module-level-env-reads-with-dev-fallback-bypass-runtime-config
cube_client.py read CUBEJS_API_SECRET at import time with a hardcoded dev fallback string. A module-level read is evaluated once, when the module is first imported, so it doesn't respect later runtime env changes, and the dev fallback (a publicly known default) would be used in production if the env var wasn't set. Refactored to a lazy _cube_api_secret() function that reads the env var when called, raises on an empty secret, and refuses to sign with the dev key when RDASH_ENV=production.
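The before and after patterns side by side, as an added example rather than the actual cube_client.py code. The fallback value is a constructed placeholder, and sign_cube_token and token_signed_with are hypothetical helpers that assume HS256 JWT signing.

```python
import base64, hashlib, hmac, json, os

# Constructed placeholder: the real dev fallback string is not reproduced here.
DEV_FALLBACK_SECRET = "dev-fallback-placeholder"

# BEFORE: evaluated once, when the module is first imported. Changing the
# environment afterwards has no effect, and an unset variable silently
# yields the dev key.
IMPORT_TIME_SECRET = os.environ.get("CUBEJS_API_SECRET", DEV_FALLBACK_SECRET)


def _cube_api_secret() -> str:
    """AFTER: read the secret on every call and fail closed."""
    secret = os.environ.get("CUBEJS_API_SECRET", "")
    if not secret:
        raise RuntimeError("CUBEJS_API_SECRET is not set")
    in_prod = os.environ.get("RDASH_ENV") == "production"
    if in_prod and hmac.compare_digest(secret.encode(), DEV_FALLBACK_SECRET.encode()):
        raise RuntimeError("refusing to sign with the dev key in production")
    return secret


def _b64url(raw: bytes) -> str:
    """Unpadded base64url, as used for JWT segments."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign_cube_token(claims: dict) -> str:
    """Hypothetical helper: HS256 JWT signed with the lazily read secret."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}".encode()
    sig = hmac.new(_cube_api_secret().encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def token_signed_with(token: str, secret: str) -> bool:
    """Hypothetical helper: report whether `secret` produced the token's signature."""
    signing_input, _, sig = token.rpartition(".")
    expected = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(_b64url(expected), sig)
```

A boot-time or CI check can call token_signed_with against the known dev key to confirm that no issued token was signed with it.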
Related
- docker
- alembic-ini-hardcoded-db-url-triggers-secret-scanner
- rdash-env-var-naming-drift-breaks-prod-boot
- secret-scanner-flags-test-passwords-use-labeled-constants
- salesforce
- pydantic-prod-safety-validator-rejects-dev-defaults-at-boot
- module-level-env-reads-bypass-runtime-env-in-python
- pydantic-model-validator-prod-safety-gate-pattern
- env-var-naming-drift-causes-silent-dev-defaults
- python-module-level-env-read-bypasses-prod-safety
- cube-js-jwt-dev-fallback-key-is-publicly-known
- cube-client-module-level-secret-read-breaks-prod
- cube-client-module-level-import-dev-fallback-dangerous