gmakstutis/cognee
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix security issue: Hardcoded JWT Secret Fallback in Authentication System (CWE-798)

Browse source
This commit is contained in:
pensarapp[bot] 2025-06-09 16:52:07 +00:00 committed by GitHub
parent ecbabbd261
commit b559c91da1
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 7 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
cognee/modules/users/methods/get_authenticated_user.py
View file

@ -28,8 +28,13 @@ async def get_authenticated_user(
token = creds.credentials token = creds.credentials
try: try:
secret = os.getenv("FASTAPI_USERS_JWT_SECRET")
if not secret:
raise HTTPException(
status_code=500, detail="JWT secret key is not configured on the server"
)
payload = jwt.decode( payload = jwt.decode(
token, os.getenv("FASTAPI_USERS_JWT_SECRET", "super_secret"), algorithms=["HS256"] token, secret, algorithms=["HS256"]
) )
auth_data = SimpleNamespace(id=UUID(payload["user_id"])) auth_data = SimpleNamespace(id=UUID(payload["user_id"]))
@ -38,4 +43,4 @@ async def get_authenticated_user(
except jwt.ExpiredSignatureError: except jwt.ExpiredSignatureError:
raise HTTPException(status_code=401, detail="Token has expired") raise HTTPException(status_code=401, detail="Token has expired")
except jwt.InvalidTokenError: except jwt.InvalidTokenError:
raise HTTPException(status_code=401, detail="Invalid token") raise HTTPException(status_code=401, detail="Invalid token")