From 99abec97057e83827676826e47c95abbf3094fb5 Mon Sep 17 00:00:00 2001
From: Lesia Soloviova
Date: Sun, 29 Mar 2026 15:56:36 +0100
Subject: [PATCH] fix(env): use readServerEnv for AUTH_SECRET and CSRF_SECRET on Netlify Switch server secret reads from process.env to readServerEnv() in auth and CSRF modules. This adds Netlify runtime fallback (Netlify.env.get) and prevents 5xx/502 when process.env is empty. Fail-closed behavior is preserved if secrets are truly missing.
---
 frontend/lib/auth.ts | 3 ++-
 frontend/lib/security/csrf.ts | 4 +++-
 2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/frontend/lib/auth.ts b/frontend/lib/auth.ts
index c83ec152..751222e8 100644
--- a/frontend/lib/auth.ts
+++ b/frontend/lib/auth.ts
@@ -6,11 +6,12 @@ import { cookies } from 'next/headers';
 import { db } from '@/db';
 import { users } from '@/db/schema/users';
+import { readServerEnv } from '@/lib/env/server-env';
 const AUTH_COOKIE_NAME = 'auth_session';
 const AUTH_TOKEN_MAX_AGE = 60 * 60 * 24 * 7; // 7 days
-const _AUTH_SECRET = process.env.AUTH_SECRET;
+const _AUTH_SECRET = readServerEnv('AUTH_SECRET');
 if (!_AUTH_SECRET) {
 throw new Error('AUTH_SECRET is not defined');
diff --git a/frontend/lib/security/csrf.ts b/frontend/lib/security/csrf.ts
index cfb6e481..6346d723 100644
--- a/frontend/lib/security/csrf.ts
+++ b/frontend/lib/security/csrf.ts
@@ -4,11 +4,13 @@ import crypto from 'node:crypto';
 import type { NextRequest } from 'next/server';
+import { readServerEnv } from '@/lib/env/server-env';
+
 export const CSRF_FORM_FIELD = 'csrfToken' as const;
 const DEFAULT_TTL_SECONDS = 60 * 60;
 function getSecret(): string {
- const secret = process.env.CSRF_SECRET;
+ const secret = readServerEnv('CSRF_SECRET');
 if (!secret) throw new Error('Missing env var: CSRF_SECRET');
 return secret;
 }
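Review bot: `_AUTH_SECRET` in frontend/lib/auth.ts is still resolved once at module scope, so the new fallback only helps if the Netlify runtime value is already readable when the module is first evaluated; that is not visible in this hunk and should be confirmed. If it is not, the `throw` below fires at import time and the 5xx this commit targets would remain. csrf.ts reads its secret at call time inside `getSecret()`, and auth.ts could follow the same shape with a small `getAuthSecret()` that calls `readServerEnv('AUTH_SECRET')` and throws when the result is empty. The code that consumes `_AUTH_SECRET` lies outside the hunk and would need to call the getter instead.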
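Review bot: The `if (!secret)` guard in `getSecret()` rejects only an empty or undefined value, so a whitespace-only or very short `CSRF_SECRET` from either source is accepted. The same holds for the `!_AUTH_SECRET` check in auth.ts. How the secret is used is outside the hunk, but if it keys the token signature, a tighter guard is worthwhile now that a second source exists, for example `if (!secret || secret.trim().length < MIN_SECRET_LENGTH) throw new Error('Missing env var: CSRF_SECRET');`, where `MIN_SECRET_LENGTH` is a constant you would introduce. `readServerEnv` is not shown, so also confirm it returns `undefined` rather than a default when both sources are empty. A comment above `getSecret()` would record the contract: `// Throws when CSRF_SECRET is unset; callers must reject the request, never skip verification.`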