Skip to content

ci(deploy): fail the Vercel build if NEON_AUTH_COOKIE_SECRET is missing#66

Merged
RyRy79261 merged 4 commits into
mainfrom
fix/vercel-build-assert-cookie-secret
Jul 5, 2026
Merged

ci(deploy): fail the Vercel build if NEON_AUTH_COOKIE_SECRET is missing#66
RyRy79261 merged 4 commits into
mainfrom
fix/vercel-build-assert-cookie-secret

Conversation

@RyRy79261

@RyRy79261 RyRy79261 commented Jul 4, 2026

Copy link
Copy Markdown
Owner

Why

On 2026-07-05 production returned 500 Internal Server Error on every page and API route (only static files like /icon.svg served). Root cause: NEON_AUTH_COOKIE_SECRET was missing from the Vercel environment.

apps/web/lib/neon-auth.ts throws at module evaluation when that secret is unset in production (the fail-closed guard from 528af3b, so it never HMAC-signs session cookies with the public placeholder). That module is imported at the top of the middleware (apps/web/proxy.ts), so the throw takes down the entire middleware module → every matcher-covered route 500s, while matcher-excluded static assets keep serving. Confirmed from the runtime log:

Error: NEON_AUTH_COOKIE_SECRET must be set to at least 32 chars in production.
    at module evaluation ...
    at Object.<anonymous> (.next/server/middleware.js:4:3)

The immediate outage is already fixed (secret set in Production + Preview, prod redeployed). This PR prevents recurrence.

What

The runtime guard is deliberately suppressed during next build (NEXT_PHASE=phase-production-build), so the build never surfaces the misconfig — the crash only appears once the deployment is live and serving. This adds a build-time assertion in vercel-build.sh, before next build:

  • If NEON_AUTH_COOKIE_SECRET is unset or <32 chars → fail the build with an actionable message.
  • Scoped to VERCEL_ENV = production | preview (the environments that run with NODE_ENV=production at runtime), so it mirrors the runtime guard exactly.

Net effect: a misconfigured deploy fails fast and Vercel keeps serving the last good deployment, instead of shipping a bundle that boots straight into a 500.

Not affected

  • Local / CI next build — no VERCEL_ENV, guard is skipped (these legitimately have no secret).
  • vercel devVERCEL_ENV=development, guard is skipped (NODE_ENV=development, runtime guard doesn't fire either).
  • CI does not invoke vercel-build.sh (only the Vercel vercel-build npm script does).

Testing

Syntax-checked under dash (sh -n) and exercised end-to-end with stubbed next/pnpm across the full matrix:

VERCEL_ENV secret result
production unset exit 1 ✓
production 10 chars exit 1 ✓
production 64 chars exit 0 → build ✓
preview unset exit 1 ✓
(unset) unset exit 0 → build ✓
development unset exit 0 → build ✓

set -u is safe on the unset-secret path (clean exit 1, no unbound-variable error).

https://claude.ai/code/session_01HgjBcWAo4VLxXMf22NPBZx

Summary by CodeRabbit

  • Bug Fixes
    • Added a deployment-time check to prevent production and preview builds from continuing when a required authentication secret is missing or too short.
    • Improved build feedback with a clear error message when configuration is invalid, helping avoid failed or misconfigured releases.

A missing (or <32 char) NEON_AUTH_COOKIE_SECRET makes apps/web/lib/neon-auth.ts
throw at module evaluation. That module is imported at the top of the middleware
(apps/web/proxy.ts), so the whole middleware module fails to load and EVERY
non-static route returns 500 — this took prod fully down on 2026-07-05. The
runtime guard is deliberately suppressed during `next build`
(NEXT_PHASE=phase-production-build), so the build itself never surfaces the
misconfig; the crash only appears once the deployment is live.

Assert the secret (present, >=32 chars) in vercel-build.sh BEFORE `next build`,
scoped to VERCEL_ENV production|preview. A misconfigured deploy now fails fast
and Vercel keeps serving the last good deployment instead of shipping a
boot-time crash. Local/CI `next build` (secret-less by design) and `vercel dev`
(NODE_ENV=development) are unaffected. Verified under dash across the full
env matrix (unset/short/valid secret x prod/preview/unset/development).

Claude-Session: https://claude.ai/code/session_01HgjBcWAo4VLxXMf22NPBZx
@vercel

vercel Bot commented Jul 4, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
ops-board-web Ready Ready Preview, Comment Jul 5, 2026 10:17am

@coderabbitai

coderabbitai Bot commented Jul 4, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2c695c26-1266-460f-a288-a1efb67cf53f

📥 Commits

Reviewing files that changed from the base of the PR and between 4523efc and 68b32e7.

📒 Files selected for processing (1)
  • apps/web/scripts/vercel-build.sh

📝 Walkthrough

Walkthrough

Added a validation guard in the Vercel build script that checks NEON_AUTH_COOKIE_SECRET is set and at least 32 characters long for production and preview environments, failing the build with an error message if the check fails.

Changes

Build Script Validation

Layer / File(s) Summary
Cookie secret guard
apps/web/scripts/vercel-build.sh
Adds an environment-scoped check that fails deployment with exit code 1 when NEON_AUTH_COOKIE_SECRET is unset or under 32 characters for production/preview environments; logs confirmation otherwise.

Estimated code review effort: 1 (Trivial) | ~5 minutes

Poem

A secret too short? Not on my watch,
I hop through the script, guard at the notch. 🐇
Thirty-two chars or the build takes a fall,
Safe little burrow, secured for us all.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: failing Vercel builds when NEON_AUTH_COOKIE_SECRET is absent.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/vercel-build-assert-cookie-secret

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@RyRy79261 RyRy79261 merged commit 20fca1a into main Jul 5, 2026
14 checks passed
@RyRy79261 RyRy79261 deleted the fix/vercel-build-assert-cookie-secret branch July 5, 2026 10:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant