fix(env): use readServerEnv for AUTH_SECRET and CSRF_SECRET on Netlify

LesiaUKR · LesiaUKR · commit 99abec97057e · 2026-03-29T15:56:36.000+01:00
Switch server secret reads from process.env to readServerEnv() in auth and CSRF modules.
This adds Netlify runtime fallback (Netlify.env.get) and prevents 5xx/502 when process.env is empty.
Fail-closed behavior is preserved if secrets are truly missing.
diff --git a/frontend/lib/auth.ts b/frontend/lib/auth.ts
@@ -6,11 +6,12 @@ import { cookies } from 'next/headers';
 
 import { db } from '@/db';
 import { users } from '@/db/schema/users';
+import { readServerEnv } from '@/lib/env/server-env';
 
 const AUTH_COOKIE_NAME = 'auth_session';
 const AUTH_TOKEN_MAX_AGE = 60 * 60 * 24 * 7; // 7 days
 
-const _AUTH_SECRET = process.env.AUTH_SECRET;
+const _AUTH_SECRET = readServerEnv('AUTH_SECRET');
 
 if (!_AUTH_SECRET) {
   throw new Error('AUTH_SECRET is not defined');
diff --git a/frontend/lib/security/csrf.ts b/frontend/lib/security/csrf.ts
@@ -4,11 +4,13 @@ import crypto from 'node:crypto';
 
 import type { NextRequest } from 'next/server';
 
+import { readServerEnv } from '@/lib/env/server-env';
+
 export const CSRF_FORM_FIELD = 'csrfToken' as const;
 
 const DEFAULT_TTL_SECONDS = 60 * 60;
 function getSecret(): string {
-  const secret = process.env.CSRF_SECRET;
+  const secret = readServerEnv('CSRF_SECRET');
   if (!secret) throw new Error('Missing env var: CSRF_SECRET');
   return secret;
 }
