e89cd0ce84
The env-validation module previously only checked that JWT_SECRET and JWT_REFRESH_SECRET were _present_ — it accepted any value, including known placeholders like "CHANGE_ME". This meant a developer could copy .env.example verbatim and run the app with predictable, forgeable tokens. Changes: - Add FORBIDDEN_SECRET_VALUES blocklist (case-insensitive) with 23 common placeholder strings (CHANGE_ME, secret, password, test, etc.) - Enforce minimum 32-character length for JWT secrets (NIST HMAC guidance) - Export validateJwtSecret() for direct testing and reuse - Update .env.example: replace "CHANGE_ME" with generation instructions - Add 14 unit tests covering placeholder rejection, length enforcement, missing-var errors, and production-mode validation Co-Authored-By: Paperclip <noreply@paperclip.ing>
5.2 KiB
5.2 KiB