[Security]: Hardcoded JWT secret and authentication bypass vulnerabilities

[vipul674]

Summary

Two critical security vulnerabilities exist in the authentication layer:

1. Hardcoded JWT Secret (src/middleware/authMiddleware.js:3): The JWT signing secret is hardcoded as "jwt_secret_key" in source code. Anyone with repo access can forge valid tokens and bypass authentication entirely.

2. Authentication Bypass (server.js:716-738): The requireSupabaseAuth middleware skips JWT verification when SUPABASE_JWT_SECRET is not set. An attacker can send any arbitrary Bearer token and the request is accepted without cryptographic validation.

Steps to reproduce

1. Start the server without setting SUPABASE_JWT_SECRET environment variable
2. Send a POST request to /process-from-url with header Authorization: Bearer any-random-string
3. The request is accepted and processed without valid JWT verification

Expected behavior

The server should reject requests with invalid or missing JWT tokens, even when SUPABASE_JWT_SECRET is not configured. The hardcoded JWT secret should be read from environment variables, not source code.

Actual behavior

When SUPABASE_JWT_SECRET is not set, the middleware accepts any Bearer token without verification. The hardcoded JWT secret is committed to the repository, making it accessible to anyone with read access.

Additional context

• Severity: Critical (CVSS 9.1 - Network/Low/None/Changed/High/High)
• CWE: CWE-798 (Use of Hard-coded Credentials), CWE-287 (Improper Authentication)
• Affected files: src/middleware/authMiddleware.js, server.js

---

GSSoC '26 Assignment Request

"I'd like to work on this — contributing under GSSoC'26"

[vipul674]

/claim

[vipul674]

@FireFistisDead I have tested the project and found a bug, can you please assign me this issue

[Namraa310806]

@vipul674 Already Done
Check #298

[vipul674]

Thanks for pointing to #298. I checked it, and that PR fixes the hardcoded JWT secret in authMiddleware.js, but the authentication bypass in server.js still remains when SUPABASE_JWT_SECRET is unset. So #342 is only partially overlapping, not a full duplicate.

[smirk-dev]

Hi! I'd like to work on fixing the remaining auth bypass vulnerability as part of GSSoC 2026.

Based on the thread, PR #298 handles the hardcoded JWT secret in authMiddleware.js, but the requireSupabaseAuth function in server.js (lines 716-738) still silently skips verification when SUPABASE_JWT_SECRET is not set, which means any Bearer token gets accepted.

My fix for this remaining issue:

• Add an explicit startup check: if SUPABASE_JWT_SECRET is missing, throw an error and refuse to start rather than falling back to a pass-through
• In requireSupabaseAuth, if the env var is not present at request time, return HTTP 500 with a server misconfiguration message instead of silently passing the request through
• Add a test case that sends a request with a random Bearer token when the secret is unset and confirms the server rejects it

I work with Node.js backends and have experience with JWT authentication patterns. Could you assign this to me?