Krow/Krow-workspace
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(backend): harden runtime config and verification access

Browse Source
This commit is contained in:
zouantchaw
2026-03-19 16:36:28 +01:00
parent 8d0ef309e6
commit 2f25d10368
15 changed files with 262 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
backend/query-api/src/app.js
View File

@@ -6,10 +6,12 @@ import { errorHandler, notFoundHandler } from './middleware/error-handler.js';
import { healthRouter } from './routes/health.js';
import { createQueryRouter } from './routes/query.js';
import { createMobileQueryRouter } from './routes/mobile.js';
import { assertSafeRuntimeConfig } from './lib/runtime-safety.js';
const logger = pino({ level: process.env.LOG_LEVEL || 'info' });
export function createApp(options = {}) {
assertSafeRuntimeConfig();
const app = express();
app.use(requestContext);

17
backend/query-api/src/lib/runtime-safety.js Normal file
View File

@@ -0,0 +1,17 @@
function runtimeEnvName() {
return `${process.env.APP_ENV || process.env.NODE_ENV || ''}`.trim().toLowerCase();
}
function isProtectedEnv() {
return ['staging', 'prod', 'production'].includes(runtimeEnvName());
}
export function assertSafeRuntimeConfig() {
if (!isProtectedEnv()) {
return;
}
if (process.env.AUTH_BYPASS === 'true') {
throw new Error(`Unsafe query-api runtime config for ${runtimeEnvName()}: AUTH_BYPASS must be disabled`);
}
}

10
backend/query-api/test/app.test.js
View File

@@ -37,6 +37,16 @@ test('GET /readyz reports database not configured when no database env is presen
assert.equal(res.body.status, 'DATABASE_NOT_CONFIGURED');
});
test('createApp fails fast in protected env when auth bypass is enabled', async () => {
process.env.APP_ENV = 'staging';
process.env.AUTH_BYPASS = 'true';
assert.throws(() => createApp(), /AUTH_BYPASS must be disabled/);
delete process.env.APP_ENV;
process.env.AUTH_BYPASS = 'true';
});
test('GET unknown route returns not found envelope', async () => {
const app = createApp();
const res = await request(app).get('/query/unknown');