willchen96 slams shut a forge-your-own-download-link hole

A placeholder secret baked into the public code meant anyone could mint valid document-download links against a misconfigured deployment - now the app refuses to start until that's fixed.


Mike hands out time-limited, signed links so people can download documents securely. The catch: when an operator hadn't configured a signing secret, the code quietly fell back to a hard-coded placeholder. Because Mike's source is public, that placeholder was visible to anyone - which meant a sloppy deployment could have its download links forged at will, handing out access nobody approved.

The team pulled in a community fix that turns this silent gap into a loud one. Instead of limping along on the placeholder, a misconfigured install now fails to start outright, with a message telling the operator exactly what to set. The only new chore is that deployers must provision a real secret before going live - a small price for closing a genuine access-bypass.

So what: anyone running Mike or a fork that serves document downloads should pull this in - it converts a quiet authentication bypass into an unmissable startup error.


Commits in this thread

2 commits from willchen96/mike, oldest first. Source extracted verbatim from the harvested git log.

SHA       Subject                                                        Author   Date
eb441409  fix(security): fail fast when download HMAC secret is missing  Metbcy   2026-05-03

Commit body:
Resolves the issue where getSecret() silently fell back to the literal
string "dev-secret" when neither DOWNLOAD_SIGNING_SECRET nor
SUPABASE_SECRET_KEY was set. Because the codebase is public, that
fallback let anyone forge valid /download/:token signatures against a
mis-configured deployment.

- Throw at first call instead of returning the hardcoded string, with a
  message pointing the operator at `openssl rand -hex 32`.
- Document DOWNLOAD_SIGNING_SECRET in backend/.env.example so deployers
  following the README know to set it (and that it should be distinct
  from SUPABASE_SECRET_KEY).

Closes #7
SHA       Subject                                                           Author          Date
0ac2744a  Merge pull request #21 from Metbcy/fix/download-secret-fail-fast  cosimoastrada   2026-05-11

Commit body:
fix(security): fail fast when download HMAC secret is missing (closes #7)
