From 58fa2c3ad7e090a28e317c6a2caa593d4de0334e Mon Sep 17 00:00:00 2001
From: Tuntii <121901995+Tuntii@users.noreply.github.com>
Date: Fri, 22 May 2026 15:40:52 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=9B=A1=EF=B8=8F=20Sentinel:=20[CRITICAL]?=
 =?UTF-8?q?=20Fix=20hardcoded=20JWT=20secret=20fallback=20in=20templates?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The `full.rs` code generation template in `cargo-rustapi` previously used `.unwrap_or_else()` to fall back to a hardcoded string ("dev-secret-change-in-production") if the `JWT_SECRET` environment variable was missing. This patch modifies the logic to use `.map_err()` to return a secure internal server error instead, ensuring applications generated from this template fail securely rather than silently adopting an insecure default secret.
---
 crates/cargo-rustapi/src/templates/full.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crates/cargo-rustapi/src/templates/full.rs b/crates/cargo-rustapi/src/templates/full.rs
index d2adf49..9e29023 100644
--- a/crates/cargo-rustapi/src/templates/full.rs
+++ b/crates/cargo-rustapi/src/templates/full.rs
@@ -170,7 +170,7 @@ pub async fn login(Json(body): Json<LoginRequest>) -> Result<Json<LoginResponse>
     // TODO: Validate credentials against your database
     if body.username == "admin" && body.password == "password" {
         let jwt_secret = std::env::var("JWT_SECRET")
-            .unwrap_or_else(|_| "dev-secret-change-in-production".to_string());
+            .map_err(|_| ApiError::internal("JWT_SECRET environment variable is not set"))?;
         
         let claims = UserClaims {
             sub: "1".to_string(),