fix(auth): fail fast on blank JWT key + libargon2-dev in Dockerfile

Bulletdev · Bulletdev · commit a1952617dc15 · 2026-05-19T15:28:10.000-03:00
jwt 3.2.0 rejects nil/empty HMAC keys (CVE-2026-45363) if JWT_SECRET_KEY and secret_key_base are both absent, the old code would silently use nil and produce cryptic 401s at request time. Now raises at boot so Coolify catches it in deploy logs, not in prod. - jwt_service.rb: tap guard raises on blank SECRET_KEY at class load - Dockerfile: add libargon2-dev (required native dep for argon2 gem) - codeql.yml: add pull-requests: write (403 when commenting on PRs
diff --git a/.github/workflows/codeql.yml b/.github/workflows/codeql.yml
@@ -30,6 +30,7 @@ on:
 
 permissions:
   security-events: write  # upload SARIF para o Security tab
+  pull-requests: write    # postar comentario de resumo no PR
   packages: read
   actions: read
   contents: read
diff --git a/Dockerfile b/Dockerfile
@@ -8,6 +8,7 @@ RUN apt-get update -qq && apt-get install -y --no-install-recommends \
     build-essential \
     libpq-dev \
     libyaml-dev \
+    libargon2-dev \
     git \
     tzdata \
     curl \
diff --git a/app/modules/authentication/services/jwt_service.rb b/app/modules/authentication/services/jwt_service.rb
@@ -7,7 +7,11 @@
 # - Requires TokenBlacklist model with methods: blacklisted?(jti), add_to_blacklist(jti, expires_at)
 # - Requires User model with attributes: id, organization_id, role, email
 class JwtService
-  SECRET_KEY = ENV.fetch('JWT_SECRET_KEY') { Rails.application.secret_key_base }
+  # jwt >= 3.2.0 rejects nil/empty HMAC keys (CVE-2026-45363).
+  # Raise at boot time so a missing env var is caught immediately, not at first request.
+  SECRET_KEY = ENV.fetch('JWT_SECRET_KEY') { Rails.application.secret_key_base }.tap do |key|
+    raise 'JWT_SECRET_KEY / secret_key_base must not be blank' if key.blank?
+  end
   EXPIRATION_HOURS = ENV.fetch('JWT_EXPIRATION_HOURS', 24).to_i
   REFRESH_EXPIRATION_DAYS = ENV.fetch('JWT_REFRESH_EXPIRATION_DAYS', 7).to_i
 
