ake/paperclip
1
0
Fork 0
mirror of https://github.com/alkimake/paperclip.git synced 2026-06-14 01:50:39 +09:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #3124 from cleanunicorn/fix/better-auth-jwt-secret

Browse source 
fix: remove hardcoded JWT secret fallback from auth init
This commit is contained in:
Dotta 2026-04-08 11:12:31 -05:00 committed by GitHub
commit 642188f900
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 8 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

1
.env.example
View file

@ -1,3 +1,4 @@
DATABASE_URL=postgres://paperclip:paperclip@localhost:5432/paperclip DATABASE_URL=postgres://paperclip:paperclip@localhost:5432/paperclip
PORT=3100 PORT=3100
SERVE_UI=false SERVE_UI=false
BETTER_AUTH_SECRET=paperclip-dev-secret

8
server/src/auth/better-auth.ts
View file

@ -67,7 +67,13 @@ export function deriveAuthTrustedOrigins(config: Config): string[] {
export function createBetterAuthInstance(db: Db, config: Config, trustedOrigins?: string[]): BetterAuthInstance { export function createBetterAuthInstance(db: Db, config: Config, trustedOrigins?: string[]): BetterAuthInstance {
const baseUrl = config.authBaseUrlMode === "explicit" ? config.authPublicBaseUrl : undefined; const baseUrl = config.authBaseUrlMode === "explicit" ? config.authPublicBaseUrl : undefined;
const secret = process.env.BETTER_AUTH_SECRET ?? process.env.PAPERCLIP_AGENT_JWT_SECRET ?? "paperclip-dev-secret"; const secret = process.env.BETTER_AUTH_SECRET ?? process.env.PAPERCLIP_AGENT_JWT_SECRET;
if (!secret) {
throw new Error(
"BETTER_AUTH_SECRET (or PAPERCLIP_AGENT_JWT_SECRET) must be set. " +
"For local development, set BETTER_AUTH_SECRET=paperclip-dev-secret in your .env file.",
);
}
const effectiveTrustedOrigins = trustedOrigins ?? deriveAuthTrustedOrigins(config); const effectiveTrustedOrigins = trustedOrigins ?? deriveAuthTrustedOrigins(config);
const publicUrl = process.env.PAPERCLIP_PUBLIC_URL ?? baseUrl; const publicUrl = process.env.PAPERCLIP_PUBLIC_URL ?? baseUrl;

7
server/src/index.ts
View file

@ -475,13 +475,6 @@ export async function startServer(): Promise<StartedServer> {
resolveBetterAuthSession, resolveBetterAuthSession,
resolveBetterAuthSessionFromHeaders, resolveBetterAuthSessionFromHeaders,
} = await import("./auth/better-auth.js"); } = await import("./auth/better-auth.js");
const betterAuthSecret =
process.env.BETTER_AUTH_SECRET?.trim() ?? process.env.PAPERCLIP_AGENT_JWT_SECRET?.trim();
if (!betterAuthSecret) {
throw new Error(
"authenticated mode requires BETTER_AUTH_SECRET (or PAPERCLIP_AGENT_JWT_SECRET) to be set",
);
}
const derivedTrustedOrigins = deriveAuthTrustedOrigins(config); const derivedTrustedOrigins = deriveAuthTrustedOrigins(config);
const envTrustedOrigins = (process.env.BETTER_AUTH_TRUSTED_ORIGINS ?? "") const envTrustedOrigins = (process.env.BETTER_AUTH_TRUSTED_ORIGINS ?? "")
.split(",") .split(",")