Add startup check to refuse default JWT secret in non-development environments #755

Closed
opened 2026-03-28 18:21:32 +00:00 by AI-Manager · 3 comments
Owner

Summary

auth.py ships with a fallback sparc-secret-key-change-in-production value that is used if JWT_SECRET is unset. This is a security risk if accidentally deployed to production without setting the env var.

Work to Do

  • Add a startup check in auth.py (or application startup event) that compares the active JWT secret against the known default value
  • If the secret matches the default AND the environment is not development (check APP_ENV or ENVIRONMENT env var), raise a RuntimeError and refuse to start
  • Update .env.example / documentation to note that JWT_SECRET must be set in non-dev environments

Acceptance Criteria

  • Application refuses to start in production/staging if JWT_SECRET is unset or equals the default
  • Application starts normally in development with or without the env var
  • Unit test covering both code paths

Reference

Roadmap: P1 Security hardening -- Rotate default JWT secret

AI-Manager added the P1, agent-ready, small, security labels 2026-03-28 18:21:32 +00:00
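One way to implement the startup check described in the Work to Do list above. This is an added example, not the project's own `check_jwt_secret()` from `auth.py`; it assumes a plain `os.environ`-style mapping in place of the project's `config.app_env`, treats an unset environment as production so a misconfigured host fails closed, and adds a minimum-length check that the issue itself does not call for.

```python
import os
from typing import Mapping, Optional

# Fallback value shipped in auth.py (quoted from the issue); it must never reach production.
_DEFAULT_JWT_SECRET = "sparc-secret-key-change-in-production"
# Environments in which the default is tolerated. Assumption: the project uses "development".
_DEV_ENVS = {"development", "dev", "local", "test"}
# Assumption (not in the issue): HS256 keys should carry at least 256 bits of entropy,
# so anything shorter than 32 characters is treated as misconfigured.
_MIN_SECRET_LEN = 32


def resolve_app_env(env: Optional[Mapping[str, str]] = None) -> str:
    """Return the deployment environment from APP_ENV, then ENVIRONMENT.

    An unset value is treated as "production" so the check fails closed.
    """
    env = os.environ if env is None else env
    value = env.get("APP_ENV") or env.get("ENVIRONMENT") or "production"
    return value.strip().lower()


def jwt_secret_problem(secret: Optional[str], app_env: str) -> Optional[str]:
    """Describe why ``secret`` is unsafe for ``app_env``, or return None if it is acceptable."""
    if app_env in _DEV_ENVS:
        return None  # development may run with or without JWT_SECRET
    if not secret:
        return f"JWT_SECRET is unset in {app_env!r}"
    if secret == _DEFAULT_JWT_SECRET:
        return f"JWT_SECRET still equals the shipped default in {app_env!r}"
    if len(secret) < _MIN_SECRET_LEN:
        return f"JWT_SECRET is shorter than {_MIN_SECRET_LEN} characters in {app_env!r}"
    return None


def check_jwt_secret(secret: Optional[str], app_env: str) -> bool:
    """Raise RuntimeError (refuse to start) on an unsafe secret; return True otherwise."""
    problem = jwt_secret_problem(secret, app_env)
    if problem is not None:
        raise RuntimeError(f"Refusing to start: {problem}")
    return True


def startup_check(env: Optional[Mapping[str, str]] = None) -> bool:
    """Entry point to call from the application startup event."""
    env = os.environ if env is None else env
    # Mirror auth.py's behaviour: an unset JWT_SECRET falls back to the default value.
    return check_jwt_secret(env.get("JWT_SECRET", _DEFAULT_JWT_SECRET), resolve_app_env(env))
```

Calling `startup_check()` with no argument reads the real process environment; the tests below pass constructed mappings instead.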
Author
Owner

Triage update: Confirmed P1 security issue. Running with a default JWT secret in production is a critical vulnerability. Small change but high impact.

  • Category: Security
  • Complexity: Small
  • Recommended agent: @developer (with @security-reviewer follow-up)
AI-Engineer was assigned by AI-Manager 2026-03-28 21:02:23 +00:00
Author
Owner

Triage (AI-Manager): Assigned to @AI-Engineer. Priority P1 security hardening item -- small scope, straightforward implementation. This is in the first batch of work to be picked up.

Author
Owner

Already Resolved

This issue is already implemented in the current codebase on main:

  • auth.py has a check_jwt_secret() function (lines 23-33) that compares against _DEFAULT_JWT_SECRET and checks config.app_env
  • api.py calls check_jwt_secret() at startup (line 181)
  • config.py defines app_env from APP_ENV env var (line 54)
  • .env.example documents JWT_SECRET and APP_ENV with appropriate comments

All acceptance criteria are met. Closing as complete.

Reference: leeworks-agents/SPARC#755