From 20ce45717a2a5811d725f79d781f02ce78c09149 Mon Sep 17 00:00:00 2001 From: Giuliano Silvestro Date: Sat, 20 Jun 2026 16:22:17 +1000 Subject: [PATCH] fix(security): wire Guardian secret_key (raise in prod) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ArcadiaCloud.Guardian had no secret_key for prod at all — every authed route would fail at deploy. Wire it from GUARDIAN_SECRET_KEY, raising when absent in prod; keep the pinned dev/staging default. Ecosystem audit 2026-06-20, rank 2 blocker. Co-Authored-By: Claude Opus 4.8 (1M context) --- config/runtime.exs | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/config/runtime.exs b/config/runtime.exs index b79d93e..f4908b1 100644 --- a/config/runtime.exs +++ b/config/runtime.exs @@ -23,6 +23,18 @@ end config :arcadia_cloud, ArcadiaCloudWeb.Endpoint, http: [port: String.to_integer(System.get_env("PORT", "4005"))] +# Guardian shared secret — arcadia-cloud only *verifies* arcadia-core-issued +# JWTs, so this MUST match arcadia-core's Arcadia.Guardian secret or every +# authed route 401s. Without it Guardian cannot verify at all. Prod supplies +# GUARDIAN_SECRET_KEY (raise if missing); dev/test use the pinned shared secret. +config :arcadia_cloud, ArcadiaCloud.Guardian, + secret_key: + System.get_env("GUARDIAN_SECRET_KEY") || + if(config_env() == :prod, + do: raise("environment variable GUARDIAN_SECRET_KEY is missing"), + else: "DuMkIRN3Qcxk8VqOu8nHj5i7a7a7YgBHF4oXqKwDI4A=" + ) + if config_env() == :prod do database_url = System.get_env("DATABASE_URL") ||
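Review bot: In the `secret_key:` expression, `System.get_env("GUARDIAN_SECRET_KEY") || ...` only falls through when the variable is unset (`nil`), so a prod deploy with the variable present but empty hands `""` to Guardian without raising, because an empty string is truthy in Elixir. Read the variable once and treat both `nil` and `""` as missing before the `config_env() == :prod` branch. Separately, the `else:` branch covers every environment that is not `:prod`, and the commit message says "dev/staging" while the code comment says "dev/test". If staging is built with a non-prod `config_env()` and is reachable, it verifies JWTs against a key committed in this file, so anyone with read access to the repository holds that key. Limit the literal to `:dev` and `:test` explicitly and require the env var everywhere else. Since the hunk sits directly above the existing `if config_env() == :prod do` block, the prod raise could also move in there beside the `DATABASE_URL` lookup, which keeps all required-in-prod variables in one place.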