[Fix] Give Discord its own gateway secret (Telegram-style)#409
Merged
mrubens merged 6 commits intoJul 16, 2026
Conversation
Stop Discord gateway↔API auth from falling back to ENCRYPTION_KEY in production-like environments, wire a dedicated secret into deploy templates/installer, and cover the new contract with tests.
Contributor
Author
|
No new code issues found. See task
Reviewed c83aeaf |
Contributor
Author
|
Addressed the open leadership race in c83aeaf:
No review threads to resolve (feedback lived in the top-level summary checklist). |
Ensure host and deploy-script upgrades mint R_DISCORD_GATEWAY_SECRET when missing, document one-time PaaS secret wiring, and include the secret in manual Production Compose generation steps.
Drop all ENCRYPTION_KEY fallbacks for Discord gateway auth. Mint R_DISCORD_GATEWAY_SECRET on Discord save when missing, resolve it from process env or the deployment vault on API and gateway, and supply a local-development default so pnpm dev still works without vault reuse.
Rewrite comments and ops notes to describe R_DISCORD_GATEWAY_SECRET on its own terms without referring to the removed encryption-key fallback.
Re-check R_DISCORD_GATEWAY_SECRET each credential poll so UI-saved secrets start delivery without a BullMQ restart. Write the local-development default into process.env so API and gateway share it, and restore the operator guidance to keep the gateway secret distinct from ENCRYPTION_KEY.
ensureDeliveryLoop re-checks leadership after awaits and the credential poll exits early once the lease is invalid so a former leader cannot spawn a concurrent forwarder while shutting down.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Related issue
Security hardening from P1 Discord gateway auth review (no public issue link).
Why this PR exists
What changed
Discord gateway↔API auth uses only a dedicated
R_DISCORD_GATEWAY_SECRET.process.envso API and gateway matchENCRYPTION_KEY)Why this change was made
Gateway event injection and secret-at-rest protection should not share a key. A dedicated transport secret is generated when Discord is configured, matching how Telegram already handles its webhook secret.
Impact
How it was tested
Checklist
pnpm lintandpnpm check-typespass locallypnpm changeset