security: move JWT secret to environment variable

mmcintosh · mmcintosh · commit 66710fe29161 · 2026-02-20T13:11:08.000-05:00
- Add optional secret parameter to generateToken/verifyToken
- Falls back to hardcoded constant for local dev without wrangler secret
- Add JWT_SECRET to Bindings interface
- Update all generateToken callsites to pass c.env.JWT_SECRET
- Update requireAuth and optionalAuth middleware to pass env secret
- Update magic-link-auth and otp-login plugins

Production: set via `wrangler secret put JWT_SECRET`

Fixes VULN-001
diff --git a/packages/core/src/app.ts b/packages/core/src/app.ts
@@ -53,6 +53,7 @@ export interface Bindings {
   IMAGES_ACCOUNT_ID?: string
   IMAGES_API_TOKEN?: string
   ENVIRONMENT?: string
+  JWT_SECRET?: string
   BUCKET_NAME?: string
   GOOGLE_MAPS_API_KEY?: string
 }
diff --git a/packages/core/src/middleware/auth.ts b/packages/core/src/middleware/auth.ts
@@ -10,25 +10,25 @@ type JWTPayload = {
   iat: number
 }
 
-// JWT secret - in production this should come from environment variables
-const JWT_SECRET = 'your-super-secret-jwt-key-change-in-production'
+// Fallback JWT secret for local development only (no wrangler secret set)
+const JWT_SECRET_FALLBACK = 'your-super-secret-jwt-key-change-in-production'
 
 export class AuthManager {
-  static async generateToken(userId: string, email: string, role: string): Promise<string> {
+  static async generateToken(userId: string, email: string, role: string, secret?: string): Promise<string> {
     const payload: JWTPayload = {
       userId,
       email,
       role,
       exp: Math.floor(Date.now() / 1000) + (60 * 60 * 24), // 24 hours
       iat: Math.floor(Date.now() / 1000)
     }
-    
-    return await sign(payload, JWT_SECRET, 'HS256')
+
+    return await sign(payload, secret || JWT_SECRET_FALLBACK, 'HS256')
   }
 
-  static async verifyToken(token: string): Promise<JWTPayload | null> {
+  static async verifyToken(token: string, secret?: string): Promise<JWTPayload | null> {
     try {
-      const payload = await verify(token, JWT_SECRET, 'HS256') as JWTPayload
+      const payload = await verify(token, secret || JWT_SECRET_FALLBACK, 'HS256') as JWTPayload
       
       // Check if token is expired
       if (payload.exp < Math.floor(Date.now() / 1000)) {
@@ -112,7 +112,8 @@ export const requireAuth = () => {
 
       // If not cached, verify token
       if (!payload) {
-        payload = await AuthManager.verifyToken(token)
+        const jwtSecret = (c.env as any)?.JWT_SECRET
+        payload = await AuthManager.verifyToken(token, jwtSecret)
 
         // Cache the verified payload for 5 minutes
         if (payload && kv) {
@@ -186,7 +187,8 @@ export const optionalAuth = () => {
       }
       
       if (token) {
-        const payload = await AuthManager.verifyToken(token)
+        const jwtSecret = (c.env as any)?.JWT_SECRET
+        const payload = await AuthManager.verifyToken(token, jwtSecret)
         if (payload) {
           c.set('user', payload)
         }
diff --git a/packages/core/src/plugins/available/magic-link-auth/index.ts b/packages/core/src/plugins/available/magic-link-auth/index.ts
@@ -204,7 +204,8 @@ export function createMagicLinkAuthPlugin(): Plugin {
       const jwtToken = await AuthManager.generateToken(
         user.id,
         user.email,
-        user.role
+        user.role,
+        (c.env as any).JWT_SECRET
       )
 
       // Set auth cookie
diff --git a/packages/core/src/plugins/core-plugins/otp-login-plugin/index.ts b/packages/core/src/plugins/core-plugins/otp-login-plugin/index.ts
@@ -282,7 +282,7 @@ export function createOTPLoginPlugin(): Plugin {
       }
 
       // Generate JWT token
-      const token = await AuthManager.generateToken(user.id, user.email, user.role)
+      const token = await AuthManager.generateToken(user.id, user.email, user.role, (c.env as any).JWT_SECRET)
 
       // Set HTTP-only cookie
       setCookie(c, 'auth_token', token, {
diff --git a/packages/core/src/routes/auth.ts b/packages/core/src/routes/auth.ts
@@ -150,7 +150,7 @@ authRoutes.post('/register',
       ).run()
       
       // Generate JWT token
-      const token = await AuthManager.generateToken(userId, normalizedEmail, 'viewer')
+      const token = await AuthManager.generateToken(userId, normalizedEmail, 'viewer', c.env.JWT_SECRET)
       
       // Set HTTP-only cookie
       setCookie(c, 'auth_token', token, {
@@ -226,7 +226,7 @@ authRoutes.post('/login', async (c) => {
       }
       
       // Generate JWT token
-      const token = await AuthManager.generateToken(user.id, user.email, user.role)
+      const token = await AuthManager.generateToken(user.id, user.email, user.role, c.env.JWT_SECRET)
       
       // Set HTTP-only cookie
       setCookie(c, 'auth_token', token, {
@@ -323,7 +323,7 @@ authRoutes.post('/refresh', requireAuth(), async (c) => {
     }
     
     // Generate new token
-    const token = await AuthManager.generateToken(user.userId, user.email, user.role)
+    const token = await AuthManager.generateToken(user.userId, user.email, user.role, c.env.JWT_SECRET)
     
     // Set new cookie
     setCookie(c, 'auth_token', token, {
@@ -436,7 +436,7 @@ authRoutes.post('/register/form', async (c) => {
     ).run()
 
     // Generate JWT token
-    const token = await AuthManager.generateToken(userId, normalizedEmail, role)
+    const token = await AuthManager.generateToken(userId, normalizedEmail, role, c.env.JWT_SECRET)
 
     // Set HTTP-only cookie
     setCookie(c, 'auth_token', token, {
@@ -516,7 +516,7 @@ authRoutes.post('/login/form', async (c) => {
     }
     
     // Generate JWT token
-    const token = await AuthManager.generateToken(user.id, user.email, user.role)
+    const token = await AuthManager.generateToken(user.id, user.email, user.role, c.env.JWT_SECRET)
     
     // Set HTTP-only cookie
     setCookie(c, 'auth_token', token, {
@@ -884,7 +884,7 @@ authRoutes.post('/accept-invitation', async (c) => {
     ).run()
 
     // Generate JWT token for auto-login
-    const authToken = await AuthManager.generateToken(invitedUser.id, invitedUser.email, invitedUser.role)
+    const authToken = await AuthManager.generateToken(invitedUser.id, invitedUser.email, invitedUser.role, c.env.JWT_SECRET)
     
     // Set HTTP-only cookie
     setCookie(c, 'auth_token', authToken, {

Original file line number	Diff line number	Diff line change
`@@ -53,6 +53,7 @@ export interface Bindings {`
`53`	`53`	`IMAGES_ACCOUNT_ID?: string`
`54`	`54`	`IMAGES_API_TOKEN?: string`
`55`	`55`	`ENVIRONMENT?: string`
	`56`	`+ JWT_SECRET?: string`
`56`	`57`	`BUCKET_NAME?: string`
`57`	`58`	`GOOGLE_MAPS_API_KEY?: string`
`58`	`59`	`}`
Original file line number	Diff line number	Diff line change
`@@ -204,7 +204,8 @@ export function createMagicLinkAuthPlugin(): Plugin {`
`204`	`204`	`const jwtToken = await AuthManager.generateToken(`
`205`	`205`	`user.id,`
`206`	`206`	`user.email,`
`207`		`- user.role`
	`207`	`+ user.role,`
	`208`	`+ (c.env as any).JWT_SECRET`
`208`	`209`	`)`
`209`	`210`
`210`	`211`	`// Set auth cookie`
Original file line number	Diff line number	Diff line change
`@@ -282,7 +282,7 @@ export function createOTPLoginPlugin(): Plugin {`
`282`	`282`	`}`
`283`	`283`
`284`	`284`	`// Generate JWT token`
`285`		`- const token = await AuthManager.generateToken(user.id, user.email, user.role)`
	`285`	`+ const token = await AuthManager.generateToken(user.id, user.email, user.role, (c.env as any).JWT_SECRET)`
`286`	`286`
`287`	`287`	`// Set HTTP-only cookie`
`288`	`288`	`setCookie(c, 'auth_token', token, {`