Fix security issue: Hardcoded JWT Secret in Authentication System (CWE-798)

2025-05-22 08:47:15 +00:00
1 changed files with 9 additions and 2 deletions
--- a/cognee/modules/users/methods/get_authenticated_user.py
+++ b/cognee/modules/users/methods/get_authenticated_user.py
@ -17,8 +17,15 @@ async def get_authenticated_user(authorization: str = Header(...)) -> SimpleName
        if scheme.lower() != "bearer":
            raise HTTPException(status_code=401, detail="Invalid authentication scheme")

+        jwt_secret = os.getenv("FASTAPI_USERS_JWT_SECRET")
+        if not jwt_secret:
+            raise HTTPException(
+                status_code=500,
+                detail="JWT secret missing: FASTAPI_USERS_JWT_SECRET environment variable not set"
+            )
+
        payload = jwt.decode(
-            token, os.getenv("FASTAPI_USERS_JWT_SECRET", "super_secret"), algorithms=["HS256"]
+            token, jwt_secret, algorithms=["HS256"]
        )

        if payload["tenant_id"]:
@ -38,4 +45,4 @@ async def get_authenticated_user(authorization: str = Header(...)) -> SimpleName
    except jwt.ExpiredSignatureError:
        raise HTTPException(status_code=401, detail="Token has expired")
    except jwt.InvalidTokenError:
-        raise HTTPException(status_code=401, detail="Invalid token")
+        raise HTTPException(status_code=401, detail="Invalid token")