Allow weak JWT_SECRET in development, require strong secret in production

Author: davidjosipovic

backend/dist/middleware/auth.js

@@ -6,10 +6,11 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.authMiddleware = void 0;
 const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
 const logger_1 = __importDefault(require("../utils/logger"));
-const JWT_SECRET = process.env.JWT_SECRET;
-if (!JWT_SECRET) {
-    logger_1.default.error('JWT_SECRET is not set in environment variables! Authentication will not work.');
-    throw new Error('JWT_SECRET must be set in environment variables');
+const JWT_SECRET = process.env.JWT_SECRET || 'dev_secret_key_for_local_development';
+// In production, JWT_SECRET must be properly set
+if (process.env.NODE_ENV === 'production' && (!JWT_SECRET || JWT_SECRET === 'dev_secret_key_for_local_development')) {
+    logger_1.default.error('JWT_SECRET is not set in production environment! Authentication will not work.');
+    throw new Error('JWT_SECRET must be set in production environment variables');
 }
 const authMiddleware = (req, res, next) => {
     const authHeader = req.headers.authorization;

backend/dist/resolvers/userResolver.js

@@ -7,10 +7,11 @@ const bcrypt_1 = __importDefault(require("bcrypt"));
 const jsonwebtoken_1 = __importDefault(require("jsonwebtoken"));
 const User_1 = __importDefault(require("../models/User"));
 const logger_1 = __importDefault(require("../utils/logger"));
-const JWT_SECRET = process.env.JWT_SECRET;
-if (!JWT_SECRET) {
-    logger_1.default.error('JWT_SECRET is not set in environment variables!');
-    throw new Error('JWT_SECRET must be set in environment variables');
+const JWT_SECRET = process.env.JWT_SECRET || 'dev_secret_key_for_local_development';
+// In production, JWT_SECRET must be properly set
+if (process.env.NODE_ENV === 'production' && (!JWT_SECRET || JWT_SECRET === 'dev_secret_key_for_local_development')) {
+    logger_1.default.error('JWT_SECRET is not set in production environment!');
+    throw new Error('JWT_SECRET must be set in production environment variables');
 }
 const userResolver = {
     Query: {

backend/src/middleware/auth.ts

@@ -2,11 +2,12 @@ import { Request, Response, NextFunction } from 'express';
 import jwt from 'jsonwebtoken';
 import logger from '../utils/logger';
 
-const JWT_SECRET = process.env.JWT_SECRET;
+const JWT_SECRET = process.env.JWT_SECRET || 'dev_secret_key_for_local_development';
 
-if (!JWT_SECRET) {
-  logger.error('JWT_SECRET is not set in environment variables! Authentication will not work.');
-  throw new Error('JWT_SECRET must be set in environment variables');
+// In production, JWT_SECRET must be properly set
+if (process.env.NODE_ENV === 'production' && (!JWT_SECRET || JWT_SECRET === 'dev_secret_key_for_local_development')) {
+  logger.error('JWT_SECRET is not set in production environment! Authentication will not work.');
+  throw new Error('JWT_SECRET must be set in production environment variables');
 }
 
 export interface AuthRequest extends Request {

backend/src/resolvers/userResolver.ts

@@ -5,11 +5,12 @@ import { IUser } from '../models/User';
 import { AuthRequest } from '../middleware/auth';
 import logger from '../utils/logger';
 
-const JWT_SECRET = process.env.JWT_SECRET;
+const JWT_SECRET = process.env.JWT_SECRET || 'dev_secret_key_for_local_development';
 
-if (!JWT_SECRET) {
-  logger.error('JWT_SECRET is not set in environment variables!');
-  throw new Error('JWT_SECRET must be set in environment variables');
+// In production, JWT_SECRET must be properly set
+if (process.env.NODE_ENV === 'production' && (!JWT_SECRET || JWT_SECRET === 'dev_secret_key_for_local_development')) {
+  logger.error('JWT_SECRET is not set in production environment!');
+  throw new Error('JWT_SECRET must be set in production environment variables');
 }
 
 const userResolver = {