fix(config): require non-empty reload password for environment switching #2082

Merged
bpamiri merged 1 commit into develop from peter/fix-empty-reload-password
Apr 10, 2026
Collaborator

@bpamiri bpamiri commented Apr 10, 2026

Summary

  • Removes the !Len(application.$wheels.reloadPassword) branch that allowed unauthenticated environment switching when reloadPassword was empty
  • Now requires a non-empty reloadPassword AND a matching URL password parameter for environment switching to succeed
  • Adds a startup warning log entry when reloadPassword is empty, informing that URL-based reload is disabled

Test plan

  • New ReloadPasswordSpec.cfc verifies empty password blocks reload, correct password allows reload, wrong password rejects reload, and MessageDigest.isEqual is used for constant-time comparison
  • Full test suite passes (2672 pass, 0 fail, 0 error)
  • Security test suite passes

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@bpamiri bpamiri merged commit ecf419f into develop Apr 10, 2026
3 checks passed
@bpamiri bpamiri deleted the peter/fix-empty-reload-password branch April 10, 2026 09:37
@bpamiri bpamiri mentioned this pull request Apr 16, 2026
7 tasks
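
The check described in the summary, sketched as an added example (not the project's code or the PR's diff, which this page does not show). The function names and sample passwords are hypothetical; only `reloadPassword`, the `!Len(...)` branch and `MessageDigest.isEqual` come from the PR text, and the plain `==` in the "before" function stands in for a comparison the page does not show.

```cfml
<cfscript>
// Added illustration: hypothetical helper names, constructed sample values.

// "Before" shape as the summary describes it: an empty configured password
// short-circuits the check, so the request needs no password at all.
function canSwitchEnvironmentBefore(required string configured, string supplied = "") {
	return !Len(arguments.configured) || arguments.supplied == arguments.configured;
}

// "After" shape: an empty configured password disables URL-based switching,
// and a non-empty one must match the supplied value byte for byte.
function canSwitchEnvironmentAfter(required string configured, string supplied = "") {
	if (!Len(arguments.configured)) {
		return false; // fail closed: nothing configured means nothing can match
	}
	// Static java.security.MessageDigest.isEqual compares the two byte arrays
	// without stopping at the first differing byte.
	var md = CreateObject("java", "java.security.MessageDigest");
	return md.isEqual(
		CharsetDecode(arguments.supplied, "utf-8"),
		CharsetDecode(arguments.configured, "utf-8")
	);
}

// Constructed cases mirroring the PR's test plan: empty password,
// correct password, wrong password, and a missing URL parameter.
cases = [
	{label: "empty configured, none supplied", configured: "", supplied: ""},
	{label: "empty configured, guess supplied", configured: "", supplied: "anything"},
	{label: "configured, correct supplied", configured: "s3cret-example", supplied: "s3cret-example"},
	{label: "configured, wrong supplied", configured: "s3cret-example", supplied: "s3cret-exampl3"},
	{label: "configured, none supplied", configured: "s3cret-example", supplied: ""}
];

for (c in cases) {
	WriteOutput(
		c.label
		& " | before: " & canSwitchEnvironmentBefore(c.configured, c.supplied)
		& " | after: " & canSwitchEnvironmentAfter(c.configured, c.supplied)
		& "<br>"
	);
}
</cfscript>
```

The two functions disagree only on the rows where the configured password is empty, which is the branch the PR removes.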