Patch for controllers/auth.py #45

Open
beetle-ai[bot] wants to merge 1 commit into main from fix/1759588154460-3bwzt

Conversation

beetle-ai bot commented Oct 4, 2025

Removed the default value for JWT_SECRET and raised an exception if the environment variable is not set. Changes made:

  • Replaced: JWT_SECRET = os.getenv('JWT_SECRET', 'your-secret-key')
  • With: JWT_SECRET = os.getenv('JWT_SECRET') if not JWT_SECRET: raise ValueError("JWT_SECRET environment var...

Closes: #44

File: controllers/auth.py
Branch: fix/1759588154460-3bwzt into main


beetle-ai bot commented Oct 4, 2025

🤖 CodeDetector Analysis

🚨 Security Improvement: JWT_SECRET Validation

File: controllers/auth.py
Lines: 33-35
Severity: High

Problem

The application relies on the JWT_SECRET environment variable for signing JWT tokens. If this variable is not set, the application could potentially use a default or empty secret, leading to security vulnerabilities.

Current Code

    JWT_SECRET = os.getenv('JWT_SECRET', 'your-secret-key')

Suggested Fix

    import os

    JWT_SECRET = os.getenv('JWT_SECRET')
    if not JWT_SECRET:
        raise ValueError("JWT_SECRET environment variable must be set")

Why This Fix Works

  • Ensures that the JWT_SECRET environment variable is explicitly set.
  • Prevents the application from using a default or empty secret, mitigating potential security risks.
  • Raises a ValueError if the variable is not set, providing a clear error message and preventing the application from starting with an insecure configuration.

Additional Context

This change is essential for ensuring the security of the application's authentication mechanism. It's important to ensure that the JWT_SECRET environment variable is properly configured in all deployment environments.


Powered by CodeDetector - AI-powered code analysis
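An added example, not code from this PR or from the CodeDetector bot, that carries the fail-closed idea one step further: besides refusing a missing or empty JWT_SECRET, the strict loader also rejects the old placeholder string and any secret shorter than the HS256 hash width. The placeholder list, the 32-byte minimum, and the function names are assumptions for illustration.

```python
import os
import secrets

# Constructed example values (not from the PR): placeholders to refuse outright.
PLACEHOLDER_SECRETS = {"your-secret-key", "secret", "changeme", "password"}
# HS256 keys should be at least as long as the SHA-256 output (32 bytes).
MIN_SECRET_BYTES = 32


class ConfigError(RuntimeError):
    """Raised at startup when the JWT signing secret is missing or unsafe."""


def load_jwt_secret_weak(env=None):
    """The 'before' behaviour the PR removes: silently fall back to a hard-coded default."""
    env = os.environ if env is None else env
    return env.get("JWT_SECRET", "your-secret-key")


def load_jwt_secret(env=None):
    """Fail-closed loader: a missing, empty, placeholder or too-short secret aborts startup."""
    env = os.environ if env is None else env
    value = env.get("JWT_SECRET")
    if not value:  # covers both unset and set-but-empty
        raise ConfigError("JWT_SECRET environment variable must be set")
    if value in PLACEHOLDER_SECRETS:
        raise ConfigError("JWT_SECRET is a known placeholder value; generate a real secret")
    if len(value.encode("utf-8")) < MIN_SECRET_BYTES:
        raise ConfigError(f"JWT_SECRET must be at least {MIN_SECRET_BYTES} bytes")
    return value


def startup_error(env):
    """Return the startup failure message for this environment, or None if it would boot."""
    try:
        load_jwt_secret(env)
    except ConfigError as exc:
        return str(exc)
    return None


def generate_jwt_secret():
    """Operator helper: a 64-hex-character random secret (32 bytes of entropy)."""
    return secrets.token_hex(MIN_SECRET_BYTES)


if __name__ == "__main__":
    print("weak loader, no env var ->", load_jwt_secret_weak({}))
    print("strict loader, no env var ->", startup_error({}))
    print("strict loader, generated secret ->", startup_error({"JWT_SECRET": generate_jwt_secret()}))
```

Running the module with no JWT_SECRET set shows the two behaviours side by side: the weak loader returns the hard-coded default, the strict loader reports the startup error.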
