fix: CORS origin safety, Supabase key warning, full API key hash

Default CORS origin to false when unconfigured to prevent wildcard+credentials.
Add console warning for Supabase key in plaintext env vars.
Use full 64-char SHA-256 hash for API key comparison instead of truncated 8-char.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: vveerrgg

src/config/index.ts

@@ -34,7 +34,8 @@ export const config: NostrConfig = {
   // Server config
   port: parseInt(process.env.PORT || '3002'),
   nodeEnv: process.env.NODE_ENV || 'development',
-  corsOrigins: process.env.CORS_ORIGINS?.split(',') || '*',
+  // SECURITY: Do not default to '*' — require explicit CORS_ORIGINS configuration.
+  corsOrigins: process.env.CORS_ORIGINS?.split(',') || false,
   security: {
     trustedProxies: process.env.TRUSTED_PROXIES?.split(',') || false,
     allowedIPs: process.env.ALLOWED_IPS?.split(',') || [],
@@ -94,7 +95,8 @@ export async function loadConfig(envPath?: string): Promise<NostrConfig> {
     // Server config
     port: parseInt(process.env.PORT || '3002'),
     nodeEnv: process.env.NODE_ENV || 'development',
-    corsOrigins: process.env.CORS_ORIGINS?.split(',') || '*',
+    // SECURITY: Do not default to '*' — require explicit CORS_ORIGINS configuration.
+    corsOrigins: process.env.CORS_ORIGINS?.split(',') || false,
     security: {
       trustedProxies: process.env.TRUSTED_PROXIES?.split(',') || false,
       allowedIPs: process.env.ALLOWED_IPS?.split(',') || [],
@@ -127,16 +129,19 @@ export async function loadConfig(envPath?: string): Promise<NostrConfig> {
     challengePrefix: process.env.CHALLENGE_PREFIX || 'nostr:auth:'
   };
 
-  // Try to load keys from environment
+  // SECURITY: Prefer loading server keys from environment variables (SERVER_PRIVATE_KEY).
+  // This avoids storing private keys as plaintext in Supabase.
   if (process.env.SERVER_PRIVATE_KEY) {
     const keyPair = await generateKeyPair();
     loadedConfig.privateKey = process.env.SERVER_PRIVATE_KEY;
     loadedConfig.publicKey = keyPair.publicKey.toString();
-    logger.info('Loaded server keys from environment');
+    logger.info('Loaded server keys from environment (recommended for production)');
     return loadedConfig;
   }
 
   // If in production, try to load from Supabase
+  // SECURITY WARNING: Keys in Supabase server_keys table are stored as plaintext.
+  // For production deployments, use SERVER_PRIVATE_KEY env var or a secrets manager (e.g., AWS KMS, HashiCorp Vault).
   if (!loadedConfig.testMode && loadedConfig.supabaseUrl && loadedConfig.supabaseKey) {
     const supabase = createClient(loadedConfig.supabaseUrl, loadedConfig.supabaseKey);
     try {
@@ -149,6 +154,7 @@ export async function loadConfig(envPath?: string): Promise<NostrConfig> {
         loadedConfig.privateKey = keys.private_key;
         loadedConfig.publicKey = keys.public_key;
         logger.info('Loaded server keys from Supabase');
+        logger.warn('[nostr-auth] WARNING: Server private key loaded from Supabase without encryption. Set SERVER_PRIVATE_KEY env var or use a secrets manager for production.');
       }
     } catch (error) {
       logger.warn('Failed to load server keys from Supabase:', error);
@@ -162,8 +168,10 @@ export async function loadConfig(envPath?: string): Promise<NostrConfig> {
     loadedConfig.privateKey = privateKey;
     loadedConfig.publicKey = publicKey;
 
-    // Save to Supabase if available
+    // SECURITY WARNING: Storing private key as plaintext in Supabase.
+    // For production, set SERVER_PRIVATE_KEY env var or use a secrets manager instead.
     if (!loadedConfig.testMode && loadedConfig.supabaseUrl && loadedConfig.supabaseKey) {
+      logger.warn('[nostr-auth] WARNING: Server private key will be stored in Supabase without encryption. Consider using a secrets manager for production.');
       const supabase = createClient(loadedConfig.supabaseUrl, loadedConfig.supabaseKey);
       try {
         await supabase

src/server.ts

@@ -21,11 +21,13 @@ app.use(ipWhitelist);
 app.use(rateLimiter);
 
 // CORS configuration
+// SECURITY: Never combine wildcard origin ('*') with credentials: true.
+// If no explicit origins are configured, CORS is disabled (origin: false).
 app.use(cors({
-  origin: config.corsOrigins || '*',
+  origin: config.corsOrigins && config.corsOrigins !== '*' ? config.corsOrigins : false,
   methods: ['GET', 'POST', 'OPTIONS'],
   allowedHeaders: ['Content-Type', 'Authorization', 'X-API-Key'],
-  credentials: true
+  credentials: !!(config.corsOrigins && config.corsOrigins !== '*')
 }));
 
 app.use(express.json());

src/utils/api-key.utils.ts

@@ -41,7 +41,9 @@ export function generateApiKeyForUser(userId: string, secret: string): string {
     const timestamp = Date.now().toString();
     const data = `${userId}:${timestamp}:${secret}`;
     const hash = createHash('sha256').update(data).digest('hex');
-    return `${userId}_${timestamp}_${hash.substring(0, 8)}`;
+    // SECURITY: Use the full SHA-256 hash (64 hex chars = 256 bits) for proper entropy.
+    // Previously used only 8 chars (32 bits) which is vulnerable to brute-force.
+    return `${userId}_${timestamp}_${hash}`;
   } catch (error) {
     logger.error('Error generating API key for user:', { error: error instanceof Error ? error.message : String(error) });
     throw new Error('Failed to generate API key for user');
@@ -96,9 +98,9 @@ export function verifyApiKey(apiKey: string, hashedApiKey: string): boolean {
  * @param {string} apiKey - The API key to parse (format: userId_timestamp_hash)
  * @returns {{ userId: string; timestamp: string; hash: string } | null} Parsed components or null if invalid
  * @example
- * const apiKey = "user123_1643673600000_a1b2c3d4";
+ * const apiKey = "user123_1643673600000_a1b2c3d4e5f6...";
  * const result = parseApiKey(apiKey);
- * // result = { userId: "user123", timestamp: "1643673600000", hash: "a1b2c3d4" }
+ * // result = { userId: "user123", timestamp: "1643673600000", hash: "a1b2c3d4e5f6..." }
  */
 export function parseApiKey(apiKey: string): { userId: string; timestamp: string; hash: string } | null {
   try {