Patch for controllers/auth.py #39

Open
beetle-ai[bot] wants to merge 1 commit into main from fix/1759582944459-5uncga

Conversation

@beetle-ai beetle-ai bot commented Oct 4, 2025

The code now checks if the JWT_SECRET environment variable is set. If not, it prints an error message and exits, preventing the application from starting with the insecure default secret.

Changes made:

  • Replaced: JWT_SECRET = os.getenv('JWT_SECRET', 'your-secret-key')
  • With: import secrets import sys JWT_SECRET = os.getenv('JWT_SECRET') if not JWT_SECRET: print("CRITICAL: J...

Closes: #undefined

File: controllers/auth.py
Branch: fix/1759582944459-5uncga → main

beetle-ai bot commented Oct 4, 2025

🤖 CodeDetector Analysis

🚨 Critical: Missing JWT Secret Configuration

File: controllers/auth.py
Lines: 33-37
Severity: Critical

Problem

The application previously defaulted to a hardcoded secret key if the JWT_SECRET environment variable was not set. This is a major security vulnerability, as it would allow anyone with access to the code to forge JWT tokens. The current change addresses this by exiting the application if the environment variable is not set.

Current Code

JWT_SECRET = os.getenv('JWT_SECRET', 'your-secret-key')

Suggested Fix

import os
import secrets
import sys

# Fail closed: no fallback value, so a missing variable stops startup
# instead of silently signing tokens with a published default.
JWT_SECRET = os.getenv('JWT_SECRET')
if not JWT_SECRET:
    print("CRITICAL: JWT_SECRET environment variable not set. Aborting.")
    sys.exit(1)

Why This Fix Works

  • Prevents the application from running with a default, insecure secret key.
  • Forces the user to explicitly configure the JWT_SECRET environment variable.
  • Improves the overall security posture of the application.

Additional Context

Ensure that the JWT_SECRET environment variable is properly configured in all deployment environments. A strong, randomly generated secret should be used.


Powered by CodeDetector - AI-powered code analysis
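A startup check that extends the suggested fix, added here as an illustrative example rather than code from this PR: it fails closed when JWT_SECRET is missing, additionally rejects the removed 'your-secret-key' placeholder and other obviously weak values, and provides a generator for a strong secret as the Additional Context recommends. MIN_SECRET_BYTES, the placeholder list beyond 'your-secret-key' and the function names are assumptions.

```python
import os
import secrets
import sys

# Values that must never be accepted as a signing key. 'your-secret-key' is the
# default this PR removes; the rest are constructed examples of similar defaults.
INSECURE_DEFAULTS = {"your-secret-key", "secret", "changeme", "password"}
# Assumed minimum: 32 bytes (256 bits), the key size HS256 is designed around.
MIN_SECRET_BYTES = 32


def validate_jwt_secret(value):
    """Return the secret if acceptable, otherwise raise ValueError with a reason."""
    if not value:
        raise ValueError("JWT_SECRET environment variable not set")
    if value.strip().lower() in INSECURE_DEFAULTS:
        raise ValueError("JWT_SECRET is a known placeholder value")
    if len(value.encode("utf-8")) < MIN_SECRET_BYTES:
        raise ValueError(f"JWT_SECRET is shorter than {MIN_SECRET_BYTES} bytes")
    return value


def load_jwt_secret(environ=os.environ):
    """Fail closed: exit the process rather than run with a missing or weak key."""
    try:
        return validate_jwt_secret(environ.get("JWT_SECRET"))
    except ValueError as exc:
        print(f"CRITICAL: {exc}. Aborting.", file=sys.stderr)
        sys.exit(1)


def generate_jwt_secret(nbytes=MIN_SECRET_BYTES):
    """Produce a CSPRNG-backed value suitable for the JWT_SECRET variable."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    # `python check_secret.py generate` prints a fresh secret for deployment;
    # any other invocation validates the current environment and exits 1 on failure.
    if len(sys.argv) > 1 and sys.argv[1] == "generate":
        print(generate_jwt_secret())
    else:
        JWT_SECRET = load_jwt_secret()
        print("JWT_SECRET accepted")
```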
