fix: tighten production config validation with token length and db path checks

2026-03-04 13:29:50 +01:00
parent a8ed3c4356
commit 3393514911


@@ -270,9 +270,26 @@ pub fn validate_production_config(effective: &EffectiveConfig) -> anyhow::Result
"production forbids auth_token 'devtoken'; set a strong QPQ_AUTH_TOKEN" "production forbids auth_token 'devtoken'; set a strong QPQ_AUTH_TOKEN"
); );
} }
if token.len() < 16 {
anyhow::bail!(
"production requires QPQ_AUTH_TOKEN of at least 16 characters (got {})",
token.len()
);
}
if effective.store_backend == "sql" && effective.db_key.is_empty() { if effective.store_backend == "sql" && effective.db_key.is_empty() {
anyhow::bail!("production with store_backend=sql requires non-empty QPQ_DB_KEY"); anyhow::bail!("production with store_backend=sql requires non-empty QPQ_DB_KEY");
} }
if effective.store_backend == "sql" {
let db_dir = effective
.db_path
.parent()
.unwrap_or_else(|| Path::new("."));
// Verify the directory exists and is writable by creating+removing a probe file.
let probe = db_dir.join(".qpq-write-probe");
std::fs::write(&probe, b"probe")
.with_context(|| format!("DB path parent {:?} is not writable", db_dir))?;
let _ = std::fs::remove_file(&probe);
}
if effective.store_backend != "sql" { if effective.store_backend != "sql" {
tracing::warn!( tracing::warn!(
"production is using file-backed storage; \ "production is using file-backed storage; \