Skip to content

Remove insecure JWT secret fallback to literal string 'secret' #283

Description

@JSE19

Description: Both hashToken() and issueJwt() in Sep10Service use this.configService.get('SEP10_JWT_SECRET') || 'secret' as fallback. If the env var is empty or unset at runtime, the JWT secret becomes the literal string 'secret'. An attacker who knows this can forge valid JWTs arbitrarily.
Acceptance Criteria:

  • Remove the '|| 'secret' fallback from both hashToken() and issueJwt()
  • Throw a Configuration error if SEP10_JWT_SECRET is missing at startup
  • The Joi validation schema already requires min(32) for SEP10_JWT_SECRET
  • Unit test verifies that empty secret throws instead of fallback

Metadata

Metadata

Assignees

Labels

Stellar WaveIssues in the Stellar wave programbugSomething isn't working

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions