Summary
The server starts without validating that critical environment variables are set. If SMB_ADDRESS or CORS_ORIGIN are missing the application silently falls back to defaults (http://localhost:8080 and an empty/undefined value) which can mask misconfiguration in production.
Note: DB_CONNECTION_STRING is already tracked in #225. This issue covers the two remaining required env vars.
Risk
SMB_ADDRESS missing: all SFU/SMB calls silently target localhost:8080 — works in local dev but silently fails in a production container without the right value.CORS_ORIGIN missing/undefined: the CORS delegator may allow unintended origins on non-WHIP/WHEP routes, potentially enabling cross-origin attacks.
Proposed fix
In src/server.ts (startup), add validation before app.listen():
const REQUIRED_ENV = ['SMB_ADDRESS', 'CORS_ORIGIN'] as const;
for (const key of REQUIRED_ENV) {
if (!process.env[key]) {
console.error(`Missing required environment variable: ${key}`);
process.exit(1);
}
}Priority: MEDIUM (P2)
Related: #225 (DB_CONNECTION_STRING validation)
Summary
The server starts without validating that critical environment variables are set. If
SMB_ADDRESSorCORS_ORIGINare missing the application silently falls back to defaults (http://localhost:8080and an empty/undefined value) which can mask misconfiguration in production.Note:
DB_CONNECTION_STRINGis already tracked in #225. This issue covers the two remaining required env vars.Risk
SMB_ADDRESSmissing: all SFU/SMB calls silently targetlocalhost:8080— works in local dev but silently fails in a production container without the right value.CORS_ORIGINmissing/undefined: the CORS delegator may allow unintended origins on non-WHIP/WHEP routes, potentially enabling cross-origin attacks.Proposed fix
In
src/server.ts(startup), add validation beforeapp.listen():Priority: MEDIUM (P2)
Related: #225 (DB_CONNECTION_STRING validation)