ISSUE_NUMBER: GH-2
Description
The JWT signing secret is read from the environment variable JWT_SECRET, but a default value 'your-secret-key' is supplied as a fallback. This is a security risk: if the environment variable is not set, the application silently starts with a well-known, weak secret key.
File: repositories/jobflowapi/controllers/auth.py
Line: 34
Severity: critical
Current Behavior
The application uses a weak default JWT secret if the JWT_SECRET environment variable is not set.
Expected Behavior
The application should either:
- Raise an exception and refuse to start if the JWT_SECRET environment variable is not set.
- Generate a strong, random secret key at startup if the environment variable is not set.
Suggested Fix
Remove the default value for JWT_SECRET and raise an exception if the environment variable is not set.
Code Context
import os
JWT_SECRET = os.getenv('JWT_SECRET', 'your-secret-key')  # vulnerable: falls back to a public placeholder secret
Additional Notes
This is a critical security vulnerability: anyone who knows the default value can sign JWTs that the application accepts, i.e. forge tokens for arbitrary users.
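The following is an added example of the suggested fix, not code from the jobflowapi repository. It implements both options listed under Expected Behavior: by default it refuses to start when JWT_SECRET is missing, and with allow_ephemeral=True it generates a random secret instead. The function name load_jwt_secret, the exception class, the MIN_SECRET_BYTES threshold (32 bytes, the size RFC 7518 recommends for HS256 keys) and the list of placeholder values are all assumptions made for this example; the env parameter exists so the check can be exercised against a constructed mapping without touching the real environment.

```python
import os
import secrets
from typing import Mapping, Optional

# Assumed minimum: RFC 7518 recommends HS256 keys of at least 256 bits (32 bytes).
MIN_SECRET_BYTES = 32

# Constructed list of placeholder values that must never be accepted as a real secret.
KNOWN_PLACEHOLDER_SECRETS = frozenset({"your-secret-key", "secret", "changeme", "password"})


class MissingJWTSecretError(RuntimeError):
    """Raised at startup when JWT_SECRET is absent or unusable."""


def load_jwt_secret(env: Optional[Mapping[str, str]] = None, *, allow_ephemeral: bool = False) -> str:
    """Return a usable JWT secret or refuse to start.

    env: mapping to read from (defaults to os.environ; a dict can be passed for tests).
    allow_ephemeral: if True and JWT_SECRET is unset, generate a random secret instead
                     of raising. Note that an ephemeral secret invalidates every token on
                     restart and cannot be shared across multiple application instances.
    """
    if env is None:
        env = os.environ
    secret = env.get("JWT_SECRET")

    if not secret:
        if allow_ephemeral:
            # Option 2 from the issue: strong random key, 32 bytes of entropy, URL-safe encoded.
            return secrets.token_urlsafe(MIN_SECRET_BYTES)
        # Option 1 from the issue: no default, fail closed.
        raise MissingJWTSecretError(
            "JWT_SECRET environment variable is not set; refusing to start"
        )

    # Reject well-known placeholders so a copied .env.example cannot reach production.
    if secret in KNOWN_PLACEHOLDER_SECRETS:
        raise MissingJWTSecretError(
            "JWT_SECRET is a known placeholder value; set a real secret"
        )

    # Reject secrets too short to resist offline brute force of HS256 signatures.
    if len(secret.encode("utf-8")) < MIN_SECRET_BYTES:
        raise MissingJWTSecretError(
            f"JWT_SECRET must be at least {MIN_SECRET_BYTES} bytes, got {len(secret.encode('utf-8'))}"
        )
    return secret


if __name__ == "__main__":
    # Constructed inputs; the last call shows the startup failure the fix is meant to produce.
    print("ok:", load_jwt_secret({"JWT_SECRET": secrets.token_urlsafe(32)})[:8] + "...")
    print("ephemeral:", load_jwt_secret({}, allow_ephemeral=True)[:8] + "...")
    try:
        load_jwt_secret({"JWT_SECRET": "your-secret-key"})
    except MissingJWTSecretError as exc:
        print("refused:", exc)
```

In auth.py the vulnerable assignment would become JWT_SECRET = load_jwt_secret(), evaluated once at import time so that a misconfigured deployment fails immediately rather than serving requests with a guessable key. If the ephemeral option is chosen instead, it should be limited to local development, since every restart or additional instance would reject previously issued tokens.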