.cursor/rules/kotlin-security.md
This file extends the common security rule with Kotlin-specific content.
Read secrets from the environment and fail fast when they are missing:

```kotlin
val apiKey = System.getenv("API_KEY")
    ?: throw IllegalStateException("API_KEY not configured")
```
Always use Exposed's parameterized queries:

```kotlin
// Good: Parameterized via Exposed DSL
UsersTable.selectAll().where { UsersTable.email eq email }

// Bad: String interpolation in raw SQL
exec("SELECT * FROM users WHERE email = '$email'")
```
Use Ktor's Auth plugin with JWT:

```kotlin
install(Authentication) {
    jwt("jwt") {
        verifier(
            JWT.require(Algorithm.HMAC256(secret))
                .withAudience(audience)
                .withIssuer(issuer)
                .build()
        )
        validate { credential ->
            val payload = credential.payload
            if (payload.audience.contains(audience) &&
                payload.issuer == issuer &&
                payload.subject != null) {
                JWTPrincipal(payload)
            } else {
                null
            }
        }
    }
}
```
Kotlin's type system guards against null-dereference bugs; avoid `!!`, which discards that guarantee.
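The three rules above combined in one Ktor 2.x module, as an added example that is not part of the rule file: the JWT secret is read fail-fast from an assumed `JWT_SECRET` environment variable, the issuer and audience are constructed values, and the protected route handles a missing principal or claim with explicit `?:` returns instead of `!!`.

```kotlin
import com.auth0.jwt.JWT
import com.auth0.jwt.algorithms.Algorithm
import io.ktor.http.*
import io.ktor.server.application.*
import io.ktor.server.auth.*
import io.ktor.server.auth.jwt.*
import io.ktor.server.response.*
import io.ktor.server.routing.*

fun Application.configureSecurity() {
    // Assumed env var; a missing secret aborts startup instead of silently using a default.
    val secret = System.getenv("JWT_SECRET")
        ?: throw IllegalStateException("JWT_SECRET not configured")
    val issuer = "https://auth.example.invalid"   // constructed value for this example
    val audience = "orders-api"                    // constructed value for this example

    install(Authentication) {
        jwt("jwt") {
            verifier(
                JWT.require(Algorithm.HMAC256(secret))
                    .withAudience(audience)
                    .withIssuer(issuer)
                    .build()
            )
            validate { credential ->
                val p = credential.payload
                // Reject tokens that verify but lack the claims the application relies on.
                if (p.audience.contains(audience) && p.issuer == issuer && p.subject != null) {
                    JWTPrincipal(p)
                } else null
            }
            // Failed or missing auth becomes a clean 401, not a stack trace.
            challenge { _, _ -> call.respond(HttpStatusCode.Unauthorized) }
        }
    }

    routing {
        authenticate("jwt") {
            get("/me") {
                // Bad: call.principal<JWTPrincipal>()!! turns an absent principal into a 500 (NPE).
                // Good: make the null case an explicit 401 and keep the compiler's null guarantee.
                val principal = call.principal<JWTPrincipal>()
                    ?: return@get call.respond(HttpStatusCode.Unauthorized)
                val subject = principal.subject
                    ?: return@get call.respond(HttpStatusCode.Unauthorized)
                // expiresAt is Date?; safe-call instead of !! in case the claim is absent.
                val msLeft = principal.expiresAt?.time?.minus(System.currentTimeMillis())
                call.respondText("subject=$subject expiresInMs=${msLeft ?: "n/a"}")
            }
        }
    }
}
```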