security: require secret env vars at startup, remove dev fallbacks

[aspiers]

Summary

• Replace hardcoded 'dev-*-change-me' fallbacks for AUTH_SESSION_SECRET and EPDS_CALLBACK_SECRET with a requireEnv() helper that throws at startup if the variable is missing
• Remove the same fallback in pds-core/src/index.ts for EPDS_CALLBACK_SECRET
• Remove the dead csrfSecret config field and unused _secret parameter in csrfProtection() — the middleware uses crypto.randomBytes and ignores it
• Update all .env.example files with REQUIRED annotations and remove AUTH_CSRF_SECRET

Motivation

If these env vars are not set in production, services previously ran silently with well-known secrets, allowing an attacker to forge session cookies (AUTH_SESSION_SECRET) or HMAC callback signatures (EPDS_CALLBACK_SECRET).

Breaking Change

Services will now refuse to start without AUTH_SESSION_SECRET and EPDS_CALLBACK_SECRET set. Existing deployments that rely on the dev defaults must set these env vars before upgrading.

Generate values with: openssl rand -hex 32

Closes #37

Summary by CodeRabbit

• Bug Fixes

  • Services now enforce required authentication and callback secrets at startup, preventing operation without proper configuration and failing with clear error messages if mandatory environment variables are missing.

• Chores

  • Simplified CSRF secret configuration; updated environment example files to clarify which secrets are mandatory for service startup.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
epds-demo	Ready	Preview, Comment	Mar 26, 2026 9:23pm

[coderabbitai]

📝 Walkthrough

Walkthrough

This PR removes hardcoded development secret fallbacks from the auth service and PDS core, requiring AUTH_SESSION_SECRET and EPDS_CALLBACK_SECRET environment variables at startup. It also eliminates the unused csrfSecret configuration field and its associated parameter throughout the codebase.

Changes

Cohort / File(s)	Summary
Environment Configuration .env.example, packages/auth-service/.env.example, packages/pds-core/.env.example	Added "REQUIRED" annotations to EPDS_CALLBACK_SECRET and AUTH_SESSION_SECRET. Removed unused AUTH_CSRF_SECRET from example files to clarify mandatory secrets.
Type Definitions packages/shared/src/types.ts, packages/auth-service/src/context.ts	Removed csrfSecret: string property from AuthConfig and AuthServiceConfig interfaces, reflecting that the CSRF middleware ignores external secret input.
CSRF Middleware packages/auth-service/src/middleware/csrf.ts	Updated csrfProtection() factory function to accept no parameters instead of unused _secret: string, aligning with internal random token generation.
Startup & Configuration packages/auth-service/src/index.ts, packages/pds-core/src/index.ts	Added requireEnv() helper to enforce presence of required environment variables. Replaced || fallback logic with mandatory environment variable enforcement, causing startup failure if AUTH_SESSION_SECRET or EPDS_CALLBACK_SECRET are missing.
Tests packages/auth-service/src/__tests__/consent.test.ts, packages/auth-service/src/__tests__/csrf.test.ts, packages/shared/src/__tests__/types.test.ts	Removed csrfSecret from mock configurations and test fixtures. Updated CSRF middleware instantiation to use no arguments.

Estimated Code Review Effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐰 Secrets once hardcoded, now they're gone,
No more dev-defaults when config's on.
requireEnv() stands guard at the gate,
Refusing to start if secrets aren't straight!
Safer services, no sneaky fallbacks to see. 🔐

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately describes the primary change: removing hardcoded development fallbacks and requiring environment variables at startup for mandatory secrets.
Linked Issues check	✅ Passed	The changes fully address all objectives from issue #37: replacing hardcoded dev fallbacks with requireEnv() for AUTH_SESSION_SECRET and EPDS_CALLBACK_SECRET, removing unused csrfSecret field, and updating .env.example files.
Out of Scope Changes check	✅ Passed	All changes are directly aligned with issue #37 requirements; no out-of-scope modifications were introduced beyond the specified security improvements.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch remove-dev-secret-fallbacks

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[railway-app]

🚅 Deployed to the ePDS-pr-41 environment in ePDS

Service	Status	Web	Updated (UTC)
@certified-app/demo	✅ Success (View Logs)	Web	Mar 26, 2026 at 9:26 pm
@certified-app/pds-core	✅ Success (View Logs)	Web	Mar 26, 2026 at 9:26 pm
@certified-app/auth-service	✅ Success (View Logs)	Web	Mar 26, 2026 at 9:25 pm

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[coveralls-official]

Pull Request Test Coverage Report for Build 23618738448

Details

• 0 of 8 (0.0%) changed or added relevant lines in 2 files are covered.
• No unchanged relevant lines lost coverage.
• Overall coverage decreased (-0.02%) to 29.56%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
packages/pds-core/src/index.ts	0	3	0.0%
packages/auth-service/src/index.ts	0	5	0.0%

Totals
Change from base Build 23518463989:	-0.02%
Covered Lines:	517
Relevant Lines:	1644

---

💛 - Coveralls

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@packages/auth-service/src/index.ts`:
- Around line 124-133: requireEnv currently accepts whitespace-only values
(e.g., "  ") as valid, so update the function requireEnv to reject values that
are empty after trimming: retrieve process.env[name], check if value is
undefined or value.trim().length === 0, and throw the existing Error if so; keep
the same error message but ensure values consisting only of whitespace are
treated as missing. Use the function name requireEnv to locate and modify the
check.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: efd7433b-d33c-47c0-9248-b6fa2724a6f4

📥 Commits

Reviewing files that changed from the base of the PR and between b9eb33f and 67e41b4.

📒 Files selected for processing (11)

• .env.example
• packages/auth-service/.env.example
• packages/auth-service/src/__tests__/consent.test.ts
• packages/auth-service/src/__tests__/csrf.test.ts
• packages/auth-service/src/context.ts
• packages/auth-service/src/index.ts
• packages/auth-service/src/middleware/csrf.ts
• packages/pds-core/.env.example
• packages/pds-core/src/index.ts
• packages/shared/src/__tests__/types.test.ts
• packages/shared/src/types.ts

💤 Files with no reviewable changes (4)

• packages/auth-service/src/tests/consent.test.ts
• packages/auth-service/src/context.ts
• packages/shared/src/types.ts
• packages/shared/src/tests/types.test.ts

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Reject whitespace-only required env values.

requireEnv() currently treats values like ' ' as valid. That can still boot with an effectively empty secret.

🔧 Proposed fix

 function requireEnv(name: string): string {
-  const value = process.env[name]
+  const value = process.env[name]?.trim()
   if (!value) {
     throw new Error(
       `Missing required environment variable: ${name}. ` +
         `Generate a value with: openssl rand -hex 32`,
     )
   }
   return value
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	function requireEnv(name: string): string {
	const value = process.env[name]
	if (!value) {
	throw new Error(
	`Missing required environment variable: ${name}. ` +
	`Generate a value with: openssl rand -hex 32`,
	)
	}
	return value
	}
	function requireEnv(name: string): string {
	const value = process.env[name]?.trim()
	if (!value) {
	throw new Error(
	`Missing required environment variable: ${name}. ` +
	`Generate a value with: openssl rand -hex 32`,
	)
	}
	return value
	}

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@packages/auth-service/src/index.ts` around lines 124 - 133, requireEnv
currently accepts whitespace-only values (e.g., "  ") as valid, so update the
function requireEnv to reject values that are empty after trimming: retrieve
process.env[name], check if value is undefined or value.trim().length === 0, and
throw the existing Error if so; keep the same error message but ensure values
consisting only of whitespace are treated as missing. Use the function name
requireEnv to locate and modify the check.