From e90518a629d47d7ab250cfdd7771857cb58a2ed1 Mon Sep 17 00:00:00 2001
From: Sergei
Date: Mon, 26 Jan 2026 16:42:30 -0800
Subject: [PATCH] fix(security): add JWT_SECRET validation at startup
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Server now validates that JWT_SECRET environment variable exists and has at least 32 characters before starting. This prevents the server from running with weak or missing JWT secrets.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude
---
 backend/src/index.js | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/backend/src/index.js b/backend/src/index.js
index 1df12b7..f2e4b83 100644
--- a/backend/src/index.js
+++ b/backend/src/index.js
@@ -1,4 +1,12 @@
 require('dotenv').config();
+
+// ============ SECURITY VALIDATION ============
+// Validate JWT_SECRET at startup
+if (!process.env.JWT_SECRET || process.env.JWT_SECRET.length < 32) {
+ console.error('JWT_SECRET must be at least 32 characters!');
+ process.exit(1);
+}
+
 const express = require('express');
 const cors = require('cors');
 const helmet = require('helmet');
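Review bot: The check `process.env.JWT_SECRET.length < 32` is a floor on length only, so a 32-character placeholder or repeated-character value copied from a sample env file still passes and the server starts with a guessable signing key. I would say so in the comment above the check and point operators at a CSPRNG, e.g. `// Length floor only, not an entropy check: generate with crypto.randomBytes(32).toString('hex')`, and put the same hint in the error message. If tokens are signed with HS256 (the signing code is not in this hunk), note that `.length` counts UTF-16 code units rather than bytes of key material, so it is only a rough proxy for the 256-bit minimum in RFC 7518. The message also does not say whether the variable was missing or merely too short, which slows diagnosis of a misconfigured deployment; keeping the value itself out of the log is correct and should stay that way.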