fix: fallback to weak defaults when JWT secrets not initialized #5990

Closed
haroldfabla2-hue wants to merge 1 commit into FlowiseAI:main from haroldfabla2-hue:fix/jwt-secret-default

Conversation

@haroldfabla2-hue

Description

When running docker-compose without setting JWT env vars, initAuthSecrets() may fail to initialize secrets, causing a 'JwtStrategy requires a secret or key' error on startup.

Fix

This PR adds a fallback to weak default values (the same as WEAK_DEFAULTS) instead of throwing an error, making docker-compose work out of the box.

Changes

  • getJWTAuthTokenSecret(): Returns WEAK_DEFAULTS.JWT_AUTH_TOKEN_SECRET instead of throwing when undefined
  • getJWTRefreshTokenSecret(): Returns WEAK_DEFAULTS.JWT_REFRESH_TOKEN_SECRET instead of throwing when undefined

Fixes

Fixes #4563

Testing

This fix was tested by attempting to run docker compose up -d without JWT env vars set, confirming the server starts successfully.

When running docker-compose without setting JWT env vars, initAuthSecrets()
may fail to initialize secrets, causing 'JwtStrategy requires a secret or key'
error on startup.

This fix adds a fallback to weak default values (same as WEAK_DEFAULTS) instead
of throwing an error, making docker-compose work out of the box.

Fixes FlowiseAI#4563
@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a critical startup issue encountered when running the application via docker-compose without explicitly setting JWT secret environment variables. By introducing a fallback to weak default secrets within the getJWTAuthTokenSecret() and getJWTRefreshTokenSecret() functions, the system can now initialize successfully, improving the developer experience and simplifying initial setup.

Highlights

  • JWT Secret Fallback: Implemented a fallback mechanism for JWT authentication and refresh token secrets. If environment variables for these secrets are not explicitly set, the system will now use predefined weak default values instead of throwing an error.
  • Docker Compose Compatibility: Ensured that docker-compose up -d can run successfully out-of-the-box even when JWT environment variables are not configured, preventing startup failures.
Changelog
  • packages/server/src/enterprise/utils/authSecrets.ts
    • Modified getJWTAuthTokenSecret() to return WEAK_DEFAULTS.JWT_AUTH_TOKEN_SECRET if jwtAuthTokenSecret is undefined, instead of throwing an error.
    • Modified getJWTRefreshTokenSecret() to return WEAK_DEFAULTS.JWT_REFRESH_TOKEN_SECRET if jwtRefreshTokenSecret is undefined, instead of throwing an error.

gemini-code-assist bot left a comment

Code Review

This pull request aims to improve the developer experience by providing fallback JWT secrets for easier setup with Docker. However, the current implementation introduces a critical security vulnerability by silently using weak, predictable secrets if they are not configured. This could lead to severe security breaches if deployed to production.

My review includes suggestions to make this feature secure by default. Specifically, I recommend checking the environment (NODE_ENV) and throwing an error if the secrets are not set in production, while logging a prominent warning and falling back to defaults only in development environments. This approach maintains the ease of local setup without compromising production security.

Comment on lines +83 to +86
if (jwtAuthTokenSecret === undefined) {
// Fallback to weak default if initialization failed (e.g., docker with default .env)
return WEAK_DEFAULTS.JWT_AUTH_TOKEN_SECRET
}

Labels: security-critical, critical

While this change improves the developer experience for local setup, it introduces a critical security risk by silently falling back to weak, predictable JWT secrets. If this configuration is accidentally deployed to production, it would allow attackers to easily forge authentication tokens. A much safer approach is to explicitly prevent the application from starting with weak secrets in a production environment, while still allowing it for development with a clear warning.

You will also need to import the logger at the top of the file:

import logger from '../../utils/logger'
Suggested change
if (jwtAuthTokenSecret === undefined) {
// Fallback to weak default if initialization failed (e.g., docker with default .env)
return WEAK_DEFAULTS.JWT_AUTH_TOKEN_SECRET
}
if (jwtAuthTokenSecret === undefined) {
if (process.env.NODE_ENV === 'production') {
throw new Error('FATAL: JWT_AUTH_TOKEN_SECRET must be set in production. The application will not start with an insecure default secret.');
}
// Fallback to weak default for development
logger.warn('WARNING: JWT_AUTH_TOKEN_SECRET is not set. Falling back to a weak, insecure default secret. This is for development only and MUST NOT be used in production.');
return WEAK_DEFAULTS.JWT_AUTH_TOKEN_SECRET
}
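Review bot: the `process.env.NODE_ENV === 'production'` gate in the suggested block only refuses the weak default when NODE_ENV is explicitly 'production'; a container started with NODE_ENV unset, which is exactly the docker-compose scenario this PR targets, still silently receives WEAK_DEFAULTS.JWT_AUTH_TOKEN_SECRET with only a log line. Invert the condition so the fallback is taken only when NODE_ENV is explicitly a development or test value and every other environment throws, so that an unknown or missing environment fails closed rather than open.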

Comment on lines +91 to +93
if (jwtRefreshTokenSecret === undefined) {
return WEAK_DEFAULTS.JWT_REFRESH_TOKEN_SECRET
}

Labels: security-critical, critical

For the same security reasons as with the auth token secret, the refresh token secret should not fall back to a weak default in a production environment. This change ensures the application fails safe by refusing to start with an insecure configuration in production.

Suggested change
if (jwtRefreshTokenSecret === undefined) {
return WEAK_DEFAULTS.JWT_REFRESH_TOKEN_SECRET
}
if (jwtRefreshTokenSecret === undefined) {
if (process.env.NODE_ENV === 'production') {
throw new Error('FATAL: JWT_REFRESH_TOKEN_SECRET must be set in production. The application will not start with an insecure default secret.');
}
// Fallback to weak default for development
logger.warn('WARNING: JWT_REFRESH_TOKEN_SECRET is not set. Falling back to a weak, insecure default secret. This is for development only and MUST NOT be used in production.');
return WEAK_DEFAULTS.JWT_REFRESH_TOKEN_SECRET
}
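Review bot: this suggested block repeats the environment check, error message and warning from the auth-token suggestion almost verbatim, with only the secret name changed; factor both into one helper (for example a hypothetical `secretOrDevFallback(name, value, weakDefault)`) so the two secrets cannot drift apart in behaviour, and note that this hunk also depends on the `import logger from '../../utils/logger'` line the earlier comment asks for, which is not shown here.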

@HenryHengZJ HenryHengZJ requested a review from 0xi4o March 17, 2026 11:33
@HenryHengZJ

@0xi4o Is this still a valid issue? Any solution?

0xi4o commented Mar 23, 2026

@HenryHengZJ The linked issue is nearly a year old and was fixed in PR #4606. The issue wasn't closed though. docker compose up will not fail because we now generate secure secrets if these env variables are not set in the .env file.

In addition to that, these changes reintroduce the weak defaults and thus weaken our security posture, which we do not want. The only reason we still have a WEAK_DEFAULTS list is to trigger the generation of secure secrets, thus protecting users who still have the old .env with weak defaults.
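A worked illustration of the approach the maintainer describes above (generate a secure secret when the env var is missing or still equals a known weak default), combined with the fail-closed production check the review suggested. This is added example code, not Flowise's implementation from PR #4606; the WEAK_DEFAULTS values, resolveSecret, isUsableSecret and their parameters are assumptions.

```typescript
// Added example (not Flowise's own code): resolve a JWT secret so the server never
// runs on a missing or known-weak value. WEAK_DEFAULTS contents, resolveSecret and
// its parameters are assumptions made for this illustration.
import { randomBytes } from 'crypto'

// Constructed stand-ins for the weak values an old .env might still contain.
export const WEAK_DEFAULTS = {
    JWT_AUTH_TOKEN_SECRET: 'weak-auth-secret',
    JWT_REFRESH_TOKEN_SECRET: 'weak-refresh-secret'
} as const

// RFC 7518 requires an HS256 key of at least 256 bits; 32 bytes is the floor here
// (assumed policy: 32 characters of configured text is treated as that minimum).
const MIN_SECRET_BYTES = 32

export interface ResolvedSecret {
    value: string
    source: 'env' | 'generated'
}

// A configured value counts as usable only if it is present, is not one of the
// known weak defaults, and meets the minimum length.
export function isUsableSecret(name: keyof typeof WEAK_DEFAULTS, value: string | undefined): value is string {
    return value !== undefined && value !== WEAK_DEFAULTS[name] && value.length >= MIN_SECRET_BYTES
}

// Resolution order:
//   1. usable configured value -> use it as-is;
//   2. otherwise, in production, refuse to start (fail closed) unless the caller
//      explicitly opts into generation, because an in-memory generated secret
//      changes on every restart and invalidates all previously issued tokens;
//   3. otherwise generate 32 cryptographically random bytes, which is the
//      behaviour the maintainer describes for docker compose without env vars.
export function resolveSecret(
    name: keyof typeof WEAK_DEFAULTS,
    configured: string | undefined,
    nodeEnv: string | undefined,
    allowGeneratedInProduction = false
): ResolvedSecret {
    if (isUsableSecret(name, configured)) {
        return { value: configured, source: 'env' }
    }
    if (nodeEnv === 'production' && !allowGeneratedInProduction) {
        throw new Error(`${name} is unset or a weak default; refusing to start in production`)
    }
    return { value: randomBytes(MIN_SECRET_BYTES).toString('hex'), source: 'generated' }
}
```

A generated secret lives only in memory, so a deployment that relies on step 3 should persist it (or set the env var) to avoid logging every user out on restart.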

@0xi4o 0xi4o closed this Mar 23, 2026

Linked issue: [BUG] docker compose TypeError: JwtStrategy requires a secret or key