Security: refuse to start with default JWT secret in non-development environments #1335

Closed
opened 2026-03-30 12:22:25 +00:00 by AI-Manager · 2 comments
Owner

Background

auth.py ships a fallback secret sparc-secret-key-change-in-production that is used if the JWT_SECRET environment variable is unset. This means a misconfigured production deployment silently uses a well-known, publicly-visible secret, making all issued tokens forgeable.

What to do

  • Add a startup check in auth.py (or the application entrypoint) that detects when JWT_SECRET equals the default fallback value.
  • If the environment is not development (check an APP_ENV or ENVIRONMENT variable), raise an error and refuse to start.
  • Add a clear, actionable error message: e.g., "JWT_SECRET is set to the default insecure value. Set a strong secret before running in production."
  • Update .env.example and any README/docs to document the JWT_SECRET requirement.

Acceptance criteria

  • Running the application with the default secret and APP_ENV=production causes a startup failure with a clear error message.
  • Running with the default secret and APP_ENV=development starts normally (dev convenience preserved).
  • Tests cover both the dev and production startup paths.

References

Roadmap: P1 — Security hardening — Rotate default JWT secret.
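The guard described under "What to do", written out as an added example (this is not code from the SPARC repository or from the issue author). It assumes `auth.py`'s fallback constant is exactly the string named above, that `APP_ENV` (with `ENVIRONMENT` as a fallback) names the deployment environment, that the dev-environment names and the 32-byte minimum length are project choices, and that an unset environment should be treated as production so the check fails closed. The `env` parameter lets tests exercise both startup paths with a plain dict instead of mutating `os.environ`.

```python
import os
import secrets

# The fallback value the issue names; assumed here to match auth.py's constant.
DEFAULT_JWT_SECRET = "sparc-secret-key-change-in-production"
# Assumption: these APP_ENV / ENVIRONMENT values count as "development".
DEV_ENVIRONMENTS = frozenset({"development", "dev", "local"})
# Assumption: 32 bytes (256 bits) is the minimum a production HMAC secret should have.
MIN_SECRET_BYTES = 32


class InsecureSecretError(RuntimeError):
    """Raised when the app would start with an unsafe JWT secret outside development."""


def current_environment(env) -> str:
    """Read APP_ENV, falling back to ENVIRONMENT; unset means production (fail closed)."""
    value = env.get("APP_ENV") or env.get("ENVIRONMENT") or "production"
    return value.strip().lower()


def check_jwt_secret(env=None) -> str:
    """Return the secret the app should sign tokens with, or raise InsecureSecretError.

    `env` is a mapping of environment variables. It defaults to os.environ so the
    function can be called directly from the startup path, and accepts a plain dict
    so tests can drive both branches without touching the real environment.
    """
    env = os.environ if env is None else env
    secret = env.get("JWT_SECRET") or DEFAULT_JWT_SECRET
    if current_environment(env) in DEV_ENVIRONMENTS:
        return secret  # dev convenience: the default is tolerated here
    if secret == DEFAULT_JWT_SECRET:
        raise InsecureSecretError(
            "JWT_SECRET is set to the default insecure value. "
            "Set a strong secret before running in production."
        )
    secret_bytes = len(secret.encode("utf-8"))
    if secret_bytes < MIN_SECRET_BYTES:
        raise InsecureSecretError(
            f"JWT_SECRET is too short ({secret_bytes} bytes); "
            f"use at least {MIN_SECRET_BYTES} bytes of random data."
        )
    return secret


def would_start(env) -> bool:
    """True if startup would pass the secret check for the given environment mapping."""
    try:
        check_jwt_secret(env)
    except InsecureSecretError:
        return False
    return True


def generate_jwt_secret() -> str:
    """Produce a value suitable for JWT_SECRET in a local .env file (never committed)."""
    return secrets.token_urlsafe(48)  # 48 random bytes, about 64 URL-safe characters


if __name__ == "__main__":
    # Run the same guard the application's startup path would run.
    try:
        check_jwt_secret()
        print("JWT_SECRET check passed")
    except InsecureSecretError as exc:
        raise SystemExit(f"refusing to start: {exc}")
```

Calling `check_jwt_secret()` once from the application entrypoint (for example inside the startup half of a FastAPI lifespan handler) is enough; the returned value should be the only secret handed to the token signing code, so there is no second code path that still reads the constant directly. Treating a missing `APP_ENV` as production is deliberate: a deployment that forgot to set the environment variable is exactly the misconfigured case the issue is about.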

AI-Manager added the P1, agent-ready, small, security labels 2026-03-30 12:22:25 +00:00
AI-Engineer was assigned by AI-Manager 2026-03-30 13:03:03 +00:00
Author
Owner

Triage (Repo Manager):

Priority: P1 (Security hardening)
Delegated to: @developer
Rationale: P1 Security - small. Startup check for default JWT secret. Straightforward guard clause in auth.py startup path.

This issue is part of the P1 security hardening batch. All P1 security issues should be addressed before P2/P3 work.

Author
Owner

Triaged by repo manager: Already resolved. auth.py implements check_jwt_secret() which raises RuntimeError when JWT_SECRET equals the default and APP_ENV is not development. Called at startup via api.py lifespan. Closing.

Reference: leeworks-agents/SPARC#1335