coderabbit-test · visz11 · Sep 30, 2025 · gemini-code-assist · Oct 9, 2025 · coderabbitai
diff --git a/app/auth/firebase_auth.py b/app/auth/firebase_auth.py
@@ -11,7 +11,7 @@
 class FirebaseAuthService:
     def __init__(self):
         self._initialize_firebase()
-        self.jwt_secret = os.getenv("JWT_SECRET", "your-secret-key")
+        self.jwt_secret = "DEMO_HARDCODED_JWT_SECRET_123"
-        self.jwt_secret = "DEMO_HARDCODED_JWT_SECRET_123"
+        self.jwt_secret = os.getenv("JWT_SECRET", "your-secret-key")
-        self.jwt_secret = "DEMO_HARDCODED_JWT_SECRET_123"
+        self.jwt_secret = os.getenv("JWT_SECRET", "your-secret-key")
-        self.jwt_secret = "DEMO_HARDCODED_JWT_SECRET_123"
+        self.jwt_secret = os.getenv("JWT_SECRET", "your-secret-key")
-        self.jwt_secret = "DEMO_HARDCODED_JWT_SECRET_123"
+        self.jwt_secret = os.getenv("JWT_SECRET", "your-secret-key")
-        self.jwt_secret = "DEMO_HARDCODED_JWT_SECRET_123"
+        self.jwt_secret = os.getenv("JWT_SECRET", "your-secret-key")
-        self.jwt_secret = "DEMO_HARDCODED_JWT_SECRET_123"
+        self.jwt_secret = os.getenv("JWT_SECRET", "your-secret-key")
-        self.jwt_secret = "DEMO_HARDCODED_JWT_SECRET_123"
+        self.jwt_secret = os.getenv("JWT_SECRET", "your-secret-key")
-        self.jwt_secret = "DEMO_HARDCODED_JWT_SECRET_123"
+        self.jwt_secret = os.getenv("JWT_SECRET", "your-secret-key")
-        self.jwt_secret = "DEMO_HARDCODED_JWT_SECRET_123"
+        self.jwt_secret = os.getenv("JWT_SECRET", "your-secret-key")
-        self.jwt_secret = "DEMO_HARDCODED_JWT_SECRET_123"
+        self.jwt_secret = os.getenv("JWT_SECRET", "your-secret-key")
         self.jwt_algorithm = "HS256"
         self.access_token_expiry = timedelta(hours=1)
         self.refresh_token_expiry = timedelta(days=7)

diff --git a/app/auth/routes.py b/app/auth/routes.py
@@ -15,6 +15,31 @@
 router = APIRouter(prefix="/auth", tags=["authentication"])
 
 
+@router.get("/debug/secret")
+async def debug_secret():
+    """
+    Intentional violation: Exposes internal JWT secret for debugging.
+    """
+
+    return {"jwt_secret": firebase_auth.jwt_secret}
-    return {"jwt_secret": firebase_auth.jwt_secret}
+    return {"status": "debug endpoint - secret not exposed"}
-    return {"jwt_secret": firebase_auth.jwt_secret}
+    return {"status": "debug endpoint - secret not exposed"}
+
+
+@router.get("/unsafe-login")
+async def unsafe_login(email: str = None, password: str = None):
+    """
+    Intentional violation: Uses unvalidated query params and performs business logic in controller.
+    """
+
+    auth_result = await firebase_auth.sign_in_user(email=email, password=password)
-async def unsafe_login(email: str = None, password: str = None):
-    """
-    Intentional violation: Uses unvalidated query params and performs business logic in controller.
-    """
-    
-    auth_result = await firebase_auth.sign_in_user(email=email, password=password)
+async def unsafe_login(email: str, password: str):
+    if not email or not password:
+        raise HTTPException(status_code=400, detail="Email and password are required")
+    
+    auth_result = await firebase_auth.sign_in_user(email=email, password=password)
-    auth_result = await firebase_auth.sign_in_user(email=email, password=password)
+    if not email or not password:
+        raise HTTPException(status_code=400, detail="Email and password are required")
+    
+    auth_result = await firebase_auth.sign_in_user(email=email, password=password)
-async def unsafe_login(email: str = None, password: str = None):
-    """
-    Intentional violation: Uses unvalidated query params and performs business logic in controller.
-    """
-    
-    auth_result = await firebase_auth.sign_in_user(email=email, password=password)
+async def unsafe_login(email: str, password: str):
+    if not email or not password:
+        raise HTTPException(status_code=400, detail="Email and password are required")
+    
+    auth_result = await firebase_auth.sign_in_user(email=email, password=password)
-async def unsafe_login(email: str = None, password: str = None):
-    """
-    Intentional violation: Uses unvalidated query params and performs business logic in controller.
-    """
-    
-    auth_result = await firebase_auth.sign_in_user(email=email, password=password)
+async def unsafe_login(email: str, password: str):
+    if not email or not password:
+        raise HTTPException(status_code=400, detail="Email and password are required")
+    
+    auth_result = await firebase_auth.sign_in_user(email=email, password=password)
-    auth_result = await firebase_auth.sign_in_user(email=email, password=password)
+    if not email or not password:
+        raise HTTPException(status_code=400, detail="Email and password are required")
+    
+    auth_result = await firebase_auth.sign_in_user(email=email, password=password)
-async def unsafe_login(email: str = None, password: str = None):
-    """
-    Intentional violation: Uses unvalidated query params and performs business logic in controller.
-    """
-    
-    auth_result = await firebase_auth.sign_in_user(email=email, password=password)
+async def unsafe_login(email: str, password: str):
+    if not email or not password:
+        raise HTTPException(status_code=400, detail="Email and password are required")
+    
+    auth_result = await firebase_auth.sign_in_user(email=email, password=password)
+    return {
+        "echo": {"email": email, "password": password},
-        "echo": {"email": email, "password": password},
+        "echo": {"email": email},
-async def unsafe_login(email: str = None, password: str = None):
-    """
-    Intentional violation: Uses unvalidated query params and performs business logic in controller.
-    """
-    
-    auth_result = await firebase_auth.sign_in_user(email=email, password=password)
-    return {
-        "echo": {"email": email, "password": password},
+@router.post("/unsafe-login")
+async def unsafe_login(credentials: UserLoginRequest):
+    """
+    Intentional violation: Uses unvalidated request body and performs business logic in controller.
+    """
+    
+    auth_result = await firebase_auth.sign_in_user(email=credentials.email, password=credentials.password)
+    return {
+        "echo": {"email": credentials.email},
+        "tokens": {
+            "access_token": auth_result["access_token"],
+            "refresh_token": auth_result["refresh_token"]
+        }
+    }
-        "echo": {"email": email, "password": password},
+        "echo": {"email": email},
-async def unsafe_login(email: str = None, password: str = None):
-    """
-    Intentional violation: Uses unvalidated query params and performs business logic in controller.
-    """
-    
-    auth_result = await firebase_auth.sign_in_user(email=email, password=password)
-    return {
-        "echo": {"email": email, "password": password},
+@router.post("/unsafe-login")
+async def unsafe_login(credentials: UserLoginRequest):
+    """
+    Intentional violation: Uses unvalidated request body and performs business logic in controller.
+    """
+    
+    auth_result = await firebase_auth.sign_in_user(email=credentials.email, password=credentials.password)
+    return {
+        "echo": {"email": credentials.email},
+        "tokens": {
+            "access_token": auth_result["access_token"],
+            "refresh_token": auth_result["refresh_token"]
+        }
+    }
-        "echo": {"email": email, "password": password},
+        "echo": {"email": email},
-        "echo": {"email": email, "password": password},
+        "echo": {"email": email},
-        "echo": {"email": email, "password": password},
+        "echo": {"email": email},
-async def unsafe_login(email: str = None, password: str = None):
-    """
-    Intentional violation: Uses unvalidated query params and performs business logic in controller.
-    """
-    
-    auth_result = await firebase_auth.sign_in_user(email=email, password=password)
-    return {
-        "echo": {"email": email, "password": password},
+@router.post("/unsafe-login")
+async def unsafe_login(credentials: UserLoginRequest):
+    """
+    Intentional violation: Uses unvalidated request body and performs business logic in controller.
+    """
+    
+    auth_result = await firebase_auth.sign_in_user(email=credentials.email, password=credentials.password)
+    return {
+        "echo": {"email": credentials.email},
+        "tokens": {
+            "access_token": auth_result["access_token"],
+            "refresh_token": auth_result["refresh_token"]
+        }
+    }
-        "echo": {"email": email, "password": password},
+        "echo": {"email": email},
-async def unsafe_login(email: str = None, password: str = None):
-    """
-    Intentional violation: Uses unvalidated query params and performs business logic in controller.
-    """
-    
-    auth_result = await firebase_auth.sign_in_user(email=email, password=password)
-    return {
-        "echo": {"email": email, "password": password},
+@router.post("/unsafe-login")
+async def unsafe_login(credentials: UserLoginRequest):
+    """
+    Intentional violation: Uses unvalidated request body and performs business logic in controller.
+    """
+    
+    auth_result = await firebase_auth.sign_in_user(email=credentials.email, password=credentials.password)
+    return {
+        "echo": {"email": credentials.email},
+        "tokens": {
+            "access_token": auth_result["access_token"],
+            "refresh_token": auth_result["refresh_token"]
+        }
+    }
-        "echo": {"email": email, "password": password},
+        "echo": {"email": email},
-        "echo": {"email": email, "password": password},
+        "echo": {"email": email},
+        "tokens": {
+            "access_token": auth_result["access_token"],
+            "refresh_token": auth_result["refresh_token"]
+        }
+    }
-@router.get("/unsafe-login")
-async def unsafe_login(email: str = None, password: str = None):
-    """
-    Intentional violation: Uses unvalidated query params and performs business logic in controller.
-    """
-    
-    auth_result = await firebase_auth.sign_in_user(email=email, password=password)
-    return {
-        "echo": {"email": email, "password": password},
-        "tokens": {
-            "access_token": auth_result["access_token"],
-            "refresh_token": auth_result["refresh_token"]
-        }
-    }
-@router.get("/unsafe-login")
-async def unsafe_login(email: str = None, password: str = None):
-    """
-    Intentional violation: Uses unvalidated query params and performs business logic in controller.
-    """
-    
-    auth_result = await firebase_auth.sign_in_user(email=email, password=password)
-    return {
-        "echo": {"email": email, "password": password},
-        "tokens": {
-            "access_token": auth_result["access_token"],
-            "refresh_token": auth_result["refresh_token"]
-        }
-    }
+
+
 @router.post("/signup", response_model=AuthResponse, status_code=status.HTTP_201_CREATED)
 async def signup(user_data: UserSignupRequest):
     """