From 69fea95320ae7bca18b381cea4ef39246d95381e Mon Sep 17 00:00:00 2001
From: le king fu
Date: Mon, 2 Mar 2026 13:06:16 -0500
Subject: [PATCH] fix: fail-closed auth when HEALTH_TOKEN is not set
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reject all requests if HEALTH_TOKEN env var is undefined instead of allowing unauthenticated access (fail-open → fail-closed).

Co-Authored-By: Claude Sonnet 4.6
---
 index.js | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/index.js b/index.js
index a0f0a31..fe2da39 100644
--- a/index.js
+++ b/index.js
@@ -5,6 +5,10 @@ const { execSync } = require("node:child_process");
 const PORT = parseInt(process.env.PORT || "3001", 10);
 const TOKEN = process.env.HEALTH_TOKEN;
 
+if (!TOKEN) {
+  console.warn("WARNING: HEALTH_TOKEN is not set. All requests will be rejected (fail-closed).");
+}
+
 function readProcStat() {
   try {
     const line = execSync("head -1 /proc/stat", { encoding: "utf-8" }).trim();
@@ -84,13 +88,17 @@ const server = http.createServer((req, res) => {
     return;
   }
 
-  if (TOKEN) {
-    const auth = req.headers["authorization"];
-    if (auth !== `Bearer ${TOKEN}`) {
-      res.writeHead(401);
-      res.end(JSON.stringify({ error: "Unauthorized" }));
-      return;
-    }
+  if (!TOKEN) {
+    res.writeHead(401);
+    res.end(JSON.stringify({ error: "HEALTH_TOKEN not configured" }));
+    return;
+  }
+
+  const auth = req.headers["authorization"];
+  if (auth !== `Bearer ${TOKEN}`) {
+    res.writeHead(401);
+    res.end(JSON.stringify({ error: "Unauthorized" }));
+    return;
   }
 
   const data = getHealth();
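Review bot: The fail-closed branch in the second hunk answers every unauthenticated caller with `HEALTH_TOKEN not configured`, which turns a server-side misconfiguration into a fact an outsider can read off the wire; the first hunk already logs that condition at startup, so the per-request response should be the same generic `{ error: "Unauthorized" }` body the token-mismatch path returns. The check `auth !== \`Bearer ${TOKEN}\`` right below it is a plain string compare on the one secret that gates `getHealth()`; compare equal-length buffers with `crypto.timingSafeEqual` instead, which needs `const { timingSafeEqual } = require("node:crypto");` beside the existing requires at the top of the file. Both 401 responses could also set `WWW-Authenticate: Bearer` so clients learn which scheme was expected. The enclosing request handler starts and ends outside the hunk.
```javascript
  if (!TOKEN) {
    res.writeHead(401);
    res.end(JSON.stringify({ error: "Unauthorized" }));
    return;
  }

  // Length check first: timingSafeEqual throws on buffers of different length.
  const expected = Buffer.from(`Bearer ${TOKEN}`);
  const given = Buffer.from(String(req.headers["authorization"] ?? ""));
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    res.writeHead(401);
    res.end(JSON.stringify({ error: "Unauthorized" }));
    return;
  }
  // … unchanged: const data = getHealth(); …
```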