ci(deploy): fail the Vercel build if NEON_AUTH_COOKIE_SECRET is missing#66
Conversation
A missing (or <32 char) NEON_AUTH_COOKIE_SECRET makes apps/web/lib/neon-auth.ts throw at module evaluation. That module is imported at the top of the middleware (apps/web/proxy.ts), so the whole middleware module fails to load and EVERY non-static route returns 500 — this took prod fully down on 2026-07-05. The runtime guard is deliberately suppressed during `next build` (NEXT_PHASE=phase-production-build), so the build itself never surfaces the misconfig; the crash only appears once the deployment is live. Assert the secret (present, >=32 chars) in vercel-build.sh BEFORE `next build`, scoped to VERCEL_ENV production|preview. A misconfigured deploy now fails fast and Vercel keeps serving the last good deployment instead of shipping a boot-time crash. Local/CI `next build` (secret-less by design) and `vercel dev` (NODE_ENV=development) are unaffected. Verified under dash across the full env matrix (unset/short/valid secret x prod/preview/unset/development). Claude-Session: https://claude.ai/code/session_01HgjBcWAo4VLxXMf22NPBZx
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (1)
📝 WalkthroughWalkthroughAdded a validation guard in the Vercel build script that checks NEON_AUTH_COOKIE_SECRET is set and at least 32 characters long for production and preview environments, failing the build with an error message if the check fails. ChangesBuild Script Validation
Estimated code review effort: 1 (Trivial) | ~5 minutes Poem
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Why
On 2026-07-05 production returned
500 Internal Server Erroron every page and API route (only static files like/icon.svgserved). Root cause:NEON_AUTH_COOKIE_SECRETwas missing from the Vercel environment.apps/web/lib/neon-auth.tsthrows at module evaluation when that secret is unset in production (the fail-closed guard from528af3b, so it never HMAC-signs session cookies with the public placeholder). That module is imported at the top of the middleware (apps/web/proxy.ts), so the throw takes down the entire middleware module → every matcher-covered route 500s, while matcher-excluded static assets keep serving. Confirmed from the runtime log:The immediate outage is already fixed (secret set in Production + Preview, prod redeployed). This PR prevents recurrence.
What
The runtime guard is deliberately suppressed during
next build(NEXT_PHASE=phase-production-build), so the build never surfaces the misconfig — the crash only appears once the deployment is live and serving. This adds a build-time assertion invercel-build.sh, beforenext build:NEON_AUTH_COOKIE_SECRETis unset or<32chars → fail the build with an actionable message.VERCEL_ENV=production|preview(the environments that run withNODE_ENV=productionat runtime), so it mirrors the runtime guard exactly.Net effect: a misconfigured deploy fails fast and Vercel keeps serving the last good deployment, instead of shipping a bundle that boots straight into a 500.
Not affected
next build— noVERCEL_ENV, guard is skipped (these legitimately have no secret).vercel dev—VERCEL_ENV=development, guard is skipped (NODE_ENV=development, runtime guard doesn't fire either).vercel-build.sh(only the Vercelvercel-buildnpm script does).Testing
Syntax-checked under
dash(sh -n) and exercised end-to-end with stubbednext/pnpmacross the full matrix:set -uis safe on the unset-secret path (clean exit 1, no unbound-variable error).https://claude.ai/code/session_01HgjBcWAo4VLxXMf22NPBZx
Summary by CodeRabbit