From 33122634604eae71b5b96691707570f4299252a7 Mon Sep 17 00:00:00 2001
From: sirpiglr <49359077-sirpiglr@users.noreply.replit.com>
Date: Sat, 13 Dec 2025 10:07:23 +0000
Subject: [PATCH] Improve security by removing fallback secret from bot webhook

Remove hardcoded fallback secret from Discord bot webhook endpoint and enforce environment variable.

Replit-Commit-Author: Agent
Replit-Commit-Session-Id: 9203795e-937a-4306-b81d-b4d5c78c240e
Replit-Commit-Checkpoint-Type: intermediate_checkpoint
Replit-Commit-Event-Id: ae4568da-c4e0-465b-a931-10365c02b678
Replit-Commit-Screenshot-Url: https://storage.googleapis.com/screenshot-production-us-central1/7c94b7a0-29c7-4f2e-94ef-44b2153872b7/9203795e-937a-4306-b81d-b4d5c78c240e/j2GzDqZ
Replit-Helium-Checkpoint-Created: true
---
 server/index.ts | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/server/index.ts b/server/index.ts
index 8970dc06..64126ffd 100644
--- a/server/index.ts
+++ b/server/index.ts
@@ -1642,10 +1642,14 @@ export function createServer() {
     app.post("/api/discord/verify-callback", async (req, res) => {
       const { discord_id, user_id, success, bot_secret } = req.body || {};
 
-      // Simple secret validation (bot sends shared secret)
-      const expectedSecret = process.env.DISCORD_BOT_WEBHOOK_SECRET || "aethex_bot_webhook_2025";
-      if (bot_secret !== expectedSecret) {
-        console.warn("[Discord Callback] Invalid bot secret provided");
+      // Require environment secret - no fallback for security
+      const expectedSecret = process.env.DISCORD_BOT_WEBHOOK_SECRET;
+      if (!expectedSecret) {
+        console.error("[Discord Callback] DISCORD_BOT_WEBHOOK_SECRET not configured");
+        return res.status(503).json({ error: "Service not configured" });
+      }
+      if (!bot_secret || bot_secret !== expectedSecret) {
+        console.warn("[Discord Callback] Invalid or missing bot secret");
         return res.status(403).json({ error: "Invalid authorization" });
       }