Part of #3848 · severity: medium + low (shared root cause)
Root cause
Production hardening is keyed off the literal NODE_ENV === 'production', but the documented deployment model sets NODE_ENV={projectname}. lib/helpers/config.js:84 already defines the correct predicate (DEV_ENVS = {development, test, local}) — it just isn't applied everywhere. So in a real downstream production deployment the literal gate never matches.
Findings (one fix area)
- medium — lib/helpers/responses.js:100: `if (NODE_ENV !== 'production') result.error = safeStringify(error)` leaks the full serialized internal error (field names, codes, mongoose details) to clients in prod. Same defect in the terminal Express error handler (lib/services/express.js).
- low — config/defaults/production.config.js: `api` + `billingPlans` rate limiters silently no-op in downstream prod.
- low — mongoose query `debug: true` left enabled in downstream prod.
- low — swagger docs + full spec exposed by default in downstream prod.
Fix
Export a shared predicate from lib/helpers/config.js:

```js
export const isDevEnv = (env = process.env.NODE_ENV ?? 'development') => DEV_ENVS.has(env);
export const isProd = (env = process.env.NODE_ENV ?? 'development') => !DEV_ENVS.has(env);
```

Apply isProd() everywhere prod hardening is keyed off NODE_ENV: the error responder + terminal handler, swagger expose, mongoose debug, and rate-limiter enablement. Default the production config to secure (swagger off, debug off, limiters enabled).
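As an added example (not the project's own code), the shared predicate from the fix applied to a minimal error responder modelled on lib/helpers/responses.js, showing the literal gate beside the corrected one; the `DEV_ENVS` set, the `safeStringify` stand-in and the response shape are assumptions:

```javascript
// Added example, not the project's code. DEV_ENVS is assumed to be the Set
// defined at lib/helpers/config.js:84; safeStringify is a stand-in.
const DEV_ENVS = new Set(['development', 'test', 'local']);

// Shared predicate: anything outside DEV_ENVS (including NODE_ENV={projectname})
// counts as production, so hardening no longer depends on the literal string.
const isDevEnv = (env = process.env.NODE_ENV ?? 'development') => DEV_ENVS.has(env);
const isProd = (env = process.env.NODE_ENV ?? 'development') => !DEV_ENVS.has(env);

// Stand-in serializer: includes non-enumerable name/message plus any extra
// own fields (error codes, mongoose validation details).
function safeStringify(error) {
  const plain = { name: error.name, message: error.message, ...error };
  try { return JSON.stringify(plain); } catch { return String(error); }
}

// Before: keyed off the literal. With env 'myproject' the error body leaks.
function buildErrorResponseBefore(error, env) {
  const result = { success: false, message: 'Internal error' };
  if (env !== 'production') result.error = safeStringify(error);
  return result;
}

// After: keyed off isProd(); internal details only ever reach dev/test/local.
function buildErrorResponseAfter(error, env) {
  const result = { success: false, message: 'Internal error' };
  if (!isProd(env)) result.error = safeStringify(error);
  return result;
}

// Constructed sample: a mongoose-style validation error carrying field details.
const sampleError = Object.assign(new Error('Validation failed'), {
  name: 'ValidationError',
  errors: { email: { kind: 'required', path: 'email' } },
});

console.log('before:', buildErrorResponseBefore(sampleError, 'myproject')); // has .error
console.log('after: ', buildErrorResponseAfter(sampleError, 'myproject'));  // no .error
```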
Created via /dev:issue