store plaintext secret key in .env, hash at startup

bin/.env

@@ -11,5 +11,5 @@ POSTGRES_USER="postgres"
 POSTGRES_PASSWORD="postgres"
 # TOKEN_LIFETIME in minutes
 TOKEN_LIFETIME=600
-# Secret key for registration (bcrypt hash, client sends plaintext)
-REGISTRATION_SECRET_KEY=$2a$10$mSo1MvV6U7GazfxceLFDl.gBNPm6lnjClWYsFQesx0SalObvBLIF6
+# Secret key for registration (plaintext, hashed with bcrypt at startup)
+REGISTRATION_SECRET_KEY=FtracKer*1405.

bin/routes/auth_routes.dart

@@ -12,8 +12,15 @@ import 'dart:io';
 class AuthRoutes {
   final DatabaseProvider database;
   final Map<String, DateTime> _lastRequest = {};
+  final String _registrationKeyHash;
 
-  AuthRoutes(this.database);
+  AuthRoutes(this.database) : _registrationKeyHash = _loadRegistrationKeyHash();
+
+  static String _loadRegistrationKeyHash() {
+    final dotenv = DotEnv();
+    final key = dotenv['REGISTRATION_SECRET_KEY'] ?? '';
+    return BCrypt.hashpw(key, BCrypt.gensalt());
+  }
 
   Router get routes {
     final router = Router();
@@ -112,10 +119,7 @@ class AuthRoutes {
       return response;
     }
 
-    final envDotenv = DotEnv();
-    final storedHash = envDotenv['REGISTRATION_SECRET_KEY'] ?? '';
-
-    if (!BCrypt.checkpw(secretKey, storedHash)) {
+    if (!BCrypt.checkpw(secretKey, _registrationKeyHash)) {
       stopwatch.stop();
       final response = Response(403, body: jsonEncode({'error': 'Invalid registration key'}), headers: {'Content-Type': 'application/json'});
       logRequest(method: 'POST', url: '/reg', status: 403, duration: stopwatch.elapsed, body: body, responseHeaders: response.headers);