2 changes: 1 addition & 1 deletion extensions/users-permissions/config/jwt.js
@@ -10,5 +10,5 @@
*
*/
module.exports = {
jwtSecret: process.env.JWT_SECRET || '873ad24f-5b34-4eed-a015-3a82b767728c',
jwtSecret: process.env.JWT_SECRET || '',

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

🧩 Analysis chain

🌐 Web query:

For Strapi v3.5.3 users-permissions, what happens if extensions/users-permissions/config/jwt.js sets jwtSecret to an empty string? Does authentication fail, or can tokens be signed/verified with an empty secret?

💡 Result:

If extensions/users-permissions/config/jwt.js sets jwtSecret to an empty string in Strapi v3.5.3, authentication will not work with Strapi-issued JWTs (and you should expect JWT signing/verification to fail). Reasoning grounded in Strapi’s own JWT configuration guidance: Strapi’s Users & Permissions JWTs are digitally signed, and “to sign a token a secret is required”. Strapi’s default behavior is to generate/store a secret in extensions/users-permissions/config/jwt.js, and it recommends supplying a custom JWT_SECRET via environment variable for production use [1][2]. That implies Strapi requires a non-empty secret value for HMAC signing and verification. Additionally, Strapi’s users-permissions plugin has been observed to error when the JWT secret is missing/invalid rather than silently accepting it (e.g., “Missing jwtSecret. Please, set configuration variable ‘jwtSecret’ …” reported by users when configuration isn’t present) [3]. While those reports don’t explicitly mention the empty-string case, the security requirement (“secret is required”) and the plugin’s behavior for missing configuration strongly indicate that an empty string will be treated as an unusable secret for signing/verifying. Practical conclusion: set jwtSecret to a non-empty value (recommended: a strong random value provided via JWT_SECRET), not '' [1][2]. If you currently have '', update it and ensure any already-issued tokens are regenerated.

Citations:


🏁 Script executed:

# Check if the file exists and read the relevant section
if [ -f "extensions/users-permissions/config/jwt.js" ]; then
  echo "=== File exists. Content with line numbers ==="
  cat -n "extensions/users-permissions/config/jwt.js"
else
  echo "File not found at: extensions/users-permissions/config/jwt.js"
  echo "Searching for jwt.js files in the repo..."
  find . -name "jwt.js" -type f 2>/dev/null | head -20
fi

Repository: opentiny/tiny-engine-data-center

Length of output: 750


🏁 Script executed:

# Search for other jwtSecret or JWT_SECRET references in the codebase
echo "=== Searching for jwtSecret references ==="
rg "jwtSecret" --type js --type ts -i -A 2 -B 2 | head -100

echo ""
echo "=== Searching for JWT_SECRET environment variable references ==="
rg "JWT_SECRET" --type js --type ts -A 2 -B 2 | head -100

Repository: opentiny/tiny-engine-data-center

Length of output: 915


🏁 Script executed:

# Check Strapi and users-permissions versions in package.json or similar
echo "=== Checking package.json for Strapi/users-permissions versions ==="
if [ -f "package.json" ]; then
  cat package.json | grep -A 5 -B 5 "strapi\|users-permission" | head -50
fi

echo ""
echo "=== Checking for strapi version in root or plugin files ==="
find . -name "package.json" -type f | xargs grep -l "strapi" 2>/dev/null | head -5

Repository: opentiny/tiny-engine-data-center

Length of output: 1151


Require JWT_SECRET environment variable at startup; do not fall back to empty string.

The empty-string fallback at line 13 will cause JWT operations to fail at runtime. Strapi v3.5.3 users-permissions requires a non-empty secret for signing and verifying tokens. Fail fast during configuration by throwing if JWT_SECRET is absent, rather than deferring the error to auth endpoints.

Suggested fix
-module.exports = {
-  jwtSecret: process.env.JWT_SECRET || '',
-};
+const jwtSecret = process.env.JWT_SECRET;
+
+if (!jwtSecret) {
+  throw new Error('Missing required env var: JWT_SECRET');
+}
+
+module.exports = {
+  jwtSecret,
+};
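Review bot: `if (!jwtSecret)` in the suggested fix rejects only the missing and empty cases, so a placeholder such as `JWT_SECRET=changeme` still passes the guard and ends up as the HS256 key. Since this file exists only to supply that key, pair the presence check with a minimum-length check (RFC 7518 requires an HMAC key at least as long as the hash output, 32 bytes for HS256), and keep the thrown message free of the secret's value so a startup failure never writes it to logs.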
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@extensions/users-permissions/config/jwt.js` at line 13, The jwtSecret
configuration currently falls back to an empty string which defers a hard
failure; change it to require JWT_SECRET at startup by checking
process.env.JWT_SECRET and throwing a clear Error if it's missing, then assign
jwtSecret to process.env.JWT_SECRET (remove the || '' fallback) so the
users-permissions plugin fails fast; reference the jwtSecret export and ensure
the thrown error occurs before the config object is returned/used.

};
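Review bot: the removed default `'873ad24f-5b34-4eed-a015-3a82b767728c'` has been committed in this file, so treat it as compromised rather than merely deleted: every deployment that ran without `JWT_SECRET` set signed its tokens with it, and those tokens stay valid until that deployment restarts with a fresh secret. Rotate the secret on those deployments as part of this change. The new `|| ''` fallback does not open a forgery path by itself (the analysis above confirms Strapi's signing and verification fail on an empty secret), but it turns a missing variable into a failure on the first login instead of a failure at startup; drop the fallback and check the variable once at load time, and record `JWT_SECRET` as a required setting in the deployment docs so it is set everywhere this file is used.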