@vendure/core
Version:
A modern, headless ecommerce framework
38 lines • 1.86 kB
JavaScript
;
Object.defineProperty(exports, "__esModule", { value: true });
exports.checkSuperadminCredentials = checkSuperadminCredentials;
const shared_constants_1 = require("@vendure/common/lib/shared-constants");
const vendure_logger_1 = require("../../../config/logger/vendure-logger");
const REMEDIATION_HINT = 'Set `authOptions.superadminCredentials` in your VendureConfig — typically wired from environment variables, e.g. ' +
'`{ identifier: process.env.SUPERADMIN_USERNAME, password: process.env.SUPERADMIN_PASSWORD }`.';
/**
* @description
* Verifies that the configured `superadminCredentials.password` is not the
* well-known default shipped by `@vendure/common`. Used during bootstrap to
* fail loudly in production environments and warn otherwise.
*
* The default `superadmin` identifier is intentionally allowed — only a
* default password is treated as insecure.
*
* Exported for unit testing — production callers should rely on the default
* `process.env.NODE_ENV` and {@link Logger}.
*/
function checkSuperadminCredentials(credentials, options = {}) {
var _a, _b;
const usingDefaultPassword = credentials.password === shared_constants_1.SUPER_ADMIN_USER_PASSWORD;
if (!usingDefaultPassword) {
return;
}
const nodeEnv = (_a = options.nodeEnv) !== null && _a !== void 0 ? _a : process.env.NODE_ENV;
const message = 'Default superadmin password is configured. This is INSECURE and must not be used in production. ' +
REMEDIATION_HINT;
if (nodeEnv === 'production') {
throw new Error(`[Vendure] Refusing to start: ${message}`);
}
if (nodeEnv === 'test') {
return;
}
const logger = (_b = options.logger) !== null && _b !== void 0 ? _b : vendure_logger_1.Logger;
logger.warn(message);
}
//# sourceMappingURL=check-superadmin-credentials.js.map