fix(config): harden default JWT secret
Replace known development JWT secret placeholders with an ephemeral runtime secret during config loading. Return LoadInfo so startup can warn when token persistence depends on a stable configured secret. Update config docs and tests for default, legacy placeholder, custom, env, and empty secret behavior.
This commit is contained in:
+3
-1
@@ -28,6 +28,8 @@ log:
|
||||
file_level: debug # file: debug, info, warn, error
|
||||
|
||||
jwt:
|
||||
secret: change-me-in-production
|
||||
# Development placeholder. MyGO replaces this with an ephemeral runtime
|
||||
# secret at startup; set a stable value for production.
|
||||
secret: dev-secret-do-not-use-in-production
|
||||
access_ttl: 15m
|
||||
refresh_ttl: 168h
|
||||
|
||||
Reference in New Issue
Block a user