JWT_SECRET_KEY fix: added validation, + updated .env + added tests

Author: Max Azatian

backend/.env

@@ -1,5 +1,5 @@
 PROJECT_NAME=integr8scode
-SECRET_KEY=your_secret_key_here
+JWT_SECRET_KEY=your_secret_key_here
 ALGORITHM=HS256
 ACCESS_TOKEN_EXPIRE_MINUTES=30
 MONGODB_URL=mongodb://mongo:27017/integr8scode

backend/app/config.py

@@ -2,14 +2,14 @@
 
 from app.runtime_registry import EXAMPLE_SCRIPTS as EXEC_EXAMPLE_SCRIPTS
 from app.runtime_registry import SUPPORTED_RUNTIMES as RUNTIME_MATRIX
-from pydantic import Field
+from pydantic import Field, field_validator
 from pydantic_settings import BaseSettings
 
 
 class Settings(BaseSettings):
     PROJECT_NAME: str = "integr8scode"
     API_V1_STR: str = "/api/v1"
-    SECRET_KEY: str = "default_secret_key"
+    SECRET_KEY: str = Field(default=None, env="JWT_SECRET_KEY")
     ALGORITHM: str = "HS256"
     ACCESS_TOKEN_EXPIRE_MINUTES: int = 30
     MONGODB_URL: str = "mongodb://mongo:27017/integr8scode"
@@ -43,6 +43,17 @@ class Settings(BaseSettings):
 
     TESTING: bool = False
 
+    @field_validator("SECRET_KEY")
+    @classmethod
+    def validate_secret_key(cls, v: Optional[str]) -> str:
+        if not v:
+            raise ValueError("JWT_SECRET_KEY environment variable must be set")
+        if len(v) < 32:
+            raise ValueError("JWT_SECRET_KEY must be at least 32 characters long")
+        if v == "your_secret_key_here" or v == "default_secret_key":
+            raise ValueError("JWT_SECRET_KEY must not use default placeholder values")
+        return v
+
     class Config:
         env_file = ".env"
 

backend/tests/unit/test_config.py

@@ -0,0 +1,54 @@
+import os
+from unittest import mock
+
+import pytest
+from pydantic import ValidationError
+
+from app.config import Settings
+
+
+class TestSettingsValidation:
+    def test_secret_key_missing(self):
+        with mock.patch.dict(os.environ, {}, clear=True):
+            with pytest.raises(ValidationError) as exc_info:
+                Settings()
+            
+            errors = exc_info.value.errors()
+            assert len(errors) == 1
+            assert errors[0]["loc"] == ("SECRET_KEY",)
+            assert "JWT_SECRET_KEY environment variable must be set" in errors[0]["msg"]
+
+    def test_secret_key_too_short(self):
+        with mock.patch.dict(os.environ, {"JWT_SECRET_KEY": "short_key"}, clear=True):
+            with pytest.raises(ValidationError) as exc_info:
+                Settings()
+            
+            errors = exc_info.value.errors()
+            assert len(errors) == 1
+            assert errors[0]["loc"] == ("SECRET_KEY",)
+            assert "JWT_SECRET_KEY must be at least 32 characters long" in errors[0]["msg"]
+
+    def test_secret_key_default_placeholder(self):
+        test_cases = ["your_secret_key_here", "default_secret_key"]
+        
+        for placeholder in test_cases:
+            with mock.patch.dict(os.environ, {"JWT_SECRET_KEY": placeholder}, clear=True):
+                with pytest.raises(ValidationError) as exc_info:
+                    Settings()
+                
+                errors = exc_info.value.errors()
+                assert len(errors) == 1
+                assert errors[0]["loc"] == ("SECRET_KEY",)
+                assert "JWT_SECRET_KEY must not use default placeholder values" in errors[0]["msg"]
+
+    def test_secret_key_valid(self):
+        valid_key = "a" * 32  # 32 character key
+        with mock.patch.dict(os.environ, {"JWT_SECRET_KEY": valid_key}, clear=True):
+            settings = Settings()
+            assert settings.SECRET_KEY == valid_key
+
+    def test_secret_key_longer_than_minimum(self):
+        long_key = "a" * 64  # 64 character key
+        with mock.patch.dict(os.environ, {"JWT_SECRET_KEY": long_key}, clear=True):
+            settings = Settings()
+            assert settings.SECRET_KEY == long_key