From bbffdc6af23425771f9afeab84c69ddb48deee5e Mon Sep 17 00:00:00 2001
From: "pensarapp[bot]" <182705637+pensarapp[bot]@users.noreply.github.com>
Date: Thu, 22 May 2025 08:47:15 +0000
Subject: [PATCH] Fix security issue: Hardcoded JWT Secret in Authentication System (CWE-798)

---
 .../modules/users/methods/get_authenticated_user.py | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/cognee/modules/users/methods/get_authenticated_user.py b/cognee/modules/users/methods/get_authenticated_user.py
index ae7825202..f35b72820 100644
--- a/cognee/modules/users/methods/get_authenticated_user.py
+++ b/cognee/modules/users/methods/get_authenticated_user.py
@@ -17,8 +17,15 @@ async def get_authenticated_user(authorization: str = Header(...)) -> SimpleName
     if scheme.lower() != "bearer":
         raise HTTPException(status_code=401, detail="Invalid authentication scheme")
 
+    jwt_secret = os.getenv("FASTAPI_USERS_JWT_SECRET")
+    if not jwt_secret:
+        raise HTTPException(
+            status_code=500,
+            detail="JWT secret missing: FASTAPI_USERS_JWT_SECRET environment variable not set"
+        )
+
     payload = jwt.decode(
-        token, os.getenv("FASTAPI_USERS_JWT_SECRET", "super_secret"), algorithms=["HS256"]
+        token, jwt_secret, algorithms=["HS256"]
     )
 
     if payload["tenant_id"]:
@@ -38,4 +45,4 @@ async def get_authenticated_user(authorization: str = Header(...)) -> SimpleName
     except jwt.ExpiredSignatureError:
         raise HTTPException(status_code=401, detail="Token has expired")
     except jwt.InvalidTokenError:
-        raise HTTPException(status_code=401, detail="Invalid token")
+        raise HTTPException(status_code=401, detail="Invalid token")
\ No newline at end of file
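Review bot: The new 500 response in the first hunk echoes the name of the missing environment variable (`FASTAPI_USERS_JWT_SECRET`) in the response body, which discloses server configuration to an unauthenticated caller; the client-facing detail should be generic and the specifics logged server-side, e.g. `detail="Authentication service misconfigured"` preceded by `logger.error("FASTAPI_USERS_JWT_SECRET is not set")`, assuming a module logger exists in this file (the hunk does not show one). Reading and validating the secret on every request also means a misconfigured deployment only fails on the first authenticated call; a startup-time check in the application's settings would surface it earlier, though that lives outside this file. Pinning `algorithms=["HS256"]` in the decode call is correct and should stay. The `try` whose `except` clauses appear in the second hunk starts outside the first hunk, so whether a broader handler there could swallow the new HTTPException cannot be confirmed from this view.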