Description
Avoid hardcoded fallback secret in authentication configuration.
Using 'secret' as a fallback for BETTER_AUTH_SECRET is a security risk. If the environment variable is not set in production, sessions could be forged. Consider throwing an error if the secret is missing in production, or at minimum use a longer random default that makes the misconfiguration obvious.
🔎 Proposed fix
export const auth = betterAuth({
baseURL: process.env.BETTER_AUTH_URL || 'http://localhost:3000',
- secret: process.env.BETTER_AUTH_SECRET || 'secret',
+ secret: process.env.BETTER_AUTH_SECRET || (() => {
+ if (process.env.NODE_ENV === 'production') {
+ throw new Error('BETTER_AUTH_SECRET must be set in production')
+ }
+ return 'development-only-secret-do-not-use-in-production'
+ })(),
📝 Committable suggestion
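Review bot: the throw fires only when NODE_ENV is exactly 'production', so a process with NODE_ENV unset, or set to 'staging' or 'preview', still receives the hardcoded string 'development-only-secret-do-not-use-in-production', which lives in source control and is therefore just as forgeable as 'secret'; the description asks for a random default, but this fallback is a fixed literal. Consider inverting the condition (throw unless NODE_ENV is 'development' or 'test') and, on the dev branch, returning a per-process random value such as `crypto.randomBytes(32).toString('hex')` instead of a string literal. Also, `||` correctly treats an empty BETTER_AUTH_SECRET as unset, but a whitespace-only value passes through unchanged; trimming before the check would catch that.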
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
```ts
import { betterAuth } from 'better-auth'

export const auth = betterAuth({
  baseURL: process.env.BETTER_AUTH_URL || 'http://localhost:3000',
  secret: process.env.BETTER_AUTH_SECRET || (() => {
    if (process.env.NODE_ENV === 'production') {
      throw new Error('BETTER_AUTH_SECRET must be set in production')
    }
    return 'development-only-secret-do-not-use-in-production'
  })(),
  // remaining betterAuth options from src/lib/auth.ts unchanged
})
```
🤖 Prompt for AI Agents
In src/lib/auth.ts around lines 9 to 10, the configuration currently falls back
to the hardcoded secret 'secret' which is insecure; change this so that in
production (NODE_ENV === 'production') the app throws an explicit error if
BETTER_AUTH_SECRET is not set, and otherwise for non-production use a clearly
identifiable strong random default or warn loudly — ensure the secret value is
read from process.env.BETTER_AUTH_SECRET and that there is no silent fallback to
'secret', raising a startup exception in production when missing.
Originally posted by @coderabbitai[bot] in #1 (comment)
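The point of the issue above is that any fallback secret an attacker can read or guess lets them mint sessions the server will accept. The following TypeScript is an added example, not code from this project or from better-auth: `loadAuthSecret` is a fail-closed loader that goes beyond the suggested fix (it treats anything other than an explicit development/test NODE_ENV as production, rejects known placeholder values and short secrets, and uses a per-process random secret in development), and `signToken`/`verifyToken`/`forgeryAccepted` are an illustrative HMAC-SHA256 signed token, not better-auth's cookie format, used only to show the forgery. The minimum length of 32 and the placeholder list are assumptions of this example, not better-auth's documented requirements.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from 'node:crypto'

// Assumed policy for this example; better-auth's own length requirement is not asserted here.
const MIN_SECRET_LENGTH = 32
const KNOWN_PLACEHOLDERS = new Set([
  'secret',
  'changeme',
  'development-only-secret-do-not-use-in-production',
])

type SecretSource = 'env' | 'dev-random'

// Fail closed: a process without a real secret must not start unless it is explicitly a
// local development/test run, and a placeholder that could be copied out of the
// repository is rejected everywhere.
function loadAuthSecret(env: Record<string, string | undefined>): { secret: string; source: SecretSource } {
  const value = env.BETTER_AUTH_SECRET?.trim()
  if (value) {
    if (KNOWN_PLACEHOLDERS.has(value)) {
      throw new Error('BETTER_AUTH_SECRET is a known placeholder value')
    }
    if (value.length < MIN_SECRET_LENGTH) {
      throw new Error(`BETTER_AUTH_SECRET must be at least ${MIN_SECRET_LENGTH} characters`)
    }
    return { secret: value, source: 'env' }
  }
  // An unset or unusual NODE_ENV cannot silently downgrade to the dev path.
  const isLocal = env.NODE_ENV === 'development' || env.NODE_ENV === 'test'
  if (!isLocal) {
    throw new Error('BETTER_AUTH_SECRET must be set outside development/test')
  }
  // Dev only: a per-process random secret. Sessions die on restart, which is the point:
  // there is no fixed value an attacker can learn from source control.
  console.warn('BETTER_AUTH_SECRET not set; using a random per-process development secret')
  return { secret: randomBytes(MIN_SECRET_LENGTH).toString('base64url'), source: 'dev-random' }
}

// Illustrative HMAC-SHA256 signed token (payload.mac, both base64url). Not better-auth's
// format; it only shows that whoever knows the signing secret can mint accepted tokens.
function signToken(payload: string, secret: string): string {
  const mac = createHmac('sha256', secret).update(payload).digest('base64url')
  return `${Buffer.from(payload, 'utf8').toString('base64url')}.${mac}`
}

function verifyToken(token: string, secret: string): string | null {
  const [encoded, mac] = token.split('.')
  if (!encoded || !mac) return null
  const payload = Buffer.from(encoded, 'base64url').toString('utf8')
  const expected = createHmac('sha256', secret).update(payload).digest('base64url')
  const a = Buffer.from(mac, 'utf8')
  const b = Buffer.from(expected, 'utf8')
  // Constant-time comparison; a length mismatch is rejected before comparing.
  if (a.length !== b.length || !timingSafeEqual(a, b)) return null
  return payload
}

// Does a token the attacker signs with a guessed secret pass the server's verification?
function forgeryAccepted(serverSecret: string, attackerGuess: string): boolean {
  const forged = signToken('{"userId":"1","role":"admin"}', attackerGuess)
  return verifyToken(forged, serverSecret) !== null
}
```

With the old fallback, `forgeryAccepted('secret', 'secret')` is true: the attacker's forged admin token verifies. With a secret from `loadAuthSecret`, the same guess fails, and a production process with the variable missing or set to a placeholder refuses to start instead of silently running with a forgeable key.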