[Backend] Startup validation only checks presence of secrets, not their format or length

[grantfox-oss]

Telegram (ask questions / claim the issue here first): https://t.me/+DOylgFv1jyJlNzM0

Why this matters

src/config/env.ts validateEnvVars only checks that required vars are non-empty, so JWT_SECRET, INTERNAL_API_KEY and LOAN_MANAGER_ADMIN_SECRET pass with a single weak character; the admin secret is not even checked to be a valid Stellar secret until first use.

Acceptance criteria

• Enforce a minimum length/entropy for JWT_SECRET and INTERNAL_API_KEY at startup
• Validate LOAN_MANAGER_ADMIN_SECRET parses as a Stellar secret key at startup
• Fail fast with a clear message naming the offending var
• Add tests for the new validation rules

Files to touch

• src/config/env.ts
• src/middleware/auth.ts
• src/services/sorobanService.ts

Out of scope

• Secret rotation tooling
• Vault integration

[AbuJulaybeeb]

Hi Maintainer, I have reviewed the description of the issue and would like to hop on this issue and deliver ETA

[MarvyNwaokobia]

I'd like to work on this issue.

I have experience working with backend configuration validation and authentication systems, and I can implement stronger startup-time checks for environment variables. I'll enforce minimum entropy/length for JWT_SECRET and INTERNAL_API_KEY, validate LOAN_MANAGER_ADMIN_SECRET as a valid Stellar secret key at startup, and ensure the service fails fast with clear error messages when configuration is invalid.

I'll also add tests to cover these validation rules and make sure existing auth and Soroban service flows are not affected.

[grantfox-oss]

🦊 GrantFox — @MarvyNwaokobia has been assigned to this issue as part of the Official Campaign campaign!

Next steps:

1. Open a Pull Request referencing this issue (e.g., Closes #14)
2. Your PR will be reviewed by the LabsCrypt maintainers

Good luck! Track your progress on GrantFox.