// Module-level logger, created with the label 'CronAuth'.
// NOTE(review): this module derives JWT key material from env secrets; values
// passed to this logger should never include the secret or a minted token.
// Confirm at the call sites, which are outside this view.
const logger = createLogger('CronAuth')
| 9 | |
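/**
 * Return the secret bytes for the internal-JWT signing key.
 *
 * @returns {Uint8Array} UTF-8 encoding of INTERNAL_JWT_SECRET, or of
 *   INTERNAL_API_SECRET when the dedicated key is unset or empty.
 * @throws {Error} When neither secret is configured.
 */
const getJwtSecret = () => {
  // Prefer a dedicated JWT signing key so the internal-JWT trust domain is
  // separable from the raw INTERNAL_API_SECRET shared-bearer secret: leaking one
  // shouldn't grant the other (raw secret => call internal endpoints; JWT key =>
  // mint tokens for arbitrary userIds). Falls back to INTERNAL_API_SECRET when
  // unset so existing deployments keep working until the key is rotated in.
  // While the fallback is active the two trust domains are still the same secret.
  const configured = env.INTERNAL_JWT_SECRET || env.INTERNAL_API_SECRET

  // Fail closed: TextEncoder.encode(undefined) yields a zero-length array, which
  // would otherwise be handed to the JWT code as an empty signing key.
  if (!configured) {
    throw new Error(
      'Internal JWT secret is not configured: set INTERNAL_JWT_SECRET or INTERNAL_API_SECRET'
    )
  }

  // NOTE(review): key length and entropy are not checked here; presumably the
  // env schema enforces a minimum. Confirm against the env definition.
  return new TextEncoder().encode(configured)
}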
| 19 | |
| 20 | /** |
| 21 | * Generate an internal JWT token for server-side API calls |