Guard against dev-default RENDERER_PASSWORD in production

ihabadham · claude · ihabadham · commit 0eb94af9a3cb · 2026-04-22T07:25:19.000+02:00
The Pro renderer's JS side raises if RENDERER_PASSWORD is unset in
production, but accepts the literal "local-dev-renderer-password"
value. A CP secret misconfigured to that string (easy to happen when
copying from .env.example) would let both sides "match" while running
with no real authentication.

Split the branch by Rails.env.local?:
- dev/test keeps the .presence || default fallback so blank env vars
  still work for local development
- production fetches strict and raises if blank, unset, or the literal
  dev default

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/config/initializers/react_on_rails_pro.rb b/config/initializers/react_on_rails_pro.rb
@@ -12,10 +12,25 @@
 
   config.renderer_url = ENV.fetch("RENDERER_URL", "http://localhost:3800")
 
-  # Must match the password in renderer/node-renderer.js. Use .presence so
-  # a blank value (e.g. the literal `RENDERER_PASSWORD=` that ships in
-  # .env.example) falls back to the dev default. ENV.fetch would leave
-  # Rails with "" while the renderer treats "" as unset via `||`,
-  # producing a silent auth mismatch.
-  config.renderer_password = ENV["RENDERER_PASSWORD"].presence || "local-dev-renderer-password"
+  # Must match the password in renderer/node-renderer.js.
+  #
+  # Dev/test: blank or unset falls back to the dev default, so .env.example's
+  # literal `RENDERER_PASSWORD=` still works. `.presence` matches the JS
+  # side's `||` fallback (which treats "" as falsy).
+  #
+  # Production: raise loudly if blank, unset, or still the dev default. The
+  # Pro renderer's JS side guards against unset in production but accepts
+  # the literal dev-default value. If someone set the CP secret to the
+  # well-known dev password, both sides would "match" but renderer auth
+  # would be effectively disabled. This closes that gap.
+  config.renderer_password =
+    if Rails.env.local?
+      ENV["RENDERER_PASSWORD"].presence || "local-dev-renderer-password"
+    else
+      pw = ENV["RENDERER_PASSWORD"]
+      if pw.blank? || pw == "local-dev-renderer-password"
+        raise "RENDERER_PASSWORD must be set to a non-empty, non-default value in production"
+      end
+      pw
+    end
 end
