Improve security by removing fallback secret from bot webhook
Remove hardcoded fallback secret from Discord bot webhook endpoint and enforce environment variable. Replit-Commit-Author: Agent Replit-Commit-Session-Id: 9203795e-937a-4306-b81d-b4d5c78c240e Replit-Commit-Checkpoint-Type: intermediate_checkpoint Replit-Commit-Event-Id: ae4568da-c4e0-465b-a931-10365c02b678 Replit-Commit-Screenshot-Url: https://storage.googleapis.com/screenshot-production-us-central1/7c94b7a0-29c7-4f2e-94ef-44b2153872b7/9203795e-937a-4306-b81d-b4d5c78c240e/j2GzDqZ Replit-Helium-Checkpoint-Created: true
This commit is contained in:
sirpiglr
parent
e100c4eff1
commit
3312263460
1 changed files with 8 additions and 4 deletions
|
|
@ -1642,10 +1642,14 @@ export function createServer() {
|
||||||
app.post("/api/discord/verify-callback", async (req, res) => {
|
app.post("/api/discord/verify-callback", async (req, res) => {
|
||||||
const { discord_id, user_id, success, bot_secret } = req.body || {};
|
const { discord_id, user_id, success, bot_secret } = req.body || {};
|
||||||
|
|
||||||
// Simple secret validation (bot sends shared secret)
|
// Require environment secret - no fallback for security
|
||||||
const expectedSecret = process.env.DISCORD_BOT_WEBHOOK_SECRET || "aethex_bot_webhook_2025";
|
const expectedSecret = process.env.DISCORD_BOT_WEBHOOK_SECRET;
|
||||||
if (bot_secret !== expectedSecret) {
|
if (!expectedSecret) {
|
||||||
console.warn("[Discord Callback] Invalid bot secret provided");
|
console.error("[Discord Callback] DISCORD_BOT_WEBHOOK_SECRET not configured");
|
||||||
|
return res.status(503).json({ error: "Service not configured" });
|
||||||
|
}
|
||||||
|
if (!bot_secret || bot_secret !== expectedSecret) {
|
||||||
|
console.warn("[Discord Callback] Invalid or missing bot secret");
|
||||||
return res.status(403).json({ error: "Invalid authorization" });
|
return res.status(403).json({ error: "Invalid authorization" });
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue