fix: fail closed when SUPABASE_JWT_SECRET is missing (#420)

[ionfwsrijan]

Summary

requireSupabaseAuth middleware only enforced token presence when SUPABASE_JWT_SECRET was unset — any bearer token-shaped header passed through without cryptographic verification. In production, a missing or mistyped secret silently became an ingest-capable open gate for arbitrary requesters.

Made the middleware return HTTP 500 when the secret is not configured, and added a startup validation that throws in production so the server cannot start in an insecure state.

Related issue

Closes #420

Testing

• I ran the relevant checks locally
• I verified the app still starts
• I tested the affected flow end-to-end

Checklist:

• My code follows the style guidelines of this project
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas

Screenshots / recordings

N/A

Notes

• Middleware: secret check moved to the top — returns 500 immediately if SUPABASE_JWT_SECRET is not set, before any token check
• Startup: production throws a hard error; development logs a warning that requests will be rejected
• Token verification (jwt.verify) now always runs since the secret is guaranteed present past the gate

Security

• No sensitive data included

Summary by CodeRabbit

• Chores

  • Removed duplicate export in validation schemas
  • Expanded test user database
  • Updated server startup initialization behavior

• Tests

  • Enhanced authentication testing with realistic JWT token handling

[vercel]

@ionfwsrijan is attempting to deploy a commit to the firefistisdead's projects Team on Vercel.

A member of the Team first needs to authorize it.

[coderabbitai]

Warning

Review limit reached

@ionfwsrijan, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 35 minutes and 47 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: cb3653af-c14d-4e43-9626-becc15e65dbc

📥 Commits

Reviewing files that changed from the base of the PR and between a218218 and 51fadaf.

📒 Files selected for processing (2)

• rag-service/test_concurrent_uploads.py
• rag-service/test_main.py

📝 Walkthrough

Walkthrough

Server initialization now triggers uploads cleanup when the backend starts. Express 404 handler middleware signature changes from three to two arguments. Authentication tests are updated to use real Supabase-style JWTs signed with the secret, test user data expands, and a duplicate schema export is removed.

Changes

Server and schema maintenance

Layer / File(s)	Summary
Server startup with uploads cleanup initialization server.js, server.test.js	app.listen callback now calls startUploadsCleanup() after logging startup. Test credential cache setup wires only cache helper functions without assigning the internal _credCache object.
Express 404 not-found handler middleware server.js	Catch-all app.use middleware signature changes from (req, res, next) to (req, res) form, affecting Express middleware chaining for the 404 handler.
Authentication testing with real Supabase JWT server.test.js, src/data/users.json	Two /process-from-url route tests replace hardcoded bearer tokens with JWTs signed using process.env.SUPABASE_JWT_SECRET. Test user data file adds multiple email/password pairs.
Schema export deduplication validators/schemas.js	Duplicate sessionsLookupSchema export key removed from module.exports.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Possibly related PRs

• FireFistisDead/pdf-qa-bot#276: Uploads deletion and safety-net cleanup behavior directly connected to the new startUploadsCleanup() call during server startup.
• FireFistisDead/pdf-qa-bot#384: JWT secret enforcement in requireSupabaseAuth middleware directly aligns with the test updates to use real Supabase-signed tokens.

Suggested labels

level:intermediate, quality:clean

Suggested reviewers

• FireFistisDead

Poem

🐰 The server wakes to cleanup's call,
Express picks 404 with care,
JWTs now real and true for all,
Schemas deduplicate with flair!
A rabbit's work, both quick and clean. 🐇

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: implementing fail-closed behavior when SUPABASE_JWT_SECRET is missing, addressing issue #420.
Description check	✅ Passed	The description covers all required sections: summary explaining the security issue, related issue link, testing checklist, code review checklist, and security confirmation.
Linked Issues check	✅ Passed	Code changes directly address issue #420 objectives: middleware returns HTTP 500 when secret missing, startup validation prevents insecure server start, and cryptographic verification always runs when secret is present.
Out of Scope Changes check	✅ Passed	All changes are scoped to fixing the fail-open authentication issue: middleware hardening, startup validation, test updates for valid JWTs, schema cleanup, and user data expansion are all necessary for the security fix.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[ionfwsrijan]

@FireFistisDead You may review and merge this