ContextualWisdomLab · seonghobae · May 29, 2026 · May 29, 2026 · May 29, 2026 · May 29, 2026
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -26,3 +26,5 @@ jobs:
           JWT_SECRET: "ci-placeholder-jwt-secret-min-32-chars"
           DATABASE_URL: "postgresql://placeholder:placeholder@localhost:5432/placeholder"
           DIRECT_URL: "postgresql://placeholder:placeholder@localhost:5432/placeholder"
+          ADMIN_USERNAME: "ci-admin"
+          ADMIN_PASSWORD: "ci-admin-password"
diff --git a/.gitignore b/.gitignore
@@ -13,3 +13,4 @@ backups/
 persuasion-data/runs/
 __pycache__/
 *.pyc
+.jules/
diff --git a/packages/web/.env.example b/packages/web/.env.example
@@ -4,3 +4,5 @@ AUTH_SECRET=replace-with-min-32-char-random-string
 DATABASE_URL="postgresql://postgres.[project]:[password]@aws-0-ap-northeast-1.pooler.supabase.com:6543/postgres?pgbouncer=true"
 DIRECT_URL="postgresql://postgres.[project]:[password]@db.uwxfseowdzuuepeeudrx.supabase.co:5432/postgres"
 JWT_SECRET="replace-with-32-char-minimum-random-string"
+ADMIN_USERNAME="admin"
+ADMIN_PASSWORD="replace-with-secure-admin-password"
diff --git a/packages/web/src/lib/server/admin-auth.ts b/packages/web/src/lib/server/admin-auth.ts
@@ -6,18 +6,29 @@ import { NextRequest, NextResponse } from 'next/server'
 
 import { env } from './env'
 
-export const ADMIN_USERNAME = 'admin'
-export const ADMIN_PASSWORD = 'og9oRajx7h88v1RIj3eDgdrh9jgLYVV3'
+export const ADMIN_USERNAME = env.ADMIN_USERNAME
+export const ADMIN_PASSWORD = env.ADMIN_PASSWORD
 
 const ADMIN_SESSION_COOKIE = 'argos_admin_session'
 const ADMIN_SESSION_TTL_MS = 12 * 60 * 60 * 1000
 const ADMIN_IMPERSONATION_TTL_MS = 60 * 1000
 const ADMIN_IMPERSONATION_PREFIX = 'argos_imp'
+const MAX_SAFE_EQUAL_BYTES = 512
 
 function safeEqual(a: string, b: string): boolean {
-  const aHash = createHmac('sha256', env.JWT_SECRET).update(a).digest()
-  const bHash = createHmac('sha256', env.JWT_SECRET).update(b).digest()
-  return timingSafeEqual(aHash, bHash)
+  const aBytes = Buffer.from(a)
+  const bBytes = Buffer.from(b)
+
+  if (aBytes.length > MAX_SAFE_EQUAL_BYTES || bBytes.length > MAX_SAFE_EQUAL_BYTES) {
+    return false
+  }
+
+  const aPadded = Buffer.alloc(MAX_SAFE_EQUAL_BYTES)
+  const bPadded = Buffer.alloc(MAX_SAFE_EQUAL_BYTES)
+  aBytes.copy(aPadded)
+  bBytes.copy(bPadded)
+
+  return timingSafeEqual(aPadded, bPadded) && aBytes.length === bBytes.length
 }
 
 function sign(payload: string): string {

diff --git a/packages/web/src/lib/server/env.ts b/packages/web/src/lib/server/env.ts
@@ -5,6 +5,10 @@ const EnvSchema = z.object({
   DATABASE_URL: z.string().min(1),
   DIRECT_URL: z.string().min(1),
   JWT_SECRET: z.string().min(32),
+  ADMIN_USERNAME: z.string().min(1).max(128).refine((value) => !value.includes('.'), {
+    message: 'ADMIN_USERNAME must not contain "."',
+  }),
+  ADMIN_PASSWORD: z.string().min(16).max(512),
 })
 
 export const env = EnvSchema.parse(process.env)
-Original file line number
+Diff line change
@@ Expand Up / @@ -13,3 +13,4 @@ backups/ @@
     persuasion-data/runs/
     __pycache__/
     *.pyc
+    .jules/