comments

aadesh18 · aadesh18 · commit b6c69f33ff72 · 2026-05-15T11:57:07.000-07:00
diff --git a/docker/server/.env b/docker/server/.env
@@ -4,7 +4,6 @@ NEXT_PUBLIC_STACK_DASHBOARD_URL=# https://your-dashboard-domain.com, this will b
 STACK_DATABASE_CONNECTION_STRING=# postgres connection string
 
 STACK_SERVER_SECRET=# a 32 bytes base64url encoded random string, used for JWT encryption. can be generated with `pnpm generate-keys`
-STACK_SERVER_SECRET_OLD=# set to the previous STACK_SERVER_SECRET during a rotation. Accepted for verification only. Remove after the grace window.
 
 # seed script settings
 STACK_SEED_INTERNAL_PROJECT_SIGN_UP_ENABLED=# true to enable user sign up to the dashboard when seeding
diff --git a/docker/server/.env.example b/docker/server/.env.example
@@ -5,9 +5,7 @@ NEXT_PUBLIC_STACK_DASHBOARD_URL=http://localhost:8101
 
 STACK_DATABASE_CONNECTION_STRING=postgres://postgres:password@host.docker.internal:8128/stackframe
 
-STACK_SERVER_SECRET=_q4Ujch47RpWiydX_FJZDH6gKm1q5z1Ve6y8hfqWpks
-# Remove after the grace window
-STACK_SERVER_SECRET_OLD=23-wuNpik0gIW4mruTz25rbIvhuuvZFrLOLtL7J4tyo
+STACK_SERVER_SECRET=23-wuNpik0gIW4mruTz25rbIvhuuvZFrLOLtL7J4tyo
 
 STACK_SEED_INTERNAL_PROJECT_ALLOW_LOCALHOST=true
 STACK_SEED_INTERNAL_PROJECT_SIGN_UP_ENABLED=true
diff --git a/packages/stack-shared/src/utils/jwt.test.ts b/packages/stack-shared/src/utils/jwt.test.ts
@@ -23,8 +23,8 @@ async function buildOidcCookieKeys(): Promise<string[]> {
 }
 
 // Steady state (not mid-rotation): primary is set, `_OLD` is unset. This is the code
-// path a deployment is in between rotations — exercises the early-return `""` branch in
-// `getOldStackServerSecret` and the falsy short-circuit in `getPrivateJwks`.
+// path a deployment is in between rotations — exercises the early-return `null` branch in
+// `getOldStackServerSecret` and the null-check short-circuit in `getPrivateJwks`.
 function setSteadyStateEnv(secret: string) {
   process.env.STACK_SERVER_SECRET = secret;
   delete process.env.STACK_SERVER_SECRET_OLD;
diff --git a/packages/stack-shared/src/utils/jwt.tsx b/packages/stack-shared/src/utils/jwt.tsx
@@ -21,15 +21,15 @@ function getStackServerSecret() {
 }
 
 /**
- * Returns the previous `STACK_SERVER_SECRET`
+ * Returns the previous `STACK_SERVER_SECRET` during a rotation, or `null` if none is set.
  *
  * When set, keys derived from this secret are accepted for verification (JWTs and OIDC cookies)
  * but never used for signing new artifacts. Remove the env var once the grace window has
  * elapsed — see the self-host rotation runbook.
  */
-export function getOldStackServerSecret(): string {
-  const STACK_SERVER_SECRET_OLD = getEnvVariable("STACK_SERVER_SECRET_OLD", "");
-  if (!STACK_SERVER_SECRET_OLD) return "";
+export function getOldStackServerSecret(): string | null {
+  const STACK_SERVER_SECRET_OLD = process.env.STACK_SERVER_SECRET_OLD;
+  if (!STACK_SERVER_SECRET_OLD) return null;
   try {
     jose.base64url.decode(STACK_SERVER_SECRET_OLD);
   } catch (e) {
@@ -147,7 +147,7 @@ export async function getPrivateJwks(options: {
   const primarySecret = getStackServerSecret();
   const oldSecret = getOldStackServerSecret();
   const primaryPair = await derivePairForSecret(primarySecret);
-  const oldPair = oldSecret && oldSecret !== primarySecret ? await derivePairForSecret(oldSecret) : [];
+  const oldPair = oldSecret !== null && oldSecret !== primarySecret ? await derivePairForSecret(oldSecret) : [];
 
   // Signing uses index 0 (primary secret, legacy derivation). Verify accepts all entries.
   return [...primaryPair, ...oldPair];
