From e47fda4872ea33c8ae0b4f0ea14a50bfcbe291e0 Mon Sep 17 00:00:00 2001
From: maozhen
Date: Mon, 29 Dec 2025 14:39:13 +0800
Subject: [PATCH] ```
fix(auth): add error handling for JWT lifetime configuration
- Add try-catch block to handle invalid JWT_LIFETIME_SECONDS environment variable
- Default to 360 seconds when environment variable is not a valid integer
- Apply same fix to both API and client authentication backends
docs(docker): add security warning for CORS configuration
- Add comment warning about default CORS_ALLOWED_ORIGINS setting
- Emphasize need to override wildcard with specific domains in production
```
---
 cognee/modules/users/authentication/get_api_auth_backend.py | 5 ++++-
 .../modules/users/authentication/get_client_auth_backend.py | 5 ++++-
 docker-compose.yml | 1 +
 3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/cognee/modules/users/authentication/get_api_auth_backend.py b/cognee/modules/users/authentication/get_api_auth_backend.py
index 4c11d3903..ffb591a9d 100644
--- a/cognee/modules/users/authentication/get_api_auth_backend.py
+++ b/cognee/modules/users/authentication/get_api_auth_backend.py
@@ -16,7 +16,10 @@ def get_api_auth_backend():
 def get_jwt_strategy() -> JWTStrategy[models.UP, models.ID]:
 secret = os.getenv("FASTAPI_USERS_JWT_SECRET", "super_secret")
- lifetime_seconds = int(os.getenv("JWT_LIFETIME_SECONDS", "3600"))
+ try:
+ lifetime_seconds = int(os.getenv("JWT_LIFETIME_SECONDS", "3600"))
+ except ValueError:
+ lifetime_seconds = 3600
 return APIJWTStrategy(secret, lifetime_seconds=lifetime_seconds)
diff --git a/cognee/modules/users/authentication/get_client_auth_backend.py b/cognee/modules/users/authentication/get_client_auth_backend.py
index ba5dad2b3..bf794377d 100644
--- a/cognee/modules/users/authentication/get_client_auth_backend.py
+++ b/cognee/modules/users/authentication/get_client_auth_backend.py
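Review bot: The new `except ValueError` branch in get_jwt_strategy silently replaces a misconfigured JWT_LIFETIME_SECONDS with 3600, so an operator who intended a short token lifetime gets an hour-long one with no signal; the identical block appears in the get_client_auth_backend.py hunk, and the commit message's "360 seconds" matches neither. At minimum log the rejected value and the fallback actually used, and reject non-positive integers, which `int()` accepts but which are unlikely to be meaningful lifetimes (how the strategy treats them is not visible here). Since both backends carry the same copy, a shared helper such as the `_jwt_lifetime_seconds()` sketched below would keep them from drifting; `logger` in the sketch stands for whatever logger the module already has. The adjacent, unchanged `"super_secret"` default for FASTAPI_USERS_JWT_SECRET is outside this change but is the larger risk in this function and should fail at startup rather than be used to sign tokens; the enclosing get_api_auth_backend() starts above the hunk.
```python
def _jwt_lifetime_seconds(default: int = 3600) -> int:
    """Read JWT_LIFETIME_SECONDS; fall back to `default` on a non-integer value, reject non-positive ones."""
    raw = os.getenv("JWT_LIFETIME_SECONDS", str(default))
    try:
        lifetime = int(raw)
    except ValueError:
        # logger: placeholder for the module's logger
        logger.warning("JWT_LIFETIME_SECONDS=%r is not an integer; using %d", raw, default)
        return default
    if lifetime <= 0:
        raise ValueError(f"JWT_LIFETIME_SECONDS must be a positive integer, got {lifetime}")
    return lifetime

# … unchanged: get_jwt_strategy signature and secret lookup …
        lifetime_seconds = _jwt_lifetime_seconds()
        return APIJWTStrategy(secret, lifetime_seconds=lifetime_seconds)
```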
@@ -18,7 +18,10 @@ def get_client_auth_backend():
 from .default.default_jwt_strategy import DefaultJWTStrategy
 secret = os.getenv("FASTAPI_USERS_JWT_SECRET", "super_secret")
- lifetime_seconds = int(os.getenv("JWT_LIFETIME_SECONDS", "3600"))
+ try:
+ lifetime_seconds = int(os.getenv("JWT_LIFETIME_SECONDS", "3600"))
+ except ValueError:
+ lifetime_seconds = 3600
 return DefaultJWTStrategy(secret, lifetime_seconds=lifetime_seconds)
diff --git a/docker-compose.yml b/docker-compose.yml
index 7df3c5695..ac5aebb39 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -15,6 +15,7 @@ services:
 - HOST=0.0.0.0
 - ENVIRONMENT=local
 - LOG_LEVEL=INFO
+ # CAUTION: Default '*' allows all origins. Override with specific domains in production.
 - CORS_ALLOWED_ORIGINS=${CORS_ALLOWED_ORIGINS:-*}
 extra_hosts:
 # Allows the container to reach your local machine using "host.docker.internal" instead of "localhost"
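Review bot: In the docker-compose.yml hunk the added CAUTION comment documents the permissive default but leaves `${CORS_ALLOWED_ORIGINS:-*}` in place, so a deployment that copies this file unchanged still ships with every origin allowed; a comment is not a control. Consider a restrictive default (`- CORS_ALLOWED_ORIGINS=${CORS_ALLOWED_ORIGINS:-<frontend-origin placeholder>}`) or dropping the fallback so the application's own default applies — how the application interprets `*`, and whether it is combined with credentialed responses, is not visible from this hunk. If the wildcard must stay for local development, the comment would be more actionable naming the override: `# CAUTION: '*' allows every origin; set CORS_ALLOWED_ORIGINS to the trusted domains before deploying to production.`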