ISSUE_NUMBER: GH-3
Description
The JWT_SECRET environment variable defaults to a hardcoded value of 'your-secret-key' if not explicitly set. Because the placeholder is visible in the source (and is a well-known default), anyone can sign arbitrary tokens with it, so any deployment that omits the variable accepts forged JWTs and is open to unauthorized access and privilege escalation.
File: repositories/jobflowapi/controllers/auth.py
Line: 34
Severity: critical
Current Behavior
The application uses a default JWT secret if the JWT_SECRET environment variable is not set.
Expected Behavior
The application should either:
- Refuse to start if the JWT_SECRET environment variable is not set.
- Generate a cryptographically secure random secret at startup if one is not provided.
Suggested Fix
- Check if JWT_SECRET is set and is not a known placeholder such as 'your-secret-key'. If the check fails, raise an exception or log a critical error and exit before any route is served.
- Optionally, implement a mechanism to generate a random, secure secret at startup (for example `secrets.token_urlsafe`) if one is not provided via environment variable. Note that a per-process secret invalidates every issued token on restart and will not verify across multiple instances, so this is only suitable for single-instance or development deployments; the fail-closed check is the safer default.
Code Context
JWT_SECRET = os.getenv('JWT_SECRET', 'your-secret-key')
Additional Notes
This is a critical security vulnerability that must be addressed immediately.
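The following is an added example, not code from jobflowapi, showing both halves of the report: a minimal stdlib HS256 signer/verifier demonstrating that the default secret lets an attacker mint an accepted admin token, and a `load_jwt_secret` helper that fails closed on a missing or placeholder secret (with an opt-in generated-secret mode). The function names, the `WEAK_DEFAULTS` list and the `env` mapping argument are assumptions for illustration; the size limit follows RFC 7518, which requires an HS256 key of at least 256 bits.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Mapping, Optional

# Placeholder values seen in sample code; none of these may be accepted.
# (Assumed list for this example.)
WEAK_DEFAULTS = {"your-secret-key", "secret", "changeme", ""}
MIN_SECRET_BYTES = 32  # HS256 needs a key of at least 256 bits (RFC 7518 3.2)


def load_jwt_secret(env: Mapping[str, str], allow_generated: bool = False) -> str:
    """Return a usable HS256 secret from `env`, or refuse to start.

    Missing or known-weak value: raise RuntimeError so the process exits.
    allow_generated=True: mint a random per-process secret instead. Tokens then
    die on restart and do not verify on other instances; use with care.
    """
    value = env.get("JWT_SECRET")
    if value is None or value in WEAK_DEFAULTS:
        if allow_generated:
            return secrets.token_urlsafe(48)  # 64 url-safe chars, 384 random bits
        raise RuntimeError("JWT_SECRET is unset or a known placeholder; refusing to start")
    if len(value.encode()) < MIN_SECRET_BYTES:
        raise RuntimeError(f"JWT_SECRET must be at least {MIN_SECRET_BYTES} bytes")
    return value


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(payload: dict, secret: str) -> str:
    """Produce a compact JWT signed with HMAC-SHA256 (what an attacker does with a known secret)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_hs256(token: str, secret: str) -> Optional[dict]:
    """Return the payload if the signature checks out under `secret`, else None."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    # Pin the algorithm server-side; never let the token header choose it.
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(body))


def demo_forgery() -> bool:
    """Before the fix: the default from source lets anyone forge an accepted admin token."""
    forged = sign_hs256({"sub": "attacker", "role": "admin"}, "your-secret-key")
    return verify_hs256(forged, "your-secret-key") is not None


def demo_startup_check(env: Mapping[str, str]) -> str:
    """After the fix: the app only starts when a real secret is configured."""
    try:
        load_jwt_secret(env)
        return "started"
    except RuntimeError:
        return "refused"


if __name__ == "__main__":
    print("forgery with default secret accepted:", demo_forgery())
    print("startup with no JWT_SECRET:", demo_startup_check({}))
    print("startup with placeholder:", demo_startup_check({"JWT_SECRET": "your-secret-key"}))
    print("startup with strong secret:", demo_startup_check({"JWT_SECRET": secrets.token_urlsafe(48)}))
```

In the actual codebase the `load_jwt_secret(os.environ)` call replaces the `os.getenv('JWT_SECRET', 'your-secret-key')` line at module import, so a misconfigured deployment fails at startup rather than silently accepting forged tokens.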