fix(security): wire Guardian secret_key (raise in prod)

ArcadiaCloud.Guardian had no secret_key for prod at all — every authed route
would fail at deploy. Wire it from GUARDIAN_SECRET_KEY, raising when absent in
prod; keep the pinned dev/staging default.

Ecosystem audit 2026-06-20, rank 2 blocker.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-20 16:22:17 +10:00
parent 7c7370860a
commit 20ce45717a

@@ -23,6 +23,18 @@ end
config :arcadia_cloud, ArcadiaCloudWeb.Endpoint, config :arcadia_cloud, ArcadiaCloudWeb.Endpoint,
http: [port: String.to_integer(System.get_env("PORT", "4005"))] http: [port: String.to_integer(System.get_env("PORT", "4005"))]
# Guardian shared secret — arcadia-cloud only *verifies* arcadia-core-issued
# JWTs, so this MUST match arcadia-core's Arcadia.Guardian secret or every
# authed route 401s. Without it Guardian cannot verify at all. Prod supplies
# GUARDIAN_SECRET_KEY (raise if missing); dev/test use the pinned shared secret.
config :arcadia_cloud, ArcadiaCloud.Guardian,
secret_key:
System.get_env("GUARDIAN_SECRET_KEY") ||
if(config_env() == :prod,
do: raise("environment variable GUARDIAN_SECRET_KEY is missing"),
else: "DuMkIRN3Qcxk8VqOu8nHj5i7a7a7YgBHF4oXqKwDI4A="
)
if config_env() == :prod do if config_env() == :prod do
database_url = database_url =
System.get_env("DATABASE_URL") || System.get_env("DATABASE_URL") ||
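Review bot: The `else:` branch of `secret_key` commits a literal JWT verification secret to the repository and applies it to every environment other than `:prod`, so any non-prod deployment started without GUARDIAN_SECRET_KEY will verify tokens against a key that anyone with read access to the repo knows. Suggest limiting the fallback to `config_env() in [:dev, :test]` and raising in every other environment, and treating the committed value as public. The `System.get_env("GUARDIAN_SECRET_KEY") ||` test also lets an empty string through, because `""` is truthy in Elixir: a prod deploy with the variable set but blank skips the `raise` and configures an empty key, so reject both `nil` and `""`. The code comment says "dev/test" while the commit message says "dev/staging"; align them so it is clear whether staging is meant to share the pinned secret.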