fix(backend): harden runtime config and verification access

This commit is contained in:
zouantchaw
2026-03-19 16:36:28 +01:00
parent 8d0ef309e6
commit 2f25d10368
15 changed files with 262 additions and 14 deletions


@@ -6,10 +6,12 @@ import { errorHandler, notFoundHandler } from './middleware/error-handler.js';
import { healthRouter } from './routes/health.js';
import { createAuthRouter } from './routes/auth.js';
import { createProxyRouter } from './routes/proxy.js';
import { assertSafeRuntimeConfig } from './lib/runtime-safety.js';
const logger = pino({ level: process.env.LOG_LEVEL || 'info' });
export function createApp(options = {}) {
assertSafeRuntimeConfig();
const app = express();
app.use(requestContext);


@@ -0,0 +1,35 @@
function runtimeEnvName() {
return `${process.env.APP_ENV || process.env.NODE_ENV || ''}`.trim().toLowerCase();
}
function isProtectedEnv() {
return ['staging', 'prod', 'production'].includes(runtimeEnvName());
}
export function assertSafeRuntimeConfig() {
if (!isProtectedEnv()) {
return;
}
const errors = [];
if (process.env.AUTH_BYPASS === 'true') {
errors.push('AUTH_BYPASS must be disabled');
}
if (!process.env.CORE_API_BASE_URL) {
errors.push('CORE_API_BASE_URL is required');
}
if (!process.env.COMMAND_API_BASE_URL) {
errors.push('COMMAND_API_BASE_URL is required');
}
if (!process.env.QUERY_API_BASE_URL) {
errors.push('QUERY_API_BASE_URL is required');
}
if (errors.length > 0) {
throw new Error(`Unsafe unified-api runtime config for ${runtimeEnvName()}: ${errors.join('; ')}`);
}
}
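Review bot: The guard is skipped entirely when neither APP_ENV nor NODE_ENV is set, because `isProtectedEnv()` returns false for the empty name and the early exit `if (!isProtectedEnv()) { return; }` fires, so a staging or production deployment that forgets the env variable runs with AUTH_BYPASS honoured and no error raised. If the intent is fail-closed, treat an empty name as protected as well, e.g. `const env = runtimeEnvName(); if (env !== '' && !isProtectedEnv()) { return; }`, or at minimum log which environment name the check resolved to. The `process.env.AUTH_BYPASS === 'true'` comparison only matches that exact string; whether values such as `TRUE` or `1` also enable the bypass depends on the auth middleware, which is not in this hunk, so this check should reuse the same predicate the middleware uses so the two cannot disagree. `assertSafeRuntimeConfig` is exported and would benefit from a short JSDoc stating that it throws with the combined error list in staging/prod/production and is a no-op in every other environment.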


@@ -29,6 +29,19 @@ test('GET /readyz reports database not configured when env is absent', async ()
assert.equal(res.body.status, 'DATABASE_NOT_CONFIGURED');
});
test('createApp fails fast in protected env when upstream config is unsafe', async () => {
process.env.APP_ENV = 'staging';
process.env.AUTH_BYPASS = 'true';
delete process.env.CORE_API_BASE_URL;
delete process.env.COMMAND_API_BASE_URL;
delete process.env.QUERY_API_BASE_URL;
assert.throws(() => createApp(), /AUTH_BYPASS must be disabled/);
delete process.env.APP_ENV;
process.env.AUTH_BYPASS = 'true';
});
test('POST /auth/client/sign-in validates payload', async () => {
const app = createApp();
const res = await request(app).post('/auth/client/sign-in').send({