diff --git a/.env.example b/.env.example index b1cab5a5..8ec9d57e 100644 --- a/.env.example +++ b/.env.example @@ -1,3 +1,4 @@ DATABASE_URL=postgres://paperclip:paperclip@localhost:5432/paperclip PORT=3100 SERVE_UI=false +BETTER_AUTH_SECRET=paperclip-dev-secret diff --git a/server/src/auth/better-auth.ts b/server/src/auth/better-auth.ts index d338eeb8..881c3072 100644 --- a/server/src/auth/better-auth.ts +++ b/server/src/auth/better-auth.ts @@ -67,7 +67,13 @@ export function deriveAuthTrustedOrigins(config: Config): string[] { export function createBetterAuthInstance(db: Db, config: Config, trustedOrigins?: string[]): BetterAuthInstance { const baseUrl = config.authBaseUrlMode === "explicit" ? config.authPublicBaseUrl : undefined; - const secret = process.env.BETTER_AUTH_SECRET ?? process.env.PAPERCLIP_AGENT_JWT_SECRET ?? "paperclip-dev-secret"; + const secret = process.env.BETTER_AUTH_SECRET ?? process.env.PAPERCLIP_AGENT_JWT_SECRET; + if (!secret) { + throw new Error( + "BETTER_AUTH_SECRET (or PAPERCLIP_AGENT_JWT_SECRET) must be set. " + + "For local development, set BETTER_AUTH_SECRET=paperclip-dev-secret in your .env file.", + ); + } const effectiveTrustedOrigins = trustedOrigins ?? deriveAuthTrustedOrigins(config); const publicUrl = process.env.PAPERCLIP_PUBLIC_URL ?? baseUrl; diff --git a/server/src/index.ts b/server/src/index.ts index a384342f..955aaa16 100644 --- a/server/src/index.ts +++ b/server/src/index.ts @@ -475,13 +475,6 @@ export async function startServer(): Promise { resolveBetterAuthSession, resolveBetterAuthSessionFromHeaders, } = await import("./auth/better-auth.js"); - const betterAuthSecret = - process.env.BETTER_AUTH_SECRET?.trim() ?? process.env.PAPERCLIP_AGENT_JWT_SECRET?.trim(); - if (!betterAuthSecret) { - throw new Error( - "authenticated mode requires BETTER_AUTH_SECRET (or PAPERCLIP_AGENT_JWT_SECRET) to be set", - ); - } const derivedTrustedOrigins = deriveAuthTrustedOrigins(config); const envTrustedOrigins = (process.env.BETTER_AUTH_TRUSTED_ORIGINS ?? "") .split(",")