fix: enforce required state secret for OAuth processing

- Added a check to ensure AUTH_GATEWAY_STATE_SECRET or CONFIG_ENCRYPTION_KEY is provided, throwing an error if neither is set.
- Updated the configuration parsing to use a resolved state secret variable for clarity and consistency.

Signed-off-by: Innei <tukon479@gmail.com>

be/apps/oauth-gateway/src/config.ts

@@ -40,10 +40,16 @@ const envSchema = z.object({
   STATE_SECRET: z
     .string()
     .trim()
-    .min(1, { message: 'AUTH_GATEWAY_STATE_SECRET or CONFIG_ENCRYPTION_KEY is required for state decoding.' })
+    .min(1, { message: 'AUTH_GATEWAY_STATE_SECRET or CONFIG_ENCRYPTION_KEY is required for state decoding.' }),
-    .default(process.env.AUTH_GATEWAY_STATE_SECRET ?? process.env.CONFIG_ENCRYPTION_KEY ?? ''),
 })
 
+const resolvedStateSecret = process.env.AUTH_GATEWAY_STATE_SECRET ?? process.env.CONFIG_ENCRYPTION_KEY
+if (!resolvedStateSecret) {
+  throw new Error(
+    '[oauth-gateway] AUTH_GATEWAY_STATE_SECRET (or CONFIG_ENCRYPTION_KEY) is required to decode OAuth state.',
+  )
+}
+
 const parsed = envSchema.parse({
   HOST: process.env.AUTH_GATEWAY_HOST ?? process.env.HOST,
   PORT: process.env.AUTH_GATEWAY_PORT ?? process.env.PORT,
@@ -52,7 +58,7 @@ const parsed = envSchema.parse({
   CALLBACK_BASE_PATH: process.env.AUTH_GATEWAY_CALLBACK_BASE_PATH,
   ALLOW_CUSTOM_HOST: process.env.AUTH_GATEWAY_ALLOW_CUSTOM_HOST,
   ROOT_SLUG: process.env.AUTH_GATEWAY_ROOT_SLUG,
-  STATE_SECRET: process.env.AUTH_GATEWAY_STATE_SECRET ?? process.env.CONFIG_ENCRYPTION_KEY,
+  STATE_SECRET: resolvedStateSecret,
 })
 
 export const gatewayConfig = {