
fix: remove the default value of process.env.JWT_SECRET#7

Merged: hexqi merged 1 commit into opentiny:main from wuyiping0628:wyp/delete-env-0506 on May 6, 2026

Conversation

@wuyiping0628 (Contributor) commented May 6, 2026

English | 简体中文

PR

PR Checklist

Please check if your PR fulfills the following requirements:

  • The commit message follows our Commit Message Guidelines
  • Tests for the changes have been added (for bug fixes / features)
  • Docs have been added / updated (for bug fixes / features)
  • Built its own designer, fully self-validated

PR Type

What kind of change does this PR introduce?

  • Bugfix
  • Feature
  • Code style update (formatting, local variables)
  • Refactoring (no functional changes, no api changes)
  • Build related changes
  • CI related changes
  • Documentation content changes
  • Other... Please describe:

Background and solution

What is the current behavior?

Issue Number: N/A

What is the new behavior?

Does this PR introduce a breaking change?

  • Yes
  • No

Other information

Summary by CodeRabbit

  • Chores
    • JWT authentication configuration has been updated to require explicit environment variable setup. The JWT_SECRET setting is now sourced entirely from the JWT_SECRET environment variable rather than using a built-in default value. Please ensure your deployment environment has the JWT_SECRET variable properly configured for authentication functionality.

@coderabbitai (Bot) commented May 6, 2026

Walkthrough

A JWT configuration secret fallback is updated from a hard-coded UUID to an empty string, forcing explicit environment variable configuration. This is a single-line change affecting only the authentication configuration module.

Changes

JWT Configuration Security

Layer: Configuration Update
File(s): extensions/users-permissions/config/jwt.js
Summary: jwtSecret fallback value changed from the hard-coded UUID '873ad24f-5b34-4eed-a015-3a82b767728c' to the empty string '', requiring explicit JWT_SECRET environment variable setup.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐰 A secret once carved in stone,
Now whispers: "Set your own throne!"
No defaults to hide,
Just truth, side by side,
Security blooms when seeds are sown. 🌱

🚥 Pre-merge checks: ✅ 5 passed
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Linked Issues check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: ✅ Passed. Check skipped because no linked issues were found for this pull request.
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title accurately describes the main change: removing the hard-coded default value from JWT_SECRET configuration, leaving only the environment variable fallback.


@coderabbitai (Bot) left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@extensions/users-permissions/config/jwt.js`:
- Line 13: The jwtSecret configuration currently falls back to an empty string
which defers a hard failure; change it to require JWT_SECRET at startup by
checking process.env.JWT_SECRET and throwing a clear Error if it's missing, then
assign jwtSecret to process.env.JWT_SECRET (remove the || '' fallback) so the
users-permissions plugin fails fast; reference the jwtSecret export and ensure
the thrown error occurs before the config object is returned/used.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: f7e5f62e-abf3-4ddf-b677-fbf73cdedb3c

📥 Commits

Reviewing files that changed from the base of the PR and between 6ba323a and afc417f.

📒 Files selected for processing (1)
  • extensions/users-permissions/config/jwt.js

*/
module.exports = {
jwtSecret: process.env.JWT_SECRET || '873ad24f-5b34-4eed-a015-3a82b767728c',
jwtSecret: process.env.JWT_SECRET || '',
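Review bot: the replacement line still silently accepts a missing `JWT_SECRET` by substituting `''`, so a deployment that forgot to set the variable only fails when the first token is signed or verified, not at startup. Read the variable into a local, throw when it is unset or empty, and only then build the exported object, for example `const jwtSecret = process.env.JWT_SECRET; if (!jwtSecret) throw new Error('Missing required env var: JWT_SECRET');` ahead of `module.exports`.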


⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

For Strapi v3.5.3 users-permissions, what happens if extensions/users-permissions/config/jwt.js sets jwtSecret to an empty string? Does authentication fail, or can tokens be signed/verified with an empty secret?

💡 Result:

If extensions/users-permissions/config/jwt.js sets jwtSecret to an empty string in Strapi v3.5.3, authentication will not work with Strapi-issued JWTs (and you should expect JWT signing/verification to fail). Reasoning grounded in Strapi’s own JWT configuration guidance: Strapi’s Users & Permissions JWTs are digitally signed, and “to sign a token a secret is required”. Strapi’s default behavior is to generate/store a secret in extensions/users-permissions/config/jwt.js, and it recommends supplying a custom JWT_SECRET via environment variable for production use [1][2]. That implies Strapi requires a non-empty secret value for HMAC signing and verification. Additionally, Strapi’s users-permissions plugin has been observed to error when the JWT secret is missing/invalid rather than silently accepting it (e.g., “Missing jwtSecret. Please, set configuration variable ‘jwtSecret’ …” reported by users when configuration isn’t present) [3]. While those reports don’t explicitly mention the empty-string case, the security requirement (“secret is required”) and the plugin’s behavior for missing configuration strongly indicate that an empty string will be treated as an unusable secret for signing/verifying. Practical conclusion: set jwtSecret to a non-empty value (recommended: a strong random value provided via JWT_SECRET), not '' [1][2]. If you currently have '', update it and ensure any already-issued tokens are regenerated.


🏁 Script executed:

# Check if the file exists and read the relevant section
if [ -f "extensions/users-permissions/config/jwt.js" ]; then
  echo "=== File exists. Content with line numbers ==="
  cat -n "extensions/users-permissions/config/jwt.js"
else
  echo "File not found at: extensions/users-permissions/config/jwt.js"
  echo "Searching for jwt.js files in the repo..."
  find . -name "jwt.js" -type f 2>/dev/null | head -20
fi

Repository: opentiny/tiny-engine-data-center

Length of output: 750


🏁 Script executed:

# Search for other jwtSecret or JWT_SECRET references in the codebase
echo "=== Searching for jwtSecret references ==="
rg "jwtSecret" --type js --type ts -i -A 2 -B 2 | head -100

echo ""
echo "=== Searching for JWT_SECRET environment variable references ==="
rg "JWT_SECRET" --type js --type ts -A 2 -B 2 | head -100

Repository: opentiny/tiny-engine-data-center

Length of output: 915


🏁 Script executed:

# Check Strapi and users-permissions versions in package.json or similar
echo "=== Checking package.json for Strapi/users-permissions versions ==="
if [ -f "package.json" ]; then
  cat package.json | grep -A 5 -B 5 "strapi\|users-permission" | head -50
fi

echo ""
echo "=== Checking for strapi version in root or plugin files ==="
find . -name "package.json" -type f | xargs grep -l "strapi" 2>/dev/null | head -5

Repository: opentiny/tiny-engine-data-center

Length of output: 1151


Require JWT_SECRET environment variable at startup; do not fall back to empty string.

The empty-string fallback at line 13 will cause JWT operations to fail at runtime. Strapi v3.5.3 users-permissions requires a non-empty secret for signing and verifying tokens. Fail fast during configuration by throwing if JWT_SECRET is absent, rather than deferring the error to auth endpoints.

Suggested fix
-module.exports = {
-  jwtSecret: process.env.JWT_SECRET || '',
-};
+const jwtSecret = process.env.JWT_SECRET;
+
+if (!jwtSecret) {
+  throw new Error('Missing required env var: JWT_SECRET');
+}
+
+module.exports = {
+  jwtSecret,
+};
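Review bot: `if (!jwtSecret)` in the suggested fix rejects both an unset and an empty-string JWT_SECRET, which closes the gap left by `|| ''`; it does not reject a short or guessable value, so the "strong random value" the query result recommends is still left entirely to the operator. Consider a minimum-length check next to the presence check, and keep the throw ahead of `module.exports = {` so the plugin never loads with an unusable secret.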
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@extensions/users-permissions/config/jwt.js` at line 13, The jwtSecret
configuration currently falls back to an empty string which defers a hard
failure; change it to require JWT_SECRET at startup by checking
process.env.JWT_SECRET and throwing a clear Error if it's missing, then assign
jwtSecret to process.env.JWT_SECRET (remove the || '' fallback) so the
users-permissions plugin fails fast; reference the jwtSecret export and ensure
the thrown error occurs before the config object is returned/used.

@hexqi hexqi changed the title feat: remove the default value of process.env.JWT_SECRET fix: remove the default value of process.env.JWT_SECRET May 6, 2026
@hexqi hexqi merged commit 1fc2947 into opentiny:main May 6, 2026
1 check passed