From 82a094f2f2d79842e5d847c8f532c80db4db384c Mon Sep 17 00:00:00 2001
From: posimai
Date: Fri, 10 Apr 2026 07:55:08 +0900
Subject: [PATCH] fix: refuse to start if JWT_SECRET is not set in environment

Co-Authored-By: Claude Sonnet 4.6
---
 server.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/server.js b/server.js
index dc5decaf..bd9e32da 100644
--- a/server.js
+++ b/server.js
@@ -83,10 +83,11 @@ function escapeHtml(str) {
 }
 
 // ── Auth: JWT config ────────────────────────────────────────────────
-const JWT_SECRET = process.env.JWT_SECRET || 'dev-secret-CHANGE-IN-PRODUCTION';
 if (!process.env.JWT_SECRET) {
-  console.error('[SECURITY] JWT_SECRET is not set. Using insecure default. Set JWT_SECRET env var in production!');
+  console.error('[SECURITY] JWT_SECRET env var is not set. Refusing to start.');
+  process.exit(1);
 }
+const JWT_SECRET = process.env.JWT_SECRET;
 const JWT_TTL_SECONDS = 30 * 24 * 60 * 60; // 30 days
 
 // WebAuthn relying party config (from env)
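Review bot: The guard on the `if (!process.env.JWT_SECRET)` line only checks that the variable is present, so a one-character value — or the just-removed default `dev-secret-CHANGE-IN-PRODUCTION` copied into an existing `.env` from the old code or docs — still passes and the server starts with a guessable signing key that lets anyone mint valid tokens. The startup check should also enforce a minimum length and reject the known placeholder, e.g. `if (!process.env.JWT_SECRET || process.env.JWT_SECRET.length < 32 || process.env.JWT_SECRET === 'dev-secret-CHANGE-IN-PRODUCTION') {`, with the error message updated to say a secret of at least 32 characters is required. The signing algorithm is not visible in this hunk; if it is HMAC (HS256), RFC 7518 §3.2 requires a key at least as long as the hash output, which is what the 32-byte floor corresponds to. A one-line comment above the check, `// Fail closed: a missing or weak secret is a startup error, not a warning.`, would record why the process exits instead of degrading as it did before.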