fix(security): enforce JWT_SECRET as required environment variable #957

Open
anshul23102 wants to merge 1 commit into imDarshanGK:main from anshul23102:fix/707-jwt-secret-required

Conversation

@anshul23102


Summary

This PR fixes the critical JWT secret vulnerability by enforcing JWT_SECRET as a required environment variable. The application now fails fast at startup if JWT_SECRET is not configured, preventing token forgery attacks.

Problem

The backend/app/config.py uses a hardcoded fallback secret when the JWT_SECRET environment variable is not set:

jwt_secret = os.getenv('JWT_SECRET', 'change-this-in-production-min-32-bytes')

This well-known default secret can be exploited by attackers to forge valid JWT tokens for any user_id, gaining authenticated access to protected endpoints.

Solution

  1. Added _required_env() helper function in config.py that raises ValueError if an environment variable is not set or empty
  2. Updated jwt_secret configuration to use _required_env('JWT_SECRET') instead of os.getenv() with fallback
  3. Application fails at startup if JWT_SECRET is missing, preventing deployment with insecure defaults
  4. Clear error messages guide operators to set the required variable before starting the application

Changes

  • backend/app/config.py: Added _required_env() helper and updated jwt_secret line

Security Impact

  • Eliminates known default secret vulnerability (CVSS 9.8)
  • Prevents unauthorized authentication in production deployments
  • Forces secure configuration practices from day one

Testing

  • Application startup fails with clear error message when JWT_SECRET is missing
  • Application starts normally when JWT_SECRET is properly configured
  • Existing authentication flows work unchanged with new configuration

Related Issue

Closes #707


This contribution is part of GSSoC 2026. Please consider adding the gssoc-approved label when reviewed.

- Add _required_env() helper function to enforce mandatory configuration
- Update jwt_secret to use _required_env() instead of fallback to default
- Application now fails fast at startup if JWT_SECRET is not set
- Prevents token forgery attacks from known default secrets

Closes imDarshanGK#707
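The following is an added illustration of the fail-fast pattern this PR describes; it is not the project's config.py and does not reproduce the author's exact helper. The names `_required_env`, `MissingConfigError`, `Settings`, `load_settings` and `startup_check`, and the optional `env` parameter (which exists only so constructed environments can be passed in instead of `os.environ`), are assumptions. It shows the old fallback behaviour beside the hardened loader, and treats a whitespace-only value the same as an empty one.

```python
import os
from dataclasses import dataclass
from typing import Mapping, Optional


class MissingConfigError(ValueError):
    """Raised when a mandatory environment variable is absent or empty.

    Subclasses ValueError so callers expecting the PR's ValueError still match.
    """


def _required_env(name: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Return the value of environment variable `name`, or raise.

    Hypothetical re-creation of the helper the PR describes: the variable must
    be present and non-empty. `env` defaults to os.environ; it is a parameter
    here only so the behaviour can be exercised with constructed mappings.
    """
    source = os.environ if env is None else env
    value = source.get(name)
    if value is None or value.strip() == "":
        raise MissingConfigError(
            f"Required environment variable {name} is not set or is empty. "
            f"Set {name} before starting the application."
        )
    return value


# The weak pattern the PR removes: a well-known fallback means every deployment
# that forgets the variable silently signs tokens with a public value.
INSECURE_DEFAULT = "change-this-in-production-min-32-bytes"


def jwt_secret_with_fallback(env: Optional[Mapping[str, str]] = None) -> str:
    """Old behaviour: os.getenv() with a hardcoded default (do not use)."""
    source = os.environ if env is None else env
    return source.get("JWT_SECRET", INSECURE_DEFAULT)


@dataclass(frozen=True)
class Settings:
    jwt_secret: str


def load_settings(env: Optional[Mapping[str, str]] = None) -> Settings:
    """New behaviour: raise at startup if JWT_SECRET is missing or empty."""
    return Settings(jwt_secret=_required_env("JWT_SECRET", env))


def startup_check(env: Optional[Mapping[str, str]] = None) -> str:
    """Return "ok" or the operator-facing error text.

    Mirrors the PR's stated startup behaviour without terminating the process,
    so the outcome can be inspected programmatically.
    """
    try:
        load_settings(env)
        return "ok"
    except MissingConfigError as exc:
        return str(exc)


if __name__ == "__main__":
    # Constructed environments for demonstration; none of these are real secrets.
    print(jwt_secret_with_fallback({}))          # old: silently uses the public default
    print(startup_check({}))                     # new: refuses to start, names the variable
    print(startup_check({"JWT_SECRET": "   "}))  # whitespace-only is rejected too
    print(startup_check({"JWT_SECRET": "example-only-secret-value"}))  # ok
```

Calling `load_settings()` at module import time, as config.py effectively does, turns a missing variable into a startup failure rather than a runtime surprise; keeping the loader in a function also lets a test exercise both outcomes without touching the real process environment.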
@anshul23102 anshul23102 requested a review from imDarshanGK as a code owner June 8, 2026 12:58

Development

Successfully merging this pull request may close these issues.

[Security][Critical] Default JWT secret allows token forgery when JWT_SECRET env var is unset
