admin/podcastdistributiona
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Security & robustness hardening pass

Browse Source 
Cross-cutting input-validation, isolation, and DoS-resistance fixes across
the app, API, billing, queue, and infra layers.

- Runtime validation (zod) for client-supplied admin actions (role/plan/
  limits), series generation index, and all pg-boss queue payloads
- Auth: require email verification before sign-in; reject weak/placeholder/
  short BETTER_AUTH_SECRET in production
- Billing: sanitize Stripe/PayPal errors (log server-side, generic to client);
  race-safe subscription upsert; only count "processed" webhook events as
  handled; verify org membership in getEffectivePlan to block plan escalation
- Series generation: reserve usage up front and refund on failure; bill the
  owning org, not the caller's active org
- Injection defenses: HTML-escape user fields in emails, strip CR/LF from
  subject/recipient, validate ElevenLabs voiceId before URL interpolation
- Media routes: stream off disk instead of buffering whole files; rate-limit
  anonymous public audio/cover endpoints by client IP
This commit is contained in:
Leon Serfaty
2026-06-20 20:59:03 -04:00
parent cd1d6a1a28
commit 51c541ad22
21 changed files with 489 additions and 152 deletions
Download Patch File Download Diff File Expand all files Collapse all files
lib/auth/auth.ts
+17 -9
View File
@@ -9,10 +9,19 @@ const appUrl = process.env.NEXT_PUBLIC_APP_URL || "http://localhost:3000";
const googleConfigured = !!(process.env.GOOGLE_CLIENT_ID && process.env.GOOGLE_CLIENT_SECRET);
// Fail fast in production if the signing secret is missing — sessions/cookies are
// only secure when BETTER_AUTH_SECRET is set. Stay frictionless in dev/test.
if (!process.env.BETTER_AUTH_SECRET && process.env.NODE_ENV === "production") {
throw new Error("BETTER_AUTH_SECRET must be set in production.");
// Fail fast in production if the signing secret is missing, too short, or a known
// placeholder — sessions/cookies are only secure when BETTER_AUTH_SECRET is a strong,
// non-default value. Stay frictionless in dev/test.
const KNOWN_WEAK_SECRETS = new Set([
"dev-secret-please-change-0123456789abcdef",
]);
const authSecret = process.env.BETTER_AUTH_SECRET;
const secretIsWeak =
!authSecret || authSecret.length < 32 || KNOWN_WEAK_SECRETS.has(authSecret);
if (secretIsWeak && process.env.NODE_ENV === "production") {
throw new Error(
"BETTER_AUTH_SECRET must be set in production to a strong value (>= 32 chars, not a known placeholder)."
);
}
export const auth = betterAuth({
@@ -27,11 +36,10 @@ export const auth = betterAuth({
emailAndPassword: {
enabled: true,
// SECURITY GATE (currently OPEN): unverified emails can sign in. Flip this to
// `true` once email delivery is confirmed working in prod. Left `false` for now
// so existing dev accounts aren't locked out. Verification emails ARE sent on
// signup (see emailVerification.sendOnSignUp below), so users can verify already.
requireEmailVerification: false,
// SECURITY GATE: unverified emails CANNOT sign in. Verification emails are sent
// on signup (see emailVerification.sendOnSignUp below), so users can verify before
// their first login.
requireEmailVerification: true,
minPasswordLength: 8,
async sendResetPassword({ user, url }) {
await sendEmail({