gmakstutis/cognee
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix security issue: Hard-coded JWT Secret Key in Authentication Backend (CWE-798)

Browse source
This commit is contained in:
pensarapp[bot] 2025-06-09 16:52:29 +00:00 committed by GitHub
parent ecbabbd261
commit ed988b5b50
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
1 changed files with 6 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
cognee/modules/users/authentication/get_auth_backend.py
View file

@ -29,7 +29,11 @@ def get_auth_backend():
bearer_transport = BearerTransport(tokenUrl="api/v1/auth/login") bearer_transport = BearerTransport(tokenUrl="api/v1/auth/login")
def get_jwt_strategy() -> JWTStrategy[models.UP, models.ID]: def get_jwt_strategy() -> JWTStrategy[models.UP, models.ID]:
secret = os.getenv("FASTAPI_USERS_JWT_SECRET", "super_secret") secret = os.getenv("FASTAPI_USERS_JWT_SECRET")
if not secret:
raise RuntimeError(
"FASTAPI_USERS_JWT_SECRET environment variable must be set and non-empty for JWT authentication."
)
return CustomJWTStrategy(secret, lifetime_seconds=3600) return CustomJWTStrategy(secret, lifetime_seconds=3600)
auth_backend = AuthenticationBackend( auth_backend = AuthenticationBackend(