fix: require explicit production jwt secrets #26
thunderavi left a comment
Hi @sahilsultane, thanks for the PR. The overall approach is good and CI is passing, but I found one security blocker before merge.
In .env.example, these placeholder secrets are added:
REFRESH_TOKEN_SECRET=your-refresh-secret-here-change-in-production
JWT_REFRESH_SECRET=your-jwt-refresh-secret-here-change-in-production
Right now validateJwtSecret() accepts both in production because they are longer than 32 characters and are not included in KNOWN_DEFAULTS.
Please fix this by either:
- adding these exact placeholder values to KNOWN_DEFAULTS, or
- adding generic placeholder detection for values like your-*, *-change-in-production, replace-me, change-this, etc.
Also add/update tests to confirm these refresh-token placeholders are rejected in production.
After this fix and green CI, we can approve and merge.
thunderavi left a comment
Hi @sahilsultane, thanks for updating the PR and addressing the security review feedback.
I reviewed the latest approach. The placeholder JWT secret detection is now added, the refresh-token placeholders are rejected in production, and the new tests cover the requested cases.
I also verified locally:
npm test -- tests/unit/jwtSecretValidator.test.js --runInBand
npm run verify
npm run typecheck
npm test -- --runInBand
All passed locally. Approving this PR now.
Please star the project. It is necessary for me because it helps the repository reach more contributors and supports the project visibility.
Hi @sahilsultane, your PR has been reviewed and merged. Thank you for the clean security contribution. Please star⭐ the repository as well. It is important for me because it helps the project reach more contributors and grow in the open-source community.
Summary
This PR fixes insecure JWT secret fallback behavior across authentication-related modules.
Closes #10
What Changed
- Added centralized JWT secret validation helper
- Removed unsafe default JWT secrets in production mode
- Added validation for:
- Preserved development-mode compatibility with warnings/ephemeral secrets
- Updated: core/auth.js, core/realtime.js, core/enterpriseAuth.js
- Added comprehensive test coverage for production and development scenarios
- Updated .env.example with stronger secret guidance
Testing
Successfully passed:
Security Impact
Production deployments now fail fast when insecure JWT secrets are configured, preventing predictable-token vulnerabilities caused by framework default secrets.
GSSoC 2026
Please add:
- gssoc
- gssoc-approved
- quality clean
- security
- enhancement
- level: critical