UNPKG

@vendure/core

Version:

A modern, headless ecommerce framework

38 lines 1.86 kB
"use strict"; Object.defineProperty(exports, "__esModule", { value: true }); exports.checkSuperadminCredentials = checkSuperadminCredentials; const shared_constants_1 = require("@vendure/common/lib/shared-constants"); const vendure_logger_1 = require("../../../config/logger/vendure-logger"); const REMEDIATION_HINT = 'Set `authOptions.superadminCredentials` in your VendureConfig — typically wired from environment variables, e.g. ' + '`{ identifier: process.env.SUPERADMIN_USERNAME, password: process.env.SUPERADMIN_PASSWORD }`.'; /** * @description * Verifies that the configured `superadminCredentials.password` is not the * well-known default shipped by `@vendure/common`. Used during bootstrap to * fail loudly in production environments and warn otherwise. * * The default `superadmin` identifier is intentionally allowed — only a * default password is treated as insecure. * * Exported for unit testing — production callers should rely on the default * `process.env.NODE_ENV` and {@link Logger}. */ function checkSuperadminCredentials(credentials, options = {}) { var _a, _b; const usingDefaultPassword = credentials.password === shared_constants_1.SUPER_ADMIN_USER_PASSWORD; if (!usingDefaultPassword) { return; } const nodeEnv = (_a = options.nodeEnv) !== null && _a !== void 0 ? _a : process.env.NODE_ENV; const message = 'Default superadmin password is configured. This is INSECURE and must not be used in production. ' + REMEDIATION_HINT; if (nodeEnv === 'production') { throw new Error(`[Vendure] Refusing to start: ${message}`); } if (nodeEnv === 'test') { return; } const logger = (_b = options.logger) !== null && _b !== void 0 ? _b : vendure_logger_1.Logger; logger.warn(message); } //# sourceMappingURL=check-superadmin-credentials.js.map