security: move JWT secret to environment variable

- Add optional secret parameter to generateToken/verifyToken
- Falls back to hardcoded constant for local dev without wrangler secret
- Add JWT_SECRET to Bindings interface
- Update all generateToken callsites to pass c.env.JWT_SECRET
- Update requireAuth and optionalAuth middleware to pass env secret
- Update magic-link-auth and otp-login plugins

Production: set via `wrangler secret put JWT_SECRET`

Fixes VULN-001

Author: mmcintosh

packages/core/src/app.ts

@@ -56,6 +56,7 @@ export interface Bindings {
   IMAGES_ACCOUNT_ID?: string
   IMAGES_API_TOKEN?: string
   ENVIRONMENT?: string
+  JWT_SECRET?: string
   BUCKET_NAME?: string
   GOOGLE_MAPS_API_KEY?: string
   REQUIRE_API_KEY?: string

packages/core/src/middleware/auth.ts

@@ -10,25 +10,25 @@ type JWTPayload = {
   iat: number
 }
 
-// JWT secret - in production this should come from environment variables
-const JWT_SECRET = 'your-super-secret-jwt-key-change-in-production'
+// Fallback JWT secret for local development only (no wrangler secret set)
+const JWT_SECRET_FALLBACK = 'your-super-secret-jwt-key-change-in-production'
 
 export class AuthManager {
-  static async generateToken(userId: string, email: string, role: string): Promise<string> {
+  static async generateToken(userId: string, email: string, role: string, secret?: string): Promise<string> {
     const payload: JWTPayload = {
       userId,
       email,
       role,
       exp: Math.floor(Date.now() / 1000) + (60 * 60 * 24), // 24 hours
       iat: Math.floor(Date.now() / 1000)
     }
-    
-    return await sign(payload, JWT_SECRET, 'HS256')
+
+    return await sign(payload, secret || JWT_SECRET_FALLBACK, 'HS256')
   }
 
-  static async verifyToken(token: string): Promise<JWTPayload | null> {
+  static async verifyToken(token: string, secret?: string): Promise<JWTPayload | null> {
     try {
-      const payload = await verify(token, JWT_SECRET, 'HS256') as JWTPayload
+      const payload = await verify(token, secret || JWT_SECRET_FALLBACK, 'HS256') as JWTPayload
 
       // Check if token is expired
       if (payload.exp < Math.floor(Date.now() / 1000)) {
@@ -198,7 +198,8 @@ export const requireAuth = () => {
 
       // If not cached, verify token
       if (!payload) {
-        payload = await AuthManager.verifyToken(token)
+        const jwtSecret = (c.env as any)?.JWT_SECRET
+        payload = await AuthManager.verifyToken(token, jwtSecret)
 
         // Cache the verified payload for 5 minutes
         if (payload && kv) {
@@ -272,7 +273,8 @@ export const optionalAuth = () => {
       }
 
       if (token) {
-        const payload = await AuthManager.verifyToken(token)
+        const jwtSecret = (c.env as any)?.JWT_SECRET
+        const payload = await AuthManager.verifyToken(token, jwtSecret)
         if (payload) {
           c.set('user', payload)
         }

packages/core/src/plugins/available/magic-link-auth/index.ts

@@ -204,7 +204,8 @@ export function createMagicLinkAuthPlugin(): Plugin {
       const jwtToken = await AuthManager.generateToken(
         user.id,
         user.email,
-        user.role
+        user.role,
+        (c.env as any).JWT_SECRET
       )
 
       // Set auth cookie

packages/core/src/plugins/core-plugins/otp-login-plugin/index.ts

@@ -282,7 +282,7 @@ export function createOTPLoginPlugin(): Plugin {
       }
 
       // Generate JWT token
-      const token = await AuthManager.generateToken(user.id, user.email, user.role)
+      const token = await AuthManager.generateToken(user.id, user.email, user.role, (c.env as any).JWT_SECRET)
 
       // Set HTTP-only cookie
       setCookie(c, 'auth_token', token, {

packages/core/src/routes/auth.ts

@@ -150,7 +150,7 @@ authRoutes.post('/register',
       ).run()
 
       // Generate JWT token
-      const token = await AuthManager.generateToken(userId, normalizedEmail, 'viewer')
+      const token = await AuthManager.generateToken(userId, normalizedEmail, 'viewer', c.env.JWT_SECRET)
 
       // Set HTTP-only cookie
       setCookie(c, 'auth_token', token, {
@@ -238,7 +238,7 @@ authRoutes.post('/login', async (c) => {
       }
 
       // Generate JWT token
-      const token = await AuthManager.generateToken(user.id, user.email, user.role)
+      const token = await AuthManager.generateToken(user.id, user.email, user.role, c.env.JWT_SECRET)
 
       // Set HTTP-only cookie
       setCookie(c, 'auth_token', token, {
@@ -335,7 +335,7 @@ authRoutes.post('/refresh', requireAuth(), async (c) => {
     }
 
     // Generate new token
-    const token = await AuthManager.generateToken(user.userId, user.email, user.role)
+    const token = await AuthManager.generateToken(user.userId, user.email, user.role, c.env.JWT_SECRET)
 
     // Set new cookie
     setCookie(c, 'auth_token', token, {
@@ -448,7 +448,7 @@ authRoutes.post('/register/form', async (c) => {
     ).run()
 
     // Generate JWT token
-    const token = await AuthManager.generateToken(userId, normalizedEmail, role)
+    const token = await AuthManager.generateToken(userId, normalizedEmail, role, c.env.JWT_SECRET)
 
     // Set HTTP-only cookie
     setCookie(c, 'auth_token', token, {
@@ -540,7 +540,7 @@ authRoutes.post('/login/form', async (c) => {
     }
 
     // Generate JWT token
-    const token = await AuthManager.generateToken(user.id, user.email, user.role)
+    const token = await AuthManager.generateToken(user.id, user.email, user.role, c.env.JWT_SECRET)
 
     // Set HTTP-only cookie
     setCookie(c, 'auth_token', token, {
@@ -908,7 +908,7 @@ authRoutes.post('/accept-invitation', async (c) => {
     ).run()
 
     // Generate JWT token for auto-login
-    const authToken = await AuthManager.generateToken(invitedUser.id, invitedUser.email, invitedUser.role)
+    const authToken = await AuthManager.generateToken(invitedUser.id, invitedUser.email, invitedUser.role, c.env.JWT_SECRET)
 
     // Set HTTP-only cookie
     setCookie(c, 'auth_token', authToken, {