Found in PR #77 (fix/68-expiring-download-tokens)
Severity: Major
This PR was branched from main before PR #74 was merged, so it still carries the old getSecret() with the fallback:
function getSecret(): string {
const secret =
process.env.DOWNLOAD_SIGNING_SECRET ??
process.env.SUPABASE_SECRET_KEY; // ← should be removed per #74PR #74 removes this fallback and requires DOWNLOAD_SIGNING_SECRET explicitly. When #77 is merged after #74, this file will either conflict or re-introduce the fallback depending on merge order.
Fix: Base this branch on PR #74's branch (or rebase on main once #74 merges), and update getSecret() to match PR #74's implementation — i.e., throw if DOWNLOAD_SIGNING_SECRET is absent, no SUPABASE_SECRET_KEY fallback.
Found in PR #77 (fix/68-expiring-download-tokens)
Severity: Major
This PR was branched from
mainbefore PR #74 was merged, so it still carries the oldgetSecret()with the fallback:PR #74 removes this fallback and requires
DOWNLOAD_SIGNING_SECRETexplicitly. When #77 is merged after #74, this file will either conflict or re-introduce the fallback depending on merge order.Fix: Base this branch on PR #74's branch (or rebase on main once #74 merges), and update
getSecret()to match PR #74's implementation — i.e., throw ifDOWNLOAD_SIGNING_SECRETis absent, noSUPABASE_SECRET_KEYfallback.