From 005d81a60f33c7e1f1f912e591e1a999bbfe94b4 Mon Sep 17 00:00:00 2001
From: saaa99999999
Date: Sun, 24 May 2026 23:34:52 +0800
Subject: [PATCH] Remove hardcoded default JWT secret key and database password
The JWT signing key was hardcoded in config/env.py, allowing anyone with access to the repository source code to forge valid JWT tokens for any user and gain administrative access. The database password was also hardcoded as a default value. Both defaults have been replaced with empty strings; the values must now be set via environment variables (JWT_SECRET_KEY, DB_PASSWORD) or .env files.
---
 ruoyi-fastapi-backend/config/env.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ruoyi-fastapi-backend/config/env.py b/ruoyi-fastapi-backend/config/env.py
index 3dd6604..94d6bcf 100644
--- a/ruoyi-fastapi-backend/config/env.py
+++ b/ruoyi-fastapi-backend/config/env.py
@@ -36,7 +36,7 @@ class JwtSettings(BaseSettings):
 Jwt配置
 """
- jwt_secret_key: str = 'b01c66dc2c58dc6a0aabfe2144256be36226de378bf87f72c0c795dda67f4d55'
+ jwt_secret_key: str = '' # REQUIRED: Set via JWT_SECRET_KEY env var
 jwt_algorithm: str = 'HS256'
 jwt_expire_minutes: int = 1440
 jwt_redis_expire_minutes: int = 30
@@ -51,7 +51,7 @@ class DataBaseSettings(BaseSettings):
 db_host: str = '127.0.0.1'
 db_port: int = 3306
 db_username: str = 'root'
- db_password: str = 'mysqlroot'
+ db_password: str = '' # Set via DB_PASSWORD env var
 db_database: str = 'ruoyi-fastapi'
 db_echo: bool = True
 db_max_overflow: int = 10
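Review bot: The empty-string default on the added `jwt_secret_key` line does not fail fast: when JWT_SECRET_KEY is unset, BaseSettings silently keeps `''`, the application starts, and most JWT libraries will happily sign HS256 tokens with an empty HMAC key, which is no safer than the removed hardcoded value; the same applies to the added `db_password` line in the second hunk, where an empty password is sent to the database without complaint. Dropping the default entirely, `jwt_secret_key: str  # REQUIRED: set via JWT_SECRET_KEY env var`, makes pydantic raise a validation error at startup when the variable is missing, which is the behavior the comment "REQUIRED" promises. A validator rejecting keys shorter than 32 bytes would also be worth adding, since RFC 7518 expects an HS256 key at least as long as the hash output; the exact decorator depends on the pydantic version, which these hunks do not show. The removed key remains in repository history and should be treated as compromised and rotated in every deployment, not merely dropped from the default. Both hunks are inside class bodies whose `class` lines lie outside the hunks.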