fix(config): harden default JWT secret

Replace known development JWT secret placeholders with an ephemeral runtime secret during config loading.

Return LoadInfo so startup can warn when token persistence depends on a stable configured secret.

Update config docs and tests for default, legacy placeholder, custom, env, and empty secret behavior.
This commit is contained in:
2026-07-05 13:25:44 +08:00
parent 7b6587a951
commit 5eeb37389b
6 changed files with 131 additions and 16 deletions
+3 -1
View File
@@ -28,6 +28,8 @@ log:
file_level: debug # file: debug, info, warn, error
jwt:
secret: change-me-in-production
# Development placeholder. MyGO replaces this with an ephemeral runtime
# secret at startup; set a stable value for production.
secret: dev-secret-do-not-use-in-production
access_ttl: 15m
refresh_ttl: 168h