Hardcoding the JWT secret key can lead to arbitrary users spoofing tokens.

**Description:** Hardcoding the JWT secret key can lead to arbitrary users spoofing tokens. Since the travels-java-api is an open-source project, others can easily obtain the JWT secret key of travels-java-api. This allows them to use the JWT secret key to generate arbitrary JWT tokens and gain access to any user's permissions.

**Fix Suggestion:** Generate a random JWT secret key during project initialization and store it in the database.

**test code:**
![image](https://github.com/user-attachments/assets/65bdcf90-8bf3-4b36-81e8-8867199bcc9f)
file: 
travels-java-api-master\src\main\java\io\github\mariazevedo88\travelsjavaapi\filters\JwtAuthenticationTokenFilter.java
![image](https://github.com/user-attachments/assets/dbe12b26-e708-45c4-8d6a-5110f4ee2264)
![image](https://github.com/user-attachments/assets/04d5eed3-269f-4715-bbb9-c488bf462a29)




Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Hardcoding the JWT secret key can lead to arbitrary users spoofing tokens. #23

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Hardcoding the JWT secret key can lead to arbitrary users spoofing tokens. #23

Description

Metadata

Metadata

Assignees

Labels

Projects

Milestone

Relationships

Development

Issue actions