Skip to content

πŸ›‘οΈ Sentinel: [CRITICAL/HIGH] Fix hardcoded JWT secret and restrict CORS #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
davidraehles wants to merge 3 commits into from
Closed

πŸ›‘οΈ Sentinel: [CRITICAL/HIGH] Fix hardcoded JWT secret and restrict CORS #1

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
8140ed2
πŸ›‘οΈ Sentinel: Fix hardcoded JWT secret and harden CORS configuration
google-labs-jules[bot] Feb 18, 2026
a52b2f0
fix: address review feedback - stricter env validation for JWT_SECRET…
OpenCode Feb 18, 2026
3ac7b46
πŸ›‘οΈ Sentinel: Harden JWT_SECRET and ALLOWED_ORIGINS checks
google-labs-jules[bot] Feb 18, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions .jules/sentinel.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,6 @@
# Sentinel's Journal - Secure Notes Web App

## 2025-05-15 - [Critical] Hardcoded JWT Secret and Open CORS
**Vulnerability:** The application had a hardcoded fallback for `JWT_SECRET` in `backend/src/middleware/auth.ts`, which would be used if the environment variable was missing. Additionally, CORS was configured to allow all origins in `backend/src/server.ts`.
**Learning:** Hardcoded secrets in code are a major risk as they often end up in version control and can be easily discovered by attackers. Overly permissive CORS allows any website to make requests to the API, increasing the risk of CSRF and other cross-origin attacks.
**Prevention:** Always require secrets to be provided via environment variables, especially in production. Fail fast if they are missing. Use restrictive CORS configurations that only allow trusted origins.
8 changes: 7 additions & 1 deletion backend/src/middleware/auth.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,13 @@ export interface AuthRequest extends Request {
userId?: string;
}

const JWT_SECRET = process.env.JWT_SECRET || 'your-secret-key-change-in-production';
// πŸ›‘οΈ Sentinel: Ensure JWT_SECRET is set in environment, especially in production
// Treat undefined NODE_ENV as production for safety
if (!process.env.JWT_SECRET && (!process.env.NODE_ENV || process.env.NODE_ENV === 'production')) {
throw new Error('JWT_SECRET environment variable is required in production');
}

const JWT_SECRET = process.env.JWT_SECRET || 'dev-secret-key-fallback';

export function authenticateToken(
req: AuthRequest,
Expand Down
14 changes: 13 additions & 1 deletion backend/src/server.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,19 @@ const app = express();
const PORT = process.env.PORT || 3000;

// Middleware
app.use(cors());
// πŸ›‘οΈ Sentinel: Ensure ALLOWED_ORIGINS is set in production
if (!process.env.ALLOWED_ORIGINS && (!process.env.NODE_ENV || process.env.NODE_ENV === 'production')) {
throw new Error('ALLOWED_ORIGINS environment variable is required in production');
}

// πŸ›‘οΈ Sentinel: Restrict CORS to specific origins for better security
app.use(cors({
origin: process.env.ALLOWED_ORIGINS
? process.env.ALLOWED_ORIGINS.split(',').map(s => s.trim())
: ['http://localhost:5173', 'http://localhost:3000'],
methods: ['GET', 'POST', 'PUT', 'DELETE'],
allowedHeaders: ['Content-Type', 'Authorization']
}));
Comment on lines +21 to +27
Copy link

Copilot AI Feb 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The CORS configuration falls back to localhost origins when ALLOWED_ORIGINS is not set. While this is acceptable for development, consider adding a production safety check similar to the JWT_SECRET validation. In production, allowing localhost origins could be a security issue. Consider adding validation before the CORS middleware to ensure ALLOWED_ORIGINS is set in production environments.

Copilot uses AI. Check for mistakes.
Copy link
Copy Markdown
Collaborator Author

@davidraehles davidraehles Feb 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed. Added a matching ALLOWED_ORIGINS production check before the CORS middleware β€” uses the same stricter pattern (throws when NODE_ENV is undefined or 'production').

Copy link
Copy Markdown
Contributor

@google-labs-jules google-labs-jules bot Feb 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Fixed. Added a matching ALLOWED_ORIGINS production check before the CORS middleware β€” uses the same stricter pattern (throws when NODE_ENV is undefined or 'production').

app.use(express.json());

// Routes
Expand Down