fix(backend): harden runtime config and verification access

zouantchaw
2026-03-19 16:36:28 +01:00
parent 8d0ef309e6
commit 2f25d10368
15 changed files with 262 additions and 14 deletions


@@ -6,10 +6,12 @@ import { errorHandler, notFoundHandler } from './middleware/error-handler.js';
import { healthRouter } from './routes/health.js';
import { createCommandsRouter } from './routes/commands.js';
import { createMobileCommandsRouter } from './routes/mobile.js';
import { assertSafeRuntimeConfig } from './lib/runtime-safety.js';
const logger = pino({ level: process.env.LOG_LEVEL || 'info' });
export function createApp(options = {}) {
assertSafeRuntimeConfig();
const app = express();
app.use(requestContext);
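Review bot: The new `assertSafeRuntimeConfig()` call at the top of `createApp` has no comment saying that it throws, so a reader of this file cannot tell that app construction can now abort in staging and production. A one-line comment such as `// Fail fast: throws when a protected environment has unsafe runtime settings (see ./lib/runtime-safety.js).` would document that. The guard reads only `process.env`; whether `options` can override the same settings is not visible in this hunk, and the body of `createApp` continues past it.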


@@ -0,0 +1,44 @@
function runtimeEnvName() {
return `${process.env.APP_ENV || process.env.NODE_ENV || ''}`.trim().toLowerCase();
}
function isProtectedEnv() {
return ['staging', 'prod', 'production'].includes(runtimeEnvName());
}
export function assertSafeRuntimeConfig() {
if (!isProtectedEnv()) {
return;
}
const errors = [];
if (process.env.AUTH_BYPASS === 'true') {
errors.push('AUTH_BYPASS must be disabled');
}
if (`${process.env.IDEMPOTENCY_STORE || ''}`.trim().toLowerCase() === 'memory') {
errors.push('IDEMPOTENCY_STORE must not be memory');
}
if (errors.length > 0) {
throw new Error(`Unsafe command-api runtime config for ${runtimeEnvName()}: ${errors.join('; ')}`);
}
}
export function assertSafeWorkerRuntimeConfig() {
if (!isProtectedEnv()) {
return;
}
const errors = [];
const deliveryMode = `${process.env.PUSH_DELIVERY_MODE || 'live'}`.trim().toLowerCase();
if (deliveryMode !== 'live') {
errors.push('PUSH_DELIVERY_MODE must be live');
}
if (errors.length > 0) {
throw new Error(`Unsafe notification-worker runtime config for ${runtimeEnvName()}: ${errors.join('; ')}`);
}
}
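Review bot: `isProtectedEnv()` fails open: the assertions run only when `APP_ENV`/`NODE_ENV` normalises to exactly `staging`, `prod` or `production`, so a deployment where the variable is unset or spelled differently skips every check and can still start with `AUTH_BYPASS=true`. Consider inverting the test so that only explicitly listed non-production names are exempt, e.g. `return !NON_PROTECTED_ENVS.includes(runtimeEnvName());`, where `NON_PROTECTED_ENVS` is a placeholder for the local and test names this project actually uses. The `AUTH_BYPASS === 'true'` comparison is also stricter than the trimmed, lower-cased `IDEMPOTENCY_STORE` check beside it; if the auth middleware (not shown here) accepts other spellings such as `TRUE` or `1`, the guard would miss them, so normalising the value the same way is safer. An unset `IDEMPOTENCY_STORE` passes as well, which is only correct if the store's default is not in-memory.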


@@ -1,10 +1,12 @@
import express from 'express';
import pino from 'pino';
import pinoHttp from 'pino-http';
import { assertSafeWorkerRuntimeConfig } from './lib/runtime-safety.js';
const logger = pino({ level: process.env.LOG_LEVEL || 'info' });
export function createWorkerApp({ dispatch = async () => ({}) } = {}) {
assertSafeWorkerRuntimeConfig();
const app = express();
app.use(