🛡️ Sentinel: [CRITICAL] Fix hardcoded admin credentials

[seonghobae]

🚨 Severity: CRITICAL
💡 Vulnerability: Hardcoded ADMIN_USERNAME and ADMIN_PASSWORD were discovered in packages/web/src/lib/server/admin-auth.ts.
🎯 Impact: Anyone with read access to the repository could discover the administrator credentials, leading to a full authentication bypass and unauthorized administrative access. Furthermore, hardcoded credentials cannot be easily rotated or managed per-environment.
🔧 Fix:

• Added ADMIN_USERNAME and ADMIN_PASSWORD to the Zod environment schema in packages/web/src/lib/server/env.ts to ensure they are required at runtime.
• Replaced the hardcoded strings in admin-auth.ts with references to env.ADMIN_USERNAME and env.ADMIN_PASSWORD, preserving the existing export const API contract.
• Updated packages/web/.env.example and .github/workflows/ci.yml to include the new required environment variables to prevent CI/CD regressions.
• Logged the security learning in .jules/sentinel.md.
  ✅ Verification:
• Run pnpm run build and pnpm lint.
• Verify the CI pipeline passes.
• Try to start the server without setting ADMIN_USERNAME and ADMIN_PASSWORD—it should fail to start.

---

PR created automatically by Jules for task 2027270219903167306 started by @seonghobae

[google-labs-jules]

👋 Jules, reporting for duty! I'm here to lend a hand with this pull request.

When you start a review, I'll add a 👀 emoji to each comment to let you know I've read it. I'll focus on feedback directed at me and will do my best to stay out of conversations between you and other bots or reviewers to keep the noise down.

I'll push a commit with your requested changes shortly after. Please note there might be a delay between these steps, but rest assured I'm on the job!

For more direct control, you can switch me to Reactive Mode. When this mode is on, I will only act on comments where you specifically mention me with @jules. You can find this option in the Pull Request section of your global Jules UI settings. You can always switch back!

New to Jules? Learn more at jules.google/docs.

---

For security, I will only act on instructions from the user who triggered this task.

[coderabbitai]

📝 Walkthrough

Summary by CodeRabbit

• 보안 개선

  • 관리자 자격증명이 더 이상 하드코딩되지 않고 환경 변수로 구성됩니다.
  • 관리자 비밀번호는 최소 8자 이상이어야 하며 런타임에서 검증됩니다.
  • 환경 설정 예제에 관리자 자격증명 템플릿이 추가되었습니다.

• 신뢰성 개선

  • 관리자 로그인 검증 흐름이 비동기 처리로 변경되어 인증 처리의 안전성과 일관성이 향상됩니다.

• CI

  • 빌드 워크플로우에 관리자 자격증명 플레이스홀더가 포함되었습니다.

Walkthrough

관리자 계정 정보를 환경변수로 이동하고 Zod 검증을 추가했으며, PBKDF2 기반 비밀번호 검증으로 로그인 흐름을 비동기화하고 .env.example 및 CI에 플레이스홀더를 추가했습니다.

변경 사항

관리자 자격증명 환경 변수화

Layer / File(s)	Summary
환경 변수 검증 스키마 packages/web/src/lib/server/env.ts	서버 환경 변수 스키마에 ADMIN_USERNAME (trim 후 최소 1자) 및 ADMIN_PASSWORD (trim 후 최소 8자)를 필수로 추가하여 런타임에서 검증합니다.
관리자 인증 구현 업데이트 및 해시 검증 packages/web/src/lib/server/admin-auth.ts	관리자 자격증명을 env에서 읽도록 변경하고 PBKDF2 해시 파라미터와 모듈 초기의 TARGET_PASSWORD_HASH를 도입했습니다. verifyAdminCredentials는 입력 비밀번호를 비동기 pbkdf2로 해시한 뒤 timingSafeEqual로 비교하도록 동작과 시그니처가 변경되었습니다.
로그인 라우트 통합 packages/web/src/app/api/admin/login/route.ts	관리자 로그인 POST 핸들러에서 verifyAdminCredentials 호출을 await 하도록 변경해 비동기 검증을 사용합니다.
환경 설정 및 CI 워크플로우 packages/web/.env.example, .github/workflows/ci.yml	.env.example에 ADMIN_USERNAME/ADMIN_PASSWORD 템플릿을 추가했고, CI의 argos/web build 단계 env에 플레이스홀더를 설정했습니다.
보안 개선 문서화 .jules/sentinel.md	하드코딩된 관리자 자격증명 취약점과 환경변수 전환 및 검증 적용을 기록한 센티넬 항목을 추가했습니다.

Sequence Diagram(s):

sequenceDiagram
  participant Client as 클라이언트
  participant API as POST /api/admin/login
  participant Auth as admin-auth (verifyAdminCredentials)
  Client->>API: 로그인 요청 (username, password)
  API->>Auth: await verifyAdminCredentials({username, password})
  Auth->>Auth: pbkdf2Async(input password) -> 해시 비교(timingSafeEqual) against TARGET_PASSWORD_HASH
  Auth-->>API: 검증 결과 (true/false)
  API-->>Client: 200 + 세션 쿠키 또는 401

Loading

예상 코드 리뷰 노력

🎯 3 (Moderate) | ⏱️ ~20 minutes

시

🐰 환경변수에 숨긴 당근 한 쌈,
PBKDF2로 비밀번호도 감싸네,
Zod가 지키니 런타임도 든든,
CI와 예제엔 플레이스홀더 척척,
토끼가 축하하노라, 튼튼한 보안!

---

Caution

Pre-merge checks failed

Please resolve all errors before merging. Addressing warnings is optional.

• Ignore

❌ Failed checks (1 error)

Check name	Status	Explanation	Resolution
Docstring Coverage	❌ Error	Docstring coverage is 0.00% which is insufficient. The required threshold is 100.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	제목은 PR의 주요 변경사항인 하드코딩된 관리자 자격증명 제거라는 핵심을 명확하게 요약하고 있습니다.
Description check	✅ Passed	설명은 하드코딩된 관리자 자격증명 문제, 영향도, 해결 방법, 검증 방법을 포함하여 변경사항과 충분히 관련이 있습니다.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch sentinel-fix-hardcoded-admin-credentials-2027270219903167306

✨ Simplify code

• Create PR with simplified code
• Commit simplified code in branch sentinel-fix-hardcoded-admin-credentials-2027270219903167306

Warning

Billing warning: we have not been able to collect payment for this subscription for more than 72 hours. Please update the payment method or pay any pending invoices in Billing to avoid service interruption.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.jules/sentinel.md:
- Line 2: Update the sentinel entry heading that currently reads "## 2024-05-24
- [CRITICAL] Fix Hardcoded Admin Credentials in Authentication Logic" so the
date reflects the actual PR creation/fix date (change 2024-05-24 to 2026-06-07);
locate and edit the header line in .jules/sentinel.md (the "## ... - [CRITICAL]
Fix Hardcoded Admin Credentials in Authentication Logic" line) to use the
corrected date.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f5d1fddb-993c-456b-a712-dfd0d04a92ea

📥 Commits

Reviewing files that changed from the base of the PR and between cdf4ce8 and 35e4a20.

📒 Files selected for processing (5)

• .github/workflows/ci.yml
• .jules/sentinel.md
• packages/web/.env.example
• packages/web/src/lib/server/admin-auth.ts
• packages/web/src/lib/server/env.ts

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

센티넬 기록의 날짜를 수정하세요.

문서에 기록된 날짜가 2024-05-24이지만 이 PR은 2026-06-07에 생성되었습니다. 센티넬 기록의 날짜는 실제 수정이 이루어진 날짜를 정확하게 반영해야 합니다.

📝 날짜 수정 제안

-## 2024-05-24 - [CRITICAL] Fix Hardcoded Admin Credentials in Authentication Logic
+## 2026-06-07 - [CRITICAL] Fix Hardcoded Admin Credentials in Authentication Logic

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	## 2024-05-24 - [CRITICAL] Fix Hardcoded Admin Credentials in Authentication Logic
	## 2026-06-07 - [CRITICAL] Fix Hardcoded Admin Credentials in Authentication Logic

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.jules/sentinel.md at line 2, Update the sentinel entry heading that
currently reads "## 2024-05-24 - [CRITICAL] Fix Hardcoded Admin Credentials in
Authentication Logic" so the date reflects the actual PR creation/fix date
(change 2024-05-24 to 2026-06-07); locate and edit the header line in
.jules/sentinel.md (the "## ... - [CRITICAL] Fix Hardcoded Admin Credentials in
Authentication Logic" line) to use the corrected date.

[coderabbitai]

Actionable comments posted: 2

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

packages/web/src/lib/server/admin-auth.ts (1)

10-11: ⚠️ Potential issue | 🟡 Minor

ADMIN_PASSWORD 외부 내보내기(export) 제거 요청 (admin-auth.ts 10-11)

ADMIN_PASSWORD는 TARGET_PASSWORD_HASH를 계산하는 데만 필요하며, 현재 export const ADMIN_PASSWORD로 평문 비밀번호를 모듈 인터페이스에 노출하고 있습니다. ADMIN_PASSWORD를 다른 파일에서 named import로 사용하는 흔적도 없어 const로 비내보내는 게 안전합니다.

🔒 평문 비밀번호 노출 제거

-export const ADMIN_USERNAME = env.ADMIN_USERNAME
-export const ADMIN_PASSWORD = env.ADMIN_PASSWORD
+export const ADMIN_USERNAME = env.ADMIN_USERNAME
+const ADMIN_PASSWORD = env.ADMIN_PASSWORD

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/web/src/lib/server/admin-auth.ts` around lines 10 - 11,
ADMIN_PASSWORD is currently exported but only needed internally to compute
TARGET_PASSWORD_HASH; change export const ADMIN_PASSWORD to a non-exported const
(remove export) and keep export for ADMIN_USERNAME only; update any internal
uses in this module to reference the new local const and ensure no other modules
import ADMIN_PASSWORD (remove or refactor those imports if present) so the
plaintext password is not exposed from admin-auth.ts.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/web/src/lib/server/admin-auth.ts`:
- Around line 49-62: Always run the PBKDF2 hashing regardless of the username
match to avoid timing leakage: call pbkdf2Async(...) unconditionally, compute
passwordMatch = timingSafeEqual(inputPasswordHash, TARGET_PASSWORD_HASH),
compute usernameMatch = safeEqual(input.username, ADMIN_USERNAME), then return
usernameMatch && passwordMatch (ensure inputPasswordHash is computed before
those comparisons). Reference pbkdf2Async, timingSafeEqual, safeEqual,
ADMIN_USERNAME, TARGET_PASSWORD_HASH, and the HASH_* constants when making the
change.
- Around line 20-24: Replace the hardcoded HASH_SALT in admin-auth.ts with an
environment-driven salt: add an ADMIN_PASSWORD_SALT (or
ADMIN_PASSWORD_HASH+ADMIN_PASSWORD_SALT) to the app env module (e.g., export it
from packages/web/src/lib/server/env.ts) and update the code paths that
reference HASH_SALT to read the salt from that env variable; if you choose to
store ADMIN_PASSWORD_HASH instead of plain ADMIN_PASSWORD, adapt the
authentication routines (the PBKDF2/verify logic in admin-auth.ts that uses
HASH_ITERATIONS, HASH_KEYLEN, HASH_DIGEST) to compare against the provided hash
and use the env salt, and ensure a clear runtime error is thrown when the
required env variables are missing.

---

Outside diff comments:
In `@packages/web/src/lib/server/admin-auth.ts`:
- Around line 10-11: ADMIN_PASSWORD is currently exported but only needed
internally to compute TARGET_PASSWORD_HASH; change export const ADMIN_PASSWORD
to a non-exported const (remove export) and keep export for ADMIN_USERNAME only;
update any internal uses in this module to reference the new local const and
ensure no other modules import ADMIN_PASSWORD (remove or refactor those imports
if present) so the plaintext password is not exposed from admin-auth.ts.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 357ab05c-bbf0-4bfd-b40f-d192c154695f

📥 Commits

Reviewing files that changed from the base of the PR and between 35e4a20 and 35294a4.

📒 Files selected for processing (2)

• packages/web/src/app/api/admin/login/route.ts
• packages/web/src/lib/server/admin-auth.ts

[coderabbitai]

⚠️ Potential issue | 🟠 Major | 🏗️ Heavy lift

정적 솔트 사용은 보안 모범 사례 위반

HASH_SALT가 소스 코드에 하드코딩되어 있습니다. 공격자가 소스 코드에 접근하면 이 솔트로 레인보우 테이블을 사전 계산할 수 있습니다.

권장 해결책:

• ADMIN_PASSWORD_SALT 환경변수를 추가하고 배포 시 랜덤 생성된 값 사용
• 또는 ADMIN_PASSWORD 대신 이미 해시된 ADMIN_PASSWORD_HASH와 솔트를 환경변수로 저장

단일 관리자 계정에 100k iterations를 사용하므로 즉각적인 위협은 아니지만, 보안 심층 방어 측면에서 개선이 필요합니다.

🛡️ 환경변수 기반 솔트 사용 제안

packages/web/src/lib/server/env.ts에 추가:

 const EnvSchema = z.object({
   DATABASE_URL: z.string().min(1),
   DIRECT_URL: z.string().min(1),
   JWT_SECRET: z.string().min(32),
   ADMIN_USERNAME: z.string().trim().min(1),
   ADMIN_PASSWORD: z.string().trim().min(8),
+  ADMIN_PASSWORD_SALT: z.string().min(16),
 })

admin-auth.ts 수정:

-const HASH_SALT = 'argos_admin_salt'
+const HASH_SALT = env.ADMIN_PASSWORD_SALT

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/web/src/lib/server/admin-auth.ts` around lines 20 - 24, Replace the
hardcoded HASH_SALT in admin-auth.ts with an environment-driven salt: add an
ADMIN_PASSWORD_SALT (or ADMIN_PASSWORD_HASH+ADMIN_PASSWORD_SALT) to the app env
module (e.g., export it from packages/web/src/lib/server/env.ts) and update the
code paths that reference HASH_SALT to read the salt from that env variable; if
you choose to store ADMIN_PASSWORD_HASH instead of plain ADMIN_PASSWORD, adapt
the authentication routines (the PBKDF2/verify logic in admin-auth.ts that uses
HASH_ITERATIONS, HASH_KEYLEN, HASH_DIGEST) to compare against the provided hash
and use the env salt, and ensure a clear runtime error is thrown when the
required env variables are missing.

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

타이밍 오라클을 통한 사용자명 열거 가능성

사용자명 불일치 시 즉시 반환하고(Line 49-51), 비밀번호 검증은 PBKDF2 해시 계산 후 수행됩니다. 이 시간 차이(~수백ms)로 공격자가 유효한 사용자명을 열거할 수 있습니다.

단일 관리자 계정 시스템에서는 위험도가 낮지만, 완전한 상수 시간 검증을 위해 사용자명과 관계없이 항상 PBKDF2를 수행하는 것이 좋습니다.

⏱️ 상수 시간 검증 제안

 export async function verifyAdminCredentials(input: {
   username: string
   password: string
 }): Promise<boolean> {
-  if (!safeEqual(input.username, ADMIN_USERNAME)) {
-    return false
-  }
-
   // Hash the incoming password asynchronously to avoid blocking the event loop
   const inputPasswordHash = await pbkdf2Async(
     input.password,
     HASH_SALT,
     HASH_ITERATIONS,
     HASH_KEYLEN,
     HASH_DIGEST
   )
 
-  return timingSafeEqual(inputPasswordHash, TARGET_PASSWORD_HASH)
+  const usernameMatch = safeEqual(input.username, ADMIN_USERNAME)
+  const passwordMatch = timingSafeEqual(inputPasswordHash, TARGET_PASSWORD_HASH)
+  return usernameMatch && passwordMatch
 }

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if (!safeEqual(input.username, ADMIN_USERNAME)) {
	return false
	}
	// Hash the incoming password asynchronously to avoid blocking the event loop
	const inputPasswordHash = await pbkdf2Async(
	input.password,
	HASH_SALT,
	HASH_ITERATIONS,
	HASH_KEYLEN,
	HASH_DIGEST
	)
	return timingSafeEqual(inputPasswordHash, TARGET_PASSWORD_HASH)
	// Hash the incoming password asynchronously to avoid blocking the event loop
	const inputPasswordHash = await pbkdf2Async(
	input.password,
	HASH_SALT,
	HASH_ITERATIONS,
	HASH_KEYLEN,
	HASH_DIGEST
	)
	const usernameMatch = safeEqual(input.username, ADMIN_USERNAME)
	const passwordMatch = timingSafeEqual(inputPasswordHash, TARGET_PASSWORD_HASH)
	return usernameMatch && passwordMatch

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/web/src/lib/server/admin-auth.ts` around lines 49 - 62, Always run
the PBKDF2 hashing regardless of the username match to avoid timing leakage:
call pbkdf2Async(...) unconditionally, compute passwordMatch =
timingSafeEqual(inputPasswordHash, TARGET_PASSWORD_HASH), compute usernameMatch
= safeEqual(input.username, ADMIN_USERNAME), then return usernameMatch &&
passwordMatch (ensure inputPasswordHash is computed before those comparisons).
Reference pbkdf2Async, timingSafeEqual, safeEqual, ADMIN_USERNAME,
TARGET_PASSWORD_HASH, and the HASH_* constants when making the change.

[seonghobae]

최신 upstream/main 기준으로 이 PR은 82개 파일의 stale diff를 포함합니다. 특히 .claude agent/skill 파일 삭제와 오래된 워크플로우/lockfile/env 변경이 섞여 있어 그대로 유지하거나 upstream에 올리면 이미 반영된 변경을 되돌릴 위험이 큽니다.

현재 큐는 upstream #30 → upstream #21 순서로 정리 중입니다. 이 PR의 아이디어가 여전히 필요하면 최신 upstream/main에서 단일 목적 브랜치로 깨끗하게 다시 추출하겠습니다. stale PR로 닫습니다.

[google-labs-jules]

최신 upstream/main 기준으로 이 PR은 82개 파일의 stale diff를 포함합니다. 특히 .claude agent/skill 파일 삭제와 오래된 워크플로우/lockfile/env 변경이 섞여 있어 그대로 유지하거나 upstream에 올리면 이미 반영된 변경을 되돌릴 위험이 큽니다.

현재 큐는 upstream #30 → upstream #21 순서로 정리 중입니다. 이 PR의 아이디어가 여전히 필요하면 최신 upstream/main에서 단일 목적 브랜치로 깨끗하게 다시 추출하겠습니다. stale PR로 닫습니다.

Understood. Acknowledging that this work is now obsolete and stopping work on this task.