feat: validate env and add security

+65 -1
+65 -1
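--- a/src/index.ts
+++ b/src/index.ts
@@ -57,10 +57,38 @@
 
   if (missing.length > 0) {
     console.warn(
-      `[Startup] Missing required envivonment variables: ${missing.join(", ")}`,
+      `[Startup] Missing required environment variables: ${missing.join(", ")}`,
+    );
+    process.exit(1);
+  }
+
+  // Validate ORIGIN is HTTPS in production
+  const origin = process.env.ORIGIN!;
+  const rpId = process.env.RP_ID!;
+  const nodeEnv = process.env.NODE_ENV || "development";
+
+  if (nodeEnv === "production" && !origin.startsWith("https://")) {
+    console.error(
+      `[Startup] ORIGIN must use HTTPS in production (got: ${origin})`,
     );
     process.exit(1);
   }
+
+  // Validate RP_ID matches ORIGIN domain
+  try {
+    const originUrl = new URL(origin);
+    if (originUrl.hostname !== rpId) {
+      console.error(
+        `[Startup] RP_ID must match ORIGIN domain (ORIGIN: ${originUrl.hostname}, RP_ID: ${rpId})`,
+      );
+      process.exit(1);
+    }
+  } catch {
+    console.error(`[Startup] Invalid ORIGIN URL format: ${origin}`);
+    process.exit(1);
+  }
+
+  console.log(`[Startup] Environment validated (${nodeEnv} mode)`);
 })();
 
 const server = Bun.serve({
@@ -75,6 +103,42 @@
     "/profile": profileHTML,
     "/docs": docsHTML,
     "/apps": appsHTML,
+    // Well-known endpoints
+    "/.well-known/security.txt": () =>
+      new Response(
+        `# Security Contact Information for Indiko
+# See: https://securitytxt.org/
+
+Contact: mailto:security@dunkirk.sh
+Expires: 2026-12-31T23:59:59.000Z
+Preferred-Languages: en
+Canonical: ${env.ORIGIN}/.well-known/security.txt
+
+# Reporting Security Vulnerabilities
+#
+# If you discover a security vulnerability in Indiko, please report it
+# responsibly by emailing security@dunkirk.sh with:
+#
+# - Description of the vulnerability
+# - Steps to reproduce
+# - Potential impact assessment
+# - Any suggested fixes (optional)
+#
+# Please do not open public issues for security vulnerabilities.
+# You will receive a response within 48 hours.
+#
+# We appreciate responsible disclosure and will credit researchers
+# who report vulnerabilities (unless you prefer to remain anonymous).
+
+Policy: https://github.com/taciturnaxolotl/indiko/blob/main/SECURITY.md
+Acknowledgments: https://github.com/taciturnaxolotl/indiko/blob/main/SECURITY.md#security-audit-history
+`,
+        {
+          headers: {
+            "Content-Type": "text/plain; charset=utf-8",
+          },
+        },
+      ),
     // API endpoints
     "/api/hello": hello,
     "/api/users": listUsers,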
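Review bot: The HTTPS requirement in the first hunk is fail-open: `const nodeEnv = process.env.NODE_ENV || "development"` means a deployment that never sets NODE_ENV is treated as development and the `origin.startsWith("https://")` check is skipped, so an http:// ORIGIN can reach a live instance unnoticed. Because ORIGIN and RP_ID appear to be the relying-party values the authentication flow trusts, consider gating on an explicit opt-out instead, `if (nodeEnv !== "development" && nodeEnv !== "test" && !origin.startsWith("https://")) {`, or at minimum log a warning when NODE_ENV is unset. The `originUrl.hostname !== rpId` equality is stricter than the registrable-suffix rule WebAuthn allows for an RP ID, which is safe but deserves a comment such as `// Deliberately stricter than the spec: RP_ID must equal the ORIGIN host` so nobody "fixes" it later; the enclosing IIFE begins before this hunk. In the second hunk, `Expires: 2026-12-31T23:59:59.000Z` is a hard-coded literal that will silently go stale and make the file invalid under RFC 9116, so deriving it from the startup date (or tracking it as a constant with a renewal note) would keep the contact information trustworthy.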