Skip to content

backlog: Security hardening - JWT_SECRET validation and contact privacy #65

New issue
New issue
Open
Open
backlog: Security hardening - JWT_SECRET validation and contact privacy#65
Labels
backlogTechnical debt and low-priority improvements
@jronnomo

Description

@jronnomo
jronnomo
opened on Feb 26, 2026

Problem

Finding IDs: GAP-004, GAP-006 | Research gaps | High | Confidence: 0.88-0.92

Two security concerns identified during review:

  1. Missing JWT_SECRET startup validation (GAP-004): The JWT_SECRET environment variable is not validated at server startup. If the variable is missing or empty, the server starts and runs, but JWT signing and verification will behave incorrectly. The server should fail fast at startup if this required secret is absent.

  2. Contact privacy disclosure missing (GAP-006): The contact list sync feature sends user phone numbers from the device contact list to the backend without explicit user-facing privacy disclosure explaining what data is collected, why, and how it is used. This is a potential privacy compliance issue (GDPR, App Store guidelines).

Files

  • backend/src/index.ts
  • app/(tabs)/friends/index.tsx

Source

App Review 2026-02-26

Metadata

Metadata

Assignees

No one assigned

    Labels

    backlogTechnical debt and low-priority improvements

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions