/main.ts does not call validate on ConfigService). A misconfigured production deployment can therefore boot against a known constant string that an attacker can forge a token for.
Recommendation
- Remove both default-value fallbacks and throw an
Error at module construction if JWT_SECRET is missing or shorter than, e.g., 32 bytes.
- Add a
ConfigValidationSchema (e.g., class-validator) on ConfigModule.forRoot({ validate }) that requires JWT_SECRET, STELLAR_RPC_URL, STELLAR_NETWORK_PASSPHRASE, REDIS_URL, DATABASE_URL.
- Centralise JWT verification options in a single
@Injectable() provider so the gateway and the HTTP strategy cannot drift apart.
Severity: High
Type: Security hardening
Scope: Auth, Notifications
Labels:
security,refactoring,Official CampaignDescription
Two separate code paths accept a default secret when
JWT_SECRETis not present in the environment, instead of failing fast:JwtStrategy(src/auth/jwt.strategy.ts, line ~12):secretOrKey: configService.get<string>('JWT_SECRET', 'default-secret').NotificationsGateway.handleConnection(src/notifications/notifications.gateway.ts, line ~65):this.configService.get<string>('JWT_SECRET', 'orbitchain-default-secret').Neither module logs a warning at boot when the fallback is used, and the
ConfigModuleis not validated at application startup (src/main.tsdoes not callvalidateonConfigService). A misconfigured production deployment can therefore boot against a known constant string that an attacker can forge a token for.Recommendation
Errorat module construction ifJWT_SECRETis missing or shorter than, e.g., 32 bytes.ConfigValidationSchema(e.g.,class-validator) onConfigModule.forRoot({ validate })that requiresJWT_SECRET,STELLAR_RPC_URL,STELLAR_NETWORK_PASSPHRASE,REDIS_URL,DATABASE_URL.@Injectable()provider so the gateway and the HTTP strategy cannot drift apart.