feat: security and auditing

api/src/app/plugins/auth.ts

@@ -23,13 +23,34 @@ declare module "@fastify/jwt" {
   }
 }
 
+const getJwtSecret = (): string => {
+  const secret = process.env.JWT_SECRET;
+  if (!secret) {
+    throw new Error("JWT_SECRET environment variable is required");
+  }
+  return secret;
+};
+
 const authPlugin: FastifyPluginAsync = async (app) => {
+  const jwtSecret = getJwtSecret();
+
+  // Register cookie plugin with signing secret
+  app.register(fastifyCookie, {
+    secret: jwtSecret,
+  });
+
   // Register JWT plugin
   app.register(fastifyJwt, {
-    secret: process.env.JWT_SECRET || "your-secret-key",
+    secret: jwtSecret,
+    sign: {
+      algorithm: "HS256",
+    },
+    verify: {
+      algorithms: ["HS256"],
+    },
     cookie: {
       cookieName: "auth-token",
-      signed: false,
+      signed: true,
     },
     formatUser: (payload: { sub: string; email?: string; username: string; isAdmin: boolean }) => {
       return {
@@ -41,9 +62,6 @@ const authPlugin: FastifyPluginAsync = async (app) => {
     },
   });
 
-  // Register cookie plugin
-  app.register(fastifyCookie);
-
   // Register Discord OAuth2
   app.register(fastifyOauth2, {
     name: "oauth2Discord",