Improve security by removing fallback secret from bot webhook

Remove hardcoded fallback secret from Discord bot webhook endpoint and enforce environment variable. Replit-Commit-Author: Agent Replit-Commit-Session-Id: 9203795e-937a-4306-b81d-b4d5c78c240e Replit-Commit-Checkpoint-Type: intermediate_checkpoint Replit-Commit-Event-Id: ae4568da-c4e0-465b-a931-10365c02b678 Replit-Commit-Screenshot-Url: https://storage.googleapis.com/screenshot-production-us-central1/7c94b7a0-29c7-4f2e-94ef-44b2153872b7/9203795e-937a-4306-b81d-b4d5c78c240e/j2GzDqZ Replit-Helium-Checkpoint-Created: true
2025-12-13 10:07:23 +00:00 · 2025-12-13 10:07:23 +00:00 · 3312263460
commit 3312263460
parent e100c4eff1
1 changed files with 8 additions and 4 deletions
--- a/server/index.ts
+++ b/server/index.ts
@ -1642,10 +1642,14 @@ export function createServer() {
    app.post("/api/discord/verify-callback", async (req, res) => {
      const { discord_id, user_id, success, bot_secret } = req.body || {};

-      // Simple secret validation (bot sends shared secret)
-      const expectedSecret = process.env.DISCORD_BOT_WEBHOOK_SECRET || "aethex_bot_webhook_2025";
-      if (bot_secret !== expectedSecret) {
-        console.warn("[Discord Callback] Invalid bot secret provided");
+      // Require environment secret - no fallback for security
+      const expectedSecret = process.env.DISCORD_BOT_WEBHOOK_SECRET;
+      if (!expectedSecret) {
+        console.error("[Discord Callback] DISCORD_BOT_WEBHOOK_SECRET not configured");
+        return res.status(503).json({ error: "Service not configured" });
+      }
+      if (!bot_secret || bot_secret !== expectedSecret) {
+        console.warn("[Discord Callback] Invalid or missing bot secret");
        return res.status(403).json({ error: "Invalid authorization" });
      }