lib/helpers/config.js JWT_DEFAULT_SECRETS hardcodes a set of default dev JWT secret values that are named after specific consumer projects. In a public OSS stack these are downstream references that should not appear in the repo (per the project's no-consumer-refs convention).
Impact: low — these are dev-only placeholder secrets (production must set a real secret; see the fail-closed validateJwtSecret path). The concern is repo hygiene / information leak, not an exploitable secret.
Action:
- Replace the consumer-named entries with generic placeholders (e.g. Project1NodeDevSecret), OR
- Restructure so per-consumer dev secrets live in each consumer's own downstream config, leaving the stack with a single generic default.
Surfaced during a security-audit pre-push review (epic #3848). Pre-existing — not introduced by that epic.