fix(security): hardening phase-0 — better-auth secret, audit pepper, IP redaction, realtime WS gate #13

Merged
flndrn-dev merged 4 commits from fix/security-hardening-phase-0 into main 2026-04-27 11:24:31 +02:00
flndrn-dev commented 2026-04-27 11:21:23 +02:00 (Migrated from github.com)

Summary

Four security hardening fixes audited & ready to land before any deployment past localhost. Each commit is a single, focused change with a tracking ID (C-2/C-3/C-7/H-3) and was verified standalone.

  • C-2 (HIGH) — `b05a2f1 fix(api): drop hardcoded Better Auth secret fallback` — removes the `?? 'dev-insecure-fallback-change-in-prod'` fallback in `apps/api/src/lib/auth.ts`. Boot-fail on missing secret outside development.
  • C-3 (MED) — `0f4e57f fix(api): introduce BRIVEN_AUDIT_IP_PEPPER, drop reused 'dev-pepper'` — splits the audit-IP pepper out from `BRIVEN_BETTER_AUTH_SECRET`, removes the public `'dev-pepper'` fallback that defeated pseudonymisation if either env was unset. Updates 11 audit-call sites across admin/api-keys/db/deployments/invitations/me/project-env/project-members/projects.
  • C-7 (MED) — `d64f6f5 fix(api+web): drop raw IP from /v1/me response` — `/v1/me` no longer echoes the requester's plaintext IP back to the client (redundant with audit hashing, removes a casual data-exfil channel from a compromised browser).
  • H-3 (HIGH) — `132d807 fix(realtime): refuse WS upgrade when shared secret unset` — `apps/realtime` now refuses to accept a WS upgrade if `BRIVEN_RUNTIME_SHARED_SECRET` is not configured, instead of silently accepting any upgrade.

Verification

  • pnpm install --frozen-lockfile: pass
  • pnpm -w typecheck: 15/15 successful
  • pnpm -w build: 11/11 successful
  • pnpm -w test: api/cli/schema all green; the @briven/realtime and @briven/runtime failures are the pre-existing bun-no-tests-found issue (also present on main, fix lives on feat/observability-stack separately) — NOT introduced by this branch.

Test plan

  • CI green
  • Smoke: boot api with no `BRIVEN_BETTER_AUTH_SECRET` set → fails fast (C-2)
  • Smoke: write an audit row, confirm `ipHash` derives from `BRIVEN_AUDIT_IP_PEPPER` (C-3)
  • Smoke: GET `/v1/me`, confirm response has no raw IP (C-7)
  • Smoke: connect WS to realtime with no shared secret env → 4401/refusal (H-3)

🤖 Generated with Claude Code
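The three server-side patterns the PR lands (fail-fast secret loading with no hardcoded fallback, a pepper that is separate from the auth secret for IP pseudonymisation, and a WS upgrade gate that refuses when the shared secret is unset) can be demonstrated together. The block below is an added example written for this page; it is not code from the `briven` repository. It reuses the env var names and the two removed placeholder strings from the PR description, but the function names (`requireSecret`, `loadSecrets`, `hashIp`, `gateUpgrade`), the `NODE_ENV=development` check, the random per-process dev secret, the 32-character minimum and the IPv4-mapped-IPv6 normalisation are all assumptions, not the project's actual behaviour.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

type Env = Record<string, string | undefined>;

// Values that must never be accepted as a live secret: the two public fallbacks
// the PR removed. Treating them as "unset" blocks a stale .env from reviving them.
const KNOWN_PLACEHOLDERS = new Set(["dev-insecure-fallback-change-in-prod", "dev-pepper"]);

// Hypothetical loader. Outside development a missing, empty, placeholder or
// short value throws at boot; in development a random per-process value is
// generated so nothing hardcoded can leak into a deployment.
export function requireSecret(env: Env, name: string, minLength = 32): string {
  const isDev = env.NODE_ENV === "development";
  const value = env[name];
  if (value === undefined || value === "" || KNOWN_PLACEHOLDERS.has(value)) {
    if (isDev) return randomBytes(32).toString("hex");
    throw new Error(`${name} is unset or a known placeholder; refusing to boot`);
  }
  if (value.length < minLength && !isDev) {
    throw new Error(`${name} must be at least ${minLength} characters`);
  }
  return value;
}

// Loads both secrets and enforces that the audit pepper is not a reuse of the
// auth secret (the C-3 point: one leaked value must not unmask the other).
export function loadSecrets(env: Env): { authSecret: string; ipPepper: string } {
  const authSecret = requireSecret(env, "BRIVEN_BETTER_AUTH_SECRET");
  const ipPepper = requireSecret(env, "BRIVEN_AUDIT_IP_PEPPER");
  if (authSecret === ipPepper) {
    throw new Error("BRIVEN_AUDIT_IP_PEPPER must not reuse BRIVEN_BETTER_AUTH_SECRET");
  }
  return { authSecret, ipPepper };
}

// Keyed pseudonymisation: HMAC-SHA256 over the normalised address. Without the
// pepper an attacker could enumerate the IPv4 space and reverse a plain hash.
// Assumed normalisation: strip the IPv4-mapped IPv6 prefix so the same client
// hashes identically whether it arrived over v4 or a dual-stack socket.
export function hashIp(ip: string, pepper: string): string {
  const trimmed = ip.trim();
  const mapped = /^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/i.exec(trimmed);
  const normalised = (mapped?.[1] ?? trimmed).toLowerCase();
  return createHmac("sha256", pepper).update(normalised).digest("hex");
}

export type UpgradeDecision =
  | { accept: true }
  | { accept: false; code: 4401; reason: string };

// WS upgrade gate: an unconfigured shared secret is a refusal, never an
// "accept everything" default. Token comparison is constant-time; the length
// check is needed because timingSafeEqual throws on unequal lengths.
export function gateUpgrade(env: Env, presented: string | undefined): UpgradeDecision {
  const secret = env.BRIVEN_RUNTIME_SHARED_SECRET;
  if (!secret || KNOWN_PLACEHOLDERS.has(secret)) {
    return { accept: false, code: 4401, reason: "shared secret not configured" };
  }
  if (!presented) {
    return { accept: false, code: 4401, reason: "no token presented" };
  }
  const a = Buffer.from(secret, "utf8");
  const b = Buffer.from(presented, "utf8");
  if (a.length !== b.length || !timingSafeEqual(a, b)) {
    return { accept: false, code: 4401, reason: "token mismatch" };
  }
  return { accept: true };
}

// Constructed environment for a stand-alone run (not real secrets).
export const constructedProdEnv: Env = {
  NODE_ENV: "production",
  BRIVEN_BETTER_AUTH_SECRET: "auth-".padEnd(40, "a"),
  BRIVEN_AUDIT_IP_PEPPER: "pepper-".padEnd(40, "b"),
  BRIVEN_RUNTIME_SHARED_SECRET: "ws-".padEnd(40, "c"),
};

const { ipPepper } = loadSecrets(constructedProdEnv);
console.log("ipHash:", hashIp("::ffff:203.0.113.7", ipPepper));
console.log("ws (no secret):", gateUpgrade({}, "anything"));
console.log("ws (good token):", gateUpgrade(constructedProdEnv, constructedProdEnv.BRIVEN_RUNTIME_SHARED_SECRET));
```

The smoke tests in the PR's test plan map directly onto these functions: booting with `BRIVEN_BETTER_AUTH_SECRET` unset is `requireSecret` throwing, the `ipHash` check is `hashIp` changing when the pepper changes, and the 4401 refusal is `gateUpgrade` with no `BRIVEN_RUNTIME_SHARED_SECRET` in the environment.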
