Krow/Krow-workspace
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(backend): harden runtime config and verification access

Browse Source
This commit is contained in:
zouantchaw
2026-03-19 16:36:28 +01:00
parent 8d0ef309e6
commit 2f25d10368
15 changed files with 262 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

44
backend/command-api/src/lib/runtime-safety.js Normal file
View File

@@ -0,0 +1,44 @@
function runtimeEnvName() {
return `${process.env.APP_ENV || process.env.NODE_ENV || ''}`.trim().toLowerCase();
}
function isProtectedEnv() {
return ['staging', 'prod', 'production'].includes(runtimeEnvName());
}
export function assertSafeRuntimeConfig() {
if (!isProtectedEnv()) {
return;
}
const errors = [];
if (process.env.AUTH_BYPASS === 'true') {
errors.push('AUTH_BYPASS must be disabled');
}
if (`${process.env.IDEMPOTENCY_STORE || ''}`.trim().toLowerCase() === 'memory') {
errors.push('IDEMPOTENCY_STORE must not be memory');
}
if (errors.length > 0) {
throw new Error(`Unsafe command-api runtime config for ${runtimeEnvName()}: ${errors.join('; ')}`);
}
}
export function assertSafeWorkerRuntimeConfig() {
if (!isProtectedEnv()) {
return;
}
const errors = [];
const deliveryMode = `${process.env.PUSH_DELIVERY_MODE || 'live'}`.trim().toLowerCase();
if (deliveryMode !== 'live') {
errors.push('PUSH_DELIVERY_MODE must be live');
}
if (errors.length > 0) {
throw new Error(`Unsafe notification-worker runtime config for ${runtimeEnvName()}: ${errors.join('; ')}`);
}
}