From 040d6625dfd635424047a113edef18bd71729106 Mon Sep 17 00:00:00 2001
From: Philip Okugbe <16838612+Philipinho@users.noreply.github.com>
Date: Thu, 6 Feb 2025 17:46:32 +0000
Subject: [PATCH] fix: enforce 32-character minimum length for APP_SECRET (#702)
* Enforce 32 characters minimum APP_SECRET length
* update APP_SECRET comment
---
 .env.example | 2 +-
 .../src/integrations/environment/environment.validation.ts | 2 ++
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/.env.example b/.env.example
index 6d24e2b0..1ac9a3fc 100644
--- a/.env.example
+++ b/.env.example
@@ -2,7 +2,7 @@ APP_URL=http://localhost:3000
 PORT=3000
-# make sure to replace this.
+# minimum of 32 characters. Generate one with: openssl rand -hex 32
 APP_SECRET=REPLACE_WITH_LONG_SECRET
 JWT_TOKEN_EXPIRES_IN=30d
diff --git a/apps/server/src/integrations/environment/environment.validation.ts b/apps/server/src/integrations/environment/environment.validation.ts
index cba438e6..fd0b33e7 100644
--- a/apps/server/src/integrations/environment/environment.validation.ts
+++ b/apps/server/src/integrations/environment/environment.validation.ts
@@ -4,6 +4,7 @@ import {
 IsNotIn,
 IsOptional,
 IsUrl,
+ MinLength,
 validateSync,
 } from 'class-validator';
 import { plainToInstance } from 'class-transformer';
@@ -36,6 +37,7 @@ export class EnvironmentVariables {
 APP_URL: string;
 @IsNotEmpty()
+ @MinLength(32)
 @IsNotIn(['REPLACE_WITH_LONG_SECRET'])
 APP_SECRET: string;
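Review bot: The added `@MinLength(32)` on `APP_SECRET` means a real but too-short secret now fails validation, where before only an empty value or the placeholder did, so the code that reports the `validateSync` result must not echo the rejected value. That reporting code is outside this hunk, so this is unverified here; if it prints the `ValidationError` objects, passing `validationError: { target: false, value: false }` to `validateSync` keeps the secret out of startup logs. Separately, the decorator is a length floor rather than an entropy check (32 repeated characters pass), which is worth a one-line comment above it such as `// length floor only; generate with a CSPRNG, e.g. openssl rand -hex 32`. The `EnvironmentVariables` class begins and ends outside the hunk.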