fix: require explicit JWT secret configuration#301

Merged
hexqi merged 1 commit into opentiny:develop from hexqi:fix/jwt
Apr 17, 2026
Conversation

@hexqi hexqi commented Apr 17, 2026

Summary

  • remove the hard-coded fallback JWT secret and require SECRET_STRING
  • fail fast at startup when the JWT secret is missing or invalid
  • rename the env var name constant for clarity and use UTF-8 when building the signing key

Testing

  • not run: mvn -pl base -DskipTests compile could not start because JAVA_HOME is not configured in this environment

Summary by CodeRabbit

Release Notes

  • Bug Fixes
    • JWT secret validation now occurs at application startup, failing immediately if not properly configured.
    • Secret key encoding now uses UTF-8 charset consistently across the system.

coderabbitai Bot commented Apr 17, 2026

Warning

Rate limit exceeded

@hexqi has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 57 minutes and 30 seconds before requesting another review.

Your organization is not enrolled in usage-based pricing. Contact your admin to enable usage-based pricing to continue reviews beyond the rate limit, or try again in 57 minutes and 30 seconds.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ec3adad5-c6b6-4990-a181-7ba23c188345

📥 Commits

Reviewing files that changed from the base of the PR and between f3180fb and ff3b3ba.

📒 Files selected for processing (1)
  • base/src/main/java/com/tinyengine/it/login/utils/JwtUtil.java

Walkthrough

JWT secret configuration now enforces strict validation at startup. The change removes fallback default secret behavior, adds mandatory @PostConstruct validation that throws IllegalStateException on missing/blank secrets, makes secret retrieval fail-fast, and standardizes secret encoding to UTF-8 charset.

Changes

Cohort / File(s): JWT Secret Configuration
  • base/src/main/java/com/tinyengine/it/login/utils/JwtUtil.java

Summary: Removed default secret fallback; added startup-time validation via validateSecretConfiguration() @PostConstruct method; made getSecretString() throw IllegalStateException on missing/blank values; changed secret encoding from platform-default to UTF-8 charset; updated imports to use jakarta.annotation.PostConstruct.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

Poem

🐰 A secret once hidden with care,
Now checked before startup's first prayer,
No defaults to hide,
UTF-8 as guide,
Strict validation keeps mischief bare! ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
  • Description Check: ✅ Passed. Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check: ✅ Passed. The title clearly and concisely describes the primary change: enforcing explicit JWT secret configuration instead of using fallback defaults.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🧹 Nitpick comments (1)
base/src/main/java/com/tinyengine/it/login/utils/JwtUtil.java (1)

62-74: Consider caching the derived SecretKey.

getSecretKey() is invoked on every token generation/parse/validation call, each time hitting System.getenv and rebuilding the HMAC key. Since SECRET_STRING is validated once at startup and is not expected to change at runtime, you can compute the SecretKey once (e.g., in validateSecretConfiguration() into a private SecretKey secretKey field, or a static final lazily initialized holder) and reuse it. Minor, but removes repeated allocation/env lookups on a hot path.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@base/src/main/java/com/tinyengine/it/login/utils/JwtUtil.java` around lines
62 - 74, getSecretKey() currently calls getSecretString() on every use which
repeats System.getenv and rebuilds the HMAC key; compute and cache the SecretKey
once and reuse it: add a private static final (or a private static volatile with
lazy holder) SecretKey field and initialize it either at class load or inside
validateSecretConfiguration() after validating SECRET_ENV_NAME, then have
getSecretKey() return that cached field instead of recreating it each call.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@base/src/main/java/com/tinyengine/it/login/utils/JwtUtil.java`:
- Around line 49-60: validateSecretConfiguration() in JwtUtil now throws on
missing SECRET_STRING/SECRET_ENV_NAME which will break existing containers;
update deployment manifests and docs to inject this env var and document the
breaking change. Modify the tiny-engine-back service environment in
docker-compose.yml and the Dockerfile (and any sample .env or README) to define
SECRET_STRING (or set SECRET_ENV_NAME to the correct variable), ensure
JwtUtil.getSecretKey() can read it at container start, and add a clear note in
the PR/release notes that SECRET_STRING is required before upgrading.
- Around line 72-74: The current getSecretKey() uses
Keys.hmacShaKeyFor(getSecretString().getBytes(...)) which will throw
WeakKeyException for secrets under 32 bytes and, combined with the
`@PostConstruct` validateSecretConfiguration check, will block startup; update
validateSecretConfiguration (and any startup check) to explicitly validate the
SECRET_STRING length in UTF-8 bytes (require >=32 bytes for HS256) and throw a
clear, distinct IllegalStateException messages for missing vs too-short/weak
secrets (e.g., "SECRET_STRING is not set" vs "SECRET_STRING is too weak: must be
at least 32 bytes/characters in UTF-8"); alternatively catch WeakKeyException in
getSecretKey() and rethrow a clearer exception referencing SECRET_STRING; also
update README/deployment docs to state the minimum 32-byte requirement for
SECRET_STRING.

---

Nitpick comments:
In `@base/src/main/java/com/tinyengine/it/login/utils/JwtUtil.java`:
- Around line 62-74: getSecretKey() currently calls getSecretString() on every
use which repeats System.getenv and rebuilds the HMAC key; compute and cache the
SecretKey once and reuse it: add a private static final (or a private static
volatile with lazy holder) SecretKey field and initialize it either at class
load or inside validateSecretConfiguration() after validating SECRET_ENV_NAME,
then have getSecretKey() return that cached field instead of recreating it each
call.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: a619d375-d993-4bc6-958a-50004cc48487

📥 Commits

Reviewing files that changed from the base of the PR and between 0cad53a and f3180fb.

📒 Files selected for processing (1)
  • base/src/main/java/com/tinyengine/it/login/utils/JwtUtil.java
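The startup check the PR description and the review comments above describe, written as an added example that is not the project's JwtUtil: it reads SECRET_STRING once, raises distinct IllegalStateException messages for a missing secret versus one shorter than 32 UTF-8 bytes (the HS256 minimum that jjwt's Keys.hmacShaKeyFor would otherwise reject at first use with WeakKeyException), builds the key with an explicit UTF-8 charset and caches it instead of recomputing it per call. The class name JwtSecretConfig, the MIN_SECRET_BYTES constant and the use of javax.crypto.spec.SecretKeySpec in place of jjwt are assumptions; the sample secrets in main are constructed.

```java
import java.nio.charset.StandardCharsets;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical fail-fast JWT secret holder (example, not the project's code). Java 11+. */
public final class JwtSecretConfig {
    static final String SECRET_ENV_NAME = "SECRET_STRING";
    // HS256 requires a key of at least 256 bits; jjwt's Keys.hmacShaKeyFor throws
    // WeakKeyException below this, so the check is made explicit here with a clear message.
    static final int MIN_SECRET_BYTES = 32;

    private final SecretKey secretKey; // derived once at startup, reused on every sign/verify

    JwtSecretConfig(String rawSecret) {
        this.secretKey = buildKey(validate(rawSecret));
    }

    /** What a @PostConstruct hook would do: read the env var and fail the startup if invalid. */
    public static JwtSecretConfig fromEnvironment() {
        return new JwtSecretConfig(System.getenv(SECRET_ENV_NAME));
    }

    /** Distinguishes "not set" from "too weak"; length is measured in UTF-8 bytes, not chars. */
    static String validate(String rawSecret) {
        if (rawSecret == null || rawSecret.isBlank()) {
            throw new IllegalStateException(SECRET_ENV_NAME + " is not set");
        }
        int byteLength = rawSecret.getBytes(StandardCharsets.UTF_8).length;
        if (byteLength < MIN_SECRET_BYTES) {
            throw new IllegalStateException(SECRET_ENV_NAME + " is too weak: " + byteLength
                    + " UTF-8 bytes, need at least " + MIN_SECRET_BYTES);
        }
        return rawSecret;
    }

    private static SecretKey buildKey(String secret) {
        // Explicit UTF-8 instead of the platform default charset, as the PR does
        return new SecretKeySpec(secret.getBytes(StandardCharsets.UTF_8), "HmacSHA256");
    }

    public SecretKey getSecretKey() { return secretKey; }

    public static void main(String[] args) {
        // Constructed samples: missing, blank, too short, 20 two-byte chars (40 bytes), 32 bytes
        String[] samples = { null, "   ", "short-secret", "ä".repeat(20), "x".repeat(32) };
        for (String s : samples) {
            try {
                JwtSecretConfig cfg = new JwtSecretConfig(s);
                System.out.println("accepted: " + cfg.getSecretKey().getEncoded().length + " key bytes");
            } catch (IllegalStateException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The fourth sample shows why the check must count UTF-8 bytes rather than characters: 20 non-ASCII characters already exceed the 32-byte minimum, while a 20-character ASCII secret would not.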

@hexqi hexqi merged commit c5147b9 into opentiny:develop Apr 17, 2026
1 check passed