Home Explore Help
Sign In
yunoadmin
/
bambuddy
mirror of https://github.com/maziggy/bambuddy
1
0
Fork 0
Files Issues 0 Wiki
Browse Source

Document intentional JWT secret storage (CodeQL Alert #69)

Add explanatory comment for CodeQL alert about clear-text storage
of JWT secret. This is intentional and secure:
- JWT secrets must be readable by the application
- File permissions set to 0600 (owner read/write only)
- Standard practice for self-hosted apps (same as .env files)

The alert should be dismissed in GitHub Security tab as "Won't fix".
maziggy 3 months ago
parent
49b2252432
commit
09a405123a
1 changed files with 4 additions and 1 deletions
Split View Show Diff Stats
  1. 4 1
      backend/app/core/auth.py

+ 4 - 1
backend/app/core/auth.py
View File 

@@ -72,7 +72,10 @@ def _get_jwt_secret() -> str:
 
     # Try to save it
 
     try:
 
         data_dir.mkdir(parents=True, exist_ok=True)
 
-        secret_file.write_text(new_secret)
 
+        # Note: CodeQL flags this as "clear-text storage of sensitive information" but this is
 
+        # intentional and secure - JWT secrets must be readable by the app, we set 0600 permissions,
 
+        # and this is standard practice for self-hosted applications (same as .env files).
 
+        secret_file.write_text(new_secret)  # nosec B105 - intentional secure storage
 
         # Restrict permissions (owner read/write only)
 
         secret_file.chmod(0o600)
 
         logger.info("Generated new JWT secret and saved to %s", secret_file)