VALYU_CLIENT_SECRET used with non-null assertion — crash when absent #35
Open
Description
- Context: Cloud
- Category: Vulnerability (Denial of Service / Information Disclosure)
- Severity: Medium
Evidence
```ts
// app/api/oauth/token/route.ts
const clientId = process.env.NEXT_PUBLIC_VALYU_CLIENT_ID!;
const clientSecret = process.env.VALYU_CLIENT_SECRET!;
const basicAuth = Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
```

The `!` non-null assertion suppresses TypeScript errors but provides no runtime safety. If `VALYU_CLIENT_SECRET` is absent (e.g., in self-hosted mode, or due to a misconfigured deployment), the value is `undefined`, and the `Buffer.from("clientId:undefined")` call succeeds silently — producing a malformed but non-empty `Authorization: Basic` header. This is then forwarded to the auth server, which may return a descriptive error that is relayed back to the client as `details: errorData`.
Affected files: app/api/oauth/token/route.ts
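Added example (not code from the repository): the unguarded pattern from the evidence next to a guarded builder that validates the variables at runtime and fails closed with a generic error instead of forwarding a malformed header. `requireEnv`, `MissingConfigError`, `sampleEnv` and the `env` parameter are illustrative names; the sample environment is constructed with the secret deliberately absent.

```typescript
// Mirrors the pattern in route.ts: `!` only silences the compiler, so with the
// secret unset the template literal interpolates the string "undefined".
function unsafeBasicAuth(env: Record<string, string | undefined>): string {
  const clientId = env.NEXT_PUBLIC_VALYU_CLIENT_ID!;
  const clientSecret = env.VALYU_CLIENT_SECRET!;
  return Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
}

// Hypothetical error type: carries the variable name for server-side logging
// while the message itself stays generic enough to return to a client.
class MissingConfigError extends Error {
  constructor(public readonly variable: string) {
    super("server configuration error");
    this.name = "MissingConfigError";
  }
}

// Read a required variable and refuse to continue when it is unset or blank.
function requireEnv(env: Record<string, string | undefined>, name: string): string {
  const value = env[name];
  if (value === undefined || value.trim() === "") {
    throw new MissingConfigError(name);
  }
  return value;
}

// Guarded builder: the header is only ever built from two real values.
function safeBasicAuth(env: Record<string, string | undefined>): string {
  const clientId = requireEnv(env, "NEXT_PUBLIC_VALYU_CLIENT_ID");
  const clientSecret = requireEnv(env, "VALYU_CLIENT_SECRET");
  return Buffer.from(`${clientId}:${clientSecret}`).toString("base64");
}

// Decode a Basic credential back to "id:secret" so the defect is visible.
function decodeBasicAuth(b64: string): string {
  return Buffer.from(b64, "base64").toString("utf8");
}

// Constructed sample environment: the client id is set, the secret is missing.
const sampleEnv: Record<string, string | undefined> = {
  NEXT_PUBLIC_VALYU_CLIENT_ID: "example-client-id",
};

// Runs both builders against the broken environment and reports the outcome.
function demo(): { unsafe: string; safeError: string | null } {
  const unsafe = decodeBasicAuth(unsafeBasicAuth(sampleEnv));
  let safeError: string | null = null;
  try {
    safeBasicAuth(sampleEnv);
  } catch (e) {
    safeError = e instanceof MissingConfigError ? e.variable : String(e);
  }
  return { unsafe, safeError };
}
```

In a route handler the `MissingConfigError` would map to a fixed 500 response, with the variable name logged server-side only, so neither the malformed header nor the upstream `errorData` reaches the client.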
Metadata
Assignees
Labels
No labels