Skip to content

Captcha silently bypassed when RECAPTCHA_SECRET is missing — no NODE_ENV guard #676

Description

@nanaf6203-bit

File: src/auth/auth.service.ts (verifyCaptcha)

Returns true and logs a warning when the secret isn't configured. NODE_ENV is not checked.

Impact: A misconfigured production deploy effectively disables bot protection on /auth/login.

Fix: Only bypass when process.env.NODE_ENV !== 'production'. Throw otherwise.

Metadata

Metadata

Assignees

Labels

Stellar WaveIssues in the Stellar wave programarea/authAuthentication & authorizationbugSomething isn't workingpriority/highHigh prioritysecuritySecurity related

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions