Summary
The SCIM API key has a default value of change-scim-api-key-in-production, but the validation check at line 77 is dead code because the default is always a non-empty, truthy string.
Affected File
services/auth-service/index.js:60,77-80
Root Cause
// Line 60 - Default is always a non-empty string
const SCIM_API_KEY = process.env.SCIM_API_KEY || 'change-scim-api-key-in-production';
// Line 77 - This check is NEVER true because of the default
if (!SCIM_API_KEY) {
console.error('FATAL: SCIM_API_KEY environment variable is required');
process.exit(1);
}
Since || 'change-scim-api-key-in-production' always provides a non-empty string, the if (!SCIM_API_KEY) check can never be true. The security validation is dead code.
Additionally, the POSTGRES_URL check at line 97 runs only after the pool has already been created with the (potentially undefined) value at lines 92-95.
Impact
- If the SCIM_API_KEY environment variable is not set, the system silently uses change-scim-api-key-in-production
- Any attacker who knows this default can make SCIM API calls
- The fatal validation check provides false confidence
- SCIM operations (user provisioning, group management) are unprotected
Fix Required
Remove the default value so the validation check actually works:
const SCIM_API_KEY = process.env.SCIM_API_KEY;
// If not set, the check at line 77 will catch it and exit
Also move the if (!process.env.POSTGRES_URL) check before pool creation.
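The dead-check pattern beside a hardened config loader, as an added example that is not the auth-service's own code. The function names, the explicit env parameter (used instead of process.env so the behaviour can be exercised directly) and the extra rejection of the placeholder value are assumptions added here; the page's fix is simply to drop the default.

```javascript
const PLACEHOLDER_KEY = 'change-scim-api-key-in-production';

// Mirrors the reported pattern: the || fallback guarantees a non-empty string,
// so the "required" check below is unreachable and a missing SCIM_API_KEY
// silently becomes the well-known placeholder.
function loadConfigVulnerable(env) {
  const SCIM_API_KEY = env.SCIM_API_KEY || PLACEHOLDER_KEY;
  if (!SCIM_API_KEY) {
    // Dead code: SCIM_API_KEY is always truthy here.
    throw new Error('FATAL: SCIM_API_KEY environment variable is required');
  }
  return { scimApiKey: SCIM_API_KEY };
}

// Hardened helper (assumption, not from the project): no fallback, and an
// unset, non-string or whitespace-only value is treated as missing.
function requireEnv(env, name) {
  const value = env[name];
  if (typeof value !== 'string' || value.trim() === '') {
    throw new Error(`FATAL: ${name} environment variable is required`);
  }
  return value;
}

// Hardened loader: every required variable is validated before any resource
// such as a DB pool is built from it, which also fixes the POSTGRES_URL
// ordering problem noted in the report.
function loadConfigFixed(env) {
  const SCIM_API_KEY = requireEnv(env, 'SCIM_API_KEY');
  // Extra defence beyond the page's fix: refuse the placeholder outright so a
  // copied example .env cannot reach production with the default key.
  if (SCIM_API_KEY === PLACEHOLDER_KEY) {
    throw new Error('FATAL: SCIM_API_KEY is still set to the placeholder value');
  }
  const POSTGRES_URL = requireEnv(env, 'POSTGRES_URL');
  // Only now is it safe to create the pool, e.g.
  // new Pool({ connectionString: POSTGRES_URL })
  return { scimApiKey: SCIM_API_KEY, postgresUrl: POSTGRES_URL };
}
```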