lib/jwt.ts falls back to a hardcoded secret and a live legacy session route trusts a bearer cookie — token forgery

[3m1n3nc3]

Description

app/lib/jwt.ts signs and verifies tokens with a publicly known constant whenever NEXTAUTH_SECRET is unset:

const secret = new TextEncoder().encode(
  process.env.NEXTAUTH_SECRET || "your-secret-key-change-in-production",
);

This is a parallel token system to the NextAuth session the UI actually uses. The deprecated-but-still-live GET /api/.../(auth)/session route verifies a token taken from the Authorization header or a token/auth-token cookie via this module and returns full user data. In any deployment missing NEXTAUTH_SECRET, an attacker can forge a token for any user and read their data through this route. (Note: lib/auth-config.ts was already fixed to use process.env.NEXTAUTH_SECRET with no fallback — lib/jwt.ts still has the footgun.)

More info

• File: app/lib/jwt.ts (approx. lines 3-5)
• File: app/app/(auth)/session/route.ts (cookie/bearer token path, approx. line 18)
• Remove the hardcoded fallback and fail fast at startup if NEXTAUTH_SECRET is missing.
• Remove the legacy session route and the token/auth-token cookie path, or reconcile it with the NextAuth session model.
• Add a CI check ensuring NEXTAUTH_SECRET is present in production config.

[Menjay7]

Hi! I came across this issue and would love to work on it. I have experience with similar tasks and I'm confident I can investigate, implement a clean solution, and thoroughly test it before submitting a PR. If the issue is still open, I would appreciate it if you could assign it to me. Thank you!

[HassanKorey]

@HassanKorey has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

Hi, maintainer. Kindly assign me this task.

ℹ️ Repo Maintainers: To accept this application, review their application or assign @HassanKorey to this issue.

[Ajibose]

@Ajibose has applied to work on this issue as part of the Stellar Wave Program's 6th wave.

Can i work on this, Maintainer

ℹ️ Repo Maintainers: To accept this application, review their application or assign @Ajibose to this issue.

[drips-wave]

Congratulations, @HassanKorey! 🎉 Your application was accepted by the repo's maintainers, and the issue is due on June 30, 2026.

🧑‍💻 @HassanKorey: Please resolve the issue such that the repo's maintainers have enough time to review your contribution before the due date. You'll earn Points for completing the issue on-time, which will make you eligible for a share of the Stellar Wave Program's reward pool.

Warning

When opening a PR, please link it to this issue to ensure it gets tracked accurately. Points are awarded when this issue is marked as completed by the maintainer.

🤠 Repo maintainers: Please keep an eye on the contributor's progress and review their work before the due date. You can manage this issue, including adjusting its complexity and points, here.

🌊 Happy Wave 🌊