✅ #21 fix(security): fail fast when download HMAC secret is missing (closes #7) +14 -4 16d ago by
Metbcy ↗ analysis ↗ GitHub Closes #7.
Metbcy/mike
A near-stock Mike fork from Metbcy, distinguished mainly by a quiet but important security tightening around download links.
This fork sits very close to upstream Mike. There's no rebrand, no new product surface, no visible push into a niche - if you spun it up, you'd encounter something that looks and feels like Mike itself.
The one signal of intent comes from Metbcy closing a download-link forgery hole: when the signing secret isn't configured, the fork now refuses to start rather than falling back to a publicly-known default. It's the kind of change that suggests someone is thinking seriously about running this in front of real users, not just kicking the tyres locally.
Beyond that, there's little to go on. No public bio, no roadmap, no obvious thematic direction yet - just a maintainer who noticed a real security gap and fixed it.
What's in it
- Hardened download-link signing Refuses to boot with a missing or fallback signing secret, closing a hole that would otherwise let anyone mint links to files in the storage bucket.
Direction
securityinfrastructure
Activity
A public-repo fallback secret meant anyone could mint download links for files in the storage bucket - until now.
Threads of work (detailed view)
Metbcy quietly plugs a download-link forgery hole
A public-repo fallback secret meant anyone could mint download links for files in the storage bucket - until now.
Pull requests (detailed view)
✅ Merged (1)
by
Metbcy · opened 24d ago · merged 16d ago