security hardening

app/services/invoice/signedUrl.ts

@@ -1,9 +1,29 @@
 import crypto from "node:crypto";
 
-const SECRET = process.env.SHOPIFY_API_SECRET || "";
+import { optionalEnv } from "../config/env.server";
+
+/**
+ * Resolves the GiroCode URL signing key lazily (per call, not at module load)
+ * so the process can boot even when only the fallback secret is present.
+ *
+ * Prefers the dedicated `GIROCODE_SIGNING_KEY`; falls back to
+ * `SHOPIFY_API_SECRET` ONLY when the dedicated key is unset, so existing
+ * signed URLs and deployments keep working. Throws if neither is set
+ * (fail closed) — an empty key would make signatures forgeable.
+ */
+function getSigningKey(): string {
+  const key = optionalEnv("GIROCODE_SIGNING_KEY") ?? optionalEnv("SHOPIFY_API_SECRET");
+  if (!key) {
+    throw new Error(
+      "GiroCode signing key missing: set GIROCODE_SIGNING_KEY (preferred) " +
+        "or SHOPIFY_API_SECRET.",
+    );
+  }
+  return key;
+}
 
 function hmac(payload: string): string {
-  return crypto.createHmac("sha256", SECRET).update(payload).digest("hex");
+  return crypto.createHmac("sha256", getSigningKey()).update(payload).digest("hex");
 }
 
 export interface GiroCodeUrlParams {