fix(netlify-env): stabilize auth/csrf secrets in SSR runtime via readServerEnv#432

Merged
liudmylasovetovs merged 1 commit into develop from sl/feat/db-optimization on Mar 29, 2026
Conversation

LesiaUKR (Collaborator) commented Mar 29, 2026

Problem

develop on Netlify could return 5xx/502 because some server env vars are not always available through process.env at runtime.

Root cause

Approach #8 (readServerEnv + Netlify fallback) was applied only partially:

  • AUTH_SECRET in lib/auth.ts still used direct process.env
  • CSRF_SECRET in lib/security/csrf.ts still used direct process.env

Changes

  • Updated frontend/lib/auth.ts:
    • read AUTH_SECRET via readServerEnv('AUTH_SECRET')
  • Updated frontend/lib/security/csrf.ts:
    • read CSRF_SECRET via readServerEnv('CSRF_SECRET')

Why this is safe

  • Server-only usage; no secret exposure to client bundles.
  • Existing fail-closed checks remain (throw when secret is truly missing).

Verification checklist

  • Open /en on Netlify develop (no 502)
  • Call /api/auth/me (no 5xx)
  • Run a POST flow protected by CSRF (works as expected)

Summary by CodeRabbit

  • Refactor
    • Internal improvements to authentication and security handling.

Switch server secret reads from process.env to readServerEnv() in auth and CSRF modules.
This adds Netlify runtime fallback (Netlify.env.get) and prevents 5xx/502 when process.env is empty.
Fail-closed behavior is preserved if secrets are truly missing.
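An added example, not code from this PR or the project, of the readServerEnv() pattern the description relies on: process.env first, a Netlify.env.get fallback when the global is present, and a fail-closed check that throws when the secret is truly missing. The project's real helper is not shown on this page; every name other than readServerEnv, AUTH_SECRET and CSRF_SECRET, and the 32-character minimum, are assumptions made here.

```typescript
// Added example (not the project's own readServerEnv): a server-only env reader with
// a Netlify runtime fallback and a fail-closed secret check, as the PR describes.
// Names other than readServerEnv/AUTH_SECRET/CSRF_SECRET and the 32-char minimum are assumptions.

type EnvLookup = (name: string) => string | undefined;

export interface EnvSources {
  processEnv: Record<string, string | undefined>; // what process.env yields at runtime
  netlifyGet?: EnvLookup;                          // Netlify.env.get when that global exists
}

// Netlify exposes a `Netlify.env.get(name)` global in its runtime. Resolving it (and
// process.env) through globalThis keeps this file compiling in Node and in tests too.
type RuntimeGlobals = {
  process?: { env: Record<string, string | undefined> };
  Netlify?: { env?: { get?: EnvLookup } };
};

export function runtimeSources(): EnvSources {
  const g = globalThis as RuntimeGlobals;
  return {
    processEnv: g.process?.env ?? {},
    netlifyGet: (name) => g.Netlify?.env?.get?.(name),
  };
}

// Empty strings count as missing: an empty process.env is exactly the failure the PR fixes.
export function readServerEnvFrom(name: string, src: EnvSources): string | undefined {
  const fromProcess = src.processEnv[name];
  if (fromProcess) return fromProcess;
  const fromNetlify = src.netlifyGet?.(name);
  return fromNetlify || undefined;
}

export function readServerEnv(name: string): string | undefined {
  return readServerEnvFrom(name, runtimeSources());
}

// Fail closed, as lib/auth.ts and lib/security/csrf.ts do: a missing secret throws
// instead of silently degrading to a default. The 32-char floor is an added assumption.
export function requireServerSecret(name: string, src: EnvSources = runtimeSources()): string {
  const value = readServerEnvFrom(name, src);
  if (!value || value.length < 32) {
    throw new Error(`${name} is missing or too short in the server runtime`);
  }
  return value;
}
```

Because the fallback never runs in the browser bundle and the check throws rather than returning a placeholder, a misconfigured deployment fails at the first request instead of signing tokens with an undefined key.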
vercel bot (Contributor) commented Mar 29, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
devlovers-net Ignored Ignored Preview Mar 29, 2026 4:21pm


coderabbitai bot (Contributor) commented Mar 29, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: f40e80b1-b5e2-4748-8203-a58bfe68d6dc

📥 Commits

Reviewing files that changed from the base of the PR and between 1ee6d1e and 99abec9.

📒 Files selected for processing (2)
  • frontend/lib/auth.ts
  • frontend/lib/security/csrf.ts

📝 Walkthrough

Walkthrough

Two authentication secret retrieval methods were refactored to use a centralized readServerEnv() helper function instead of directly accessing process.env. The changes affect AUTH_SECRET initialization and CSRF_SECRET retrieval, with all error handling preserved.

Changes

Cohort: Secret Retrieval Refactoring
  • File(s): frontend/lib/auth.ts, frontend/lib/security/csrf.ts
  • Summary: Replaced direct process.env access with the readServerEnv() helper for AUTH_SECRET and CSRF_SECRET retrieval. Error handling and validation logic remain unchanged.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Suggested reviewers

  • ViktorSvertoka
  • AM1007
  • liudmylasovetovs

Poem

🐰 A hop through secrets, old and new,
From process.env to helpers true,
AUTH and CSRF now centralized,
Environment readers standardized! 🔐✨

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

  • Docstring Coverage: ⚠️ Warning. Docstring coverage is 0.00%, which is insufficient; the required threshold is 80.00%. Resolution: write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title 'fix(netlify-env): stabilize auth/csrf secrets in SSR runtime via readServerEnv' directly and specifically describes the main change: updating AUTH_SECRET and CSRF_SECRET retrieval to use readServerEnv for SSR stability.

@liudmylasovetovs liudmylasovetovs merged commit 10d2e45 into develop Mar 29, 2026
8 checks passed
@liudmylasovetovs liudmylasovetovs deleted the sl/feat/db-optimization branch March 29, 2026 15:04
@LesiaUKR LesiaUKR restored the sl/feat/db-optimization branch March 29, 2026 16:20