fix: remove hardcoded secrets and use cryptographic randomness
CRITICAL fixes:
- Remove hardcoded private key from .env.test, add to .gitignore
- Remove hardcoded JWT fallback secrets — fail if JWT_SECRET not set
- Replace Math.random() challenge generation with crypto.randomBytes() (server) and crypto.getRandomValues() (browser)
Note: the committed private key d217c1ff...ceecf should be considered
compromised and rotated. Use git-filter-branch or BFG to remove from
history if needed.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>