Remove runtime secret placeholder validation that breaks deployments#527
Open
ChristianPavilonis wants to merge 4 commits intomainfrom
Open
Remove runtime secret placeholder validation that breaks deployments#527ChristianPavilonis wants to merge 4 commits intomainfrom
ChristianPavilonis wants to merge 4 commits intomainfrom
Conversation
ChristianPavilonis
requested review from
aram356 and
prk-Jr
and removed request for
aram356
aram356
requested changes
Mar 20, 2026
Collaborator
aram356
left a comment
aram356
left a comment
There was a problem hiding this comment.
@ChristianPavilonis Please resolve conflicts. Thanks
The runtime placeholder checks introduced in #467 reject known placeholder values for synthetic.secret_key and publisher.proxy_secret at startup. The expanded placeholder list and case-insensitive matching now catches deployments that were previously working. Remove the runtime validation, the InsecureDefault error variant, and all associated tests and docs while keeping the existing non-empty validation for secret_key.
ChristianPavilonis
force-pushed
the
revert/secret-validation-changes
branch
from
0778303 to
2e706ad
Compare
aram356
requested changes
Mar 20, 2026
Collaborator
aram356
left a comment
aram356
left a comment
There was a problem hiding this comment.
Summary
Clean removal of the runtime placeholder secret validation that was breaking existing deployments (#526). The deletion is thorough — error variant, constants, methods, tests, docs, and build comments are all removed in lockstep. Non-empty validation for both secrets is preserved.
Blocking
🔧 wrench
- Test asserts placeholder secrets load with no acknowledgement: The replacement
test_get_settingsasserts that embedded placeholder secrets ("trusted-server","change-me-proxy-secret") load successfully without explaining why this is expected. Also uses a redundantassert!(is_ok) + expect()pattern. (settings_data.rs:50-56)
❓ question
- No
log::warn!for placeholder secrets at startup: The PR removes the hard error but adds zero feedback when cryptographic secrets match known defaults. The existingproxy.certificate_checkalready useslog::warn!("INSECURE: ...")for the same class of concern. Was a deliberate decision made to have no runtime warning? A warn-instead-of-error approach would unblock deployments while preserving observability forsecret_key(HMAC-SHA256) andproxy_secret(XChaCha20-Poly1305). (settings_data.rs:37-43)
Non-blocking
🤔 thinking
- Removing all placeholder detection eliminates defense-in-depth for crypto secrets:
proxy_secretis used as a key for XChaCha20-Poly1305 encryption/decryption and HMAC signing.secret_keyfeeds HMAC-SHA256 for synthetic IDs. A known default key means anyone can decrypt proxied URLs or forge IDs. The issue says "team decided this should be a no-fix for now" — valid for unblocking, but worth noting this removes the guardrail entirely rather than softening it.
⛏ nitpick
- Generic test name:
test_get_settings→ considerget_settings_loads_embedded_toml_successfullyto describe what it verifies. (settings_data.rs:50)
CI Status
- fmt: PASS
- clippy: PENDING
- rust tests: PENDING
- js tests: PASS
- docs format: PASS
- ts format: PASS
- Rename test to get_settings_loads_embedded_toml_successfully - Remove redundant assert!(is_ok) pattern, keep only expect() - Add comment explaining why placeholder secrets are expected in tests - Add log::warn! when secret_key or proxy_secret match default placeholders
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
synthetic.secret_keyandpublisher.proxy_secretat startup, breaking previously working deploymentssecret_key— only the expanded placeholder list and case-insensitive matching are removedInsecureDefaulterror variant, all placeholder detection methods, and related documentationChanges
crates/common/src/settings.rsPROXY_SECRET_PLACEHOLDERS,is_placeholder_proxy_secret(),SECRET_KEY_PLACEHOLDERS,is_placeholder_secret_key(),reject_placeholder_secrets(), and 6 associated testscrates/common/src/settings_data.rsreject_placeholder_secrets()call; replace placeholder-rejection tests with smoke test verifying embedded TOML loadscrates/common/src/error.rsInsecureDefault { field: String }variant and itsstatus_codematch armcrates/common/build.rsdocs/guide/configuration.mdCloses
Closes #526
Test plan
cargo test --workspacecargo clippy --all-targets --all-features -- -D warningscargo fmt --all -- --checkcd crates/js/lib && npx vitest runcd crates/js/lib && npm run formatChecklist
unwrap()in production code — useexpect("should ...")tracingmacros (notprintln!)