fix: remove SECRET_TOKEN static API key requirement (#479)

Users create their own API tokens via /tokens/generate (stored in
FalkorDB), so the static SECRET_TOKEN env var is redundant. Removes:
- The SECRET_TOKEN module-level variable and hmac check in validate_user
- The hmac import (no longer needed)
- All references in .env.example, CI workflows, and test conftest

Reverts the hard requirement introduced in #476.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: gkorland

.env.example

@@ -44,9 +44,9 @@ FALKORDB_URL=redis://localhost:6379/0  # REQUIRED - change to your FalkorDB URL
 # -----------------------------
 # API / secret tokens
 # -----------------------------
-# REQUIRED: static bearer token for internal / programmatic API access.
-# The server refuses to start when this is missing.
-SECRET_TOKEN=your_secret_token
+# Optional: static bearer token for internal / programmatic API access.
+# When set, this token is accepted as a "master" API key.
+# When unset, only user-generated tokens are accepted.
 # SECRET_TOKEN_ERP=your_erp_token
 
 # -----------------------------

.github/workflows/playwright.yml

@@ -136,7 +136,6 @@ jobs:
       env:
         PYTHONUNBUFFERED: 1
         FASTAPI_SECRET_KEY: test-secret-key-for-ci
-        SECRET_TOKEN: test-secret-token-for-ci
         APP_ENV: development
         FASTAPI_DEBUG: False
         FALKORDB_URL: redis://localhost:6379

api/auth/user_management.py

@@ -1,7 +1,6 @@
 """User management and authentication functions for text2sql API."""
 
 import base64
-import hmac
 import logging
 import os
 import secrets
@@ -20,16 +19,6 @@
         "FASTAPI_SECRET_KEY not set, using generated key. Set this in production!"
     )
 
-# Static API token for internal / programmatic access.
-# REQUIRED: the server refuses to start when this is missing so that
-# an unconfigured deployment never silently disables authentication.
-SECRET_TOKEN: str = os.environ.get("SECRET_TOKEN", "")
-if not SECRET_TOKEN:
-    raise RuntimeError(
-        "SECRET_TOKEN environment variable is required but not set. "
-        "Set it to a strong, random value before starting the server."
-    )
-
 
 class IdentityInfo(BaseModel):
     """
@@ -249,15 +238,6 @@ async def validate_user(request: Request) -> Tuple[Optional[Dict[str, Any]], boo
         if not api_token:
             return None, False
 
-        # Accept the static SECRET_TOKEN for internal / programmatic access.
-        # Uses constant-time comparison to prevent timing attacks.
-        if hmac.compare_digest(api_token, SECRET_TOKEN):
-            return {
-                "email": "api@internal",
-                "name": "API",
-                "picture": None,
-            }, True
-
         db_info = await _get_user_info(api_token)
 
         if db_info:

tests/conftest.py

@@ -4,10 +4,6 @@
 import subprocess
 import time
 
-# SECRET_TOKEN must be set before any test imports api.index (which triggers
-# app creation and the startup SECRET_TOKEN requirement check).
-os.environ.setdefault("SECRET_TOKEN", "test-secret-token")
-
 import pytest  # pylint: disable=wrong-import-position
 import requests  # pylint: disable=wrong-import-position
 
@@ -31,7 +27,6 @@ def fastapi_app():
         'GOOGLE_CLIENT_SECRET': 'test-google-client-secret',
         'GITHUB_CLIENT_ID': 'test-github-client-id',
         'GITHUB_CLIENT_SECRET': 'test-github-client-secret',
-        'SECRET_TOKEN': 'test-secret-token',
         'ENABLE_TEST_AUTH': 'true',  # Enable test auth bypass for E2E tests
     }
     for var, default in env_defaults.items():