Fix JWT secret validation and deployment guidance

[osama1998H]

Summary

• Reject blank, short, and known placeholder JWT_SECRET values during config load
• Require operator-supplied JWT_SECRET values in Docker Compose and update docs to use openssl rand -hex 32
• Mark security report finding 9 as remediated and add regression coverage for config validation

Type of change

• Bug fix
• Documentation update

Related issues

• Closes feat: add Helm chart and Kubernetes manifests for horizontal scaling #9

Changes

• Remove the late startup empty-only JWT_SECRET check from main and fail fast in config loading instead
• Add JWT secret normalization and placeholder detection tests to protect against weak/default secrets
• Update README, .env.example, and scaling docs to document generating one shared secret and reusing it across instances

Testing

• Unit tests added/updated
• Integration tests pass (go test ./...)
• Manually tested with docker compose up
• Not run (not requested)

Summary by CodeRabbit

• Chores

  • Pinned Go toolchain to 1.24.7 across builds and local setup.
  • Upgraded golang-migrate CLI to v4.19.1.
  • Changed default local server URL to use port 8080 (affects generated email links).
  • Adjusted CI test runtime configuration.

• Documentation

  • Updated docs to reflect Go 1.24.7 requirement.

• Tests

  • Hardened a JWT-related unit test to use a more robust tampering approach.

[coderabbitai]

Caution

Review failed

The pull request is closed.

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 01a13975-8aea-4958-8a2f-132faff75bf6

📥 Commits

Reviewing files that changed from the base of the PR and between 0c52b89 and 2faba35.

📒 Files selected for processing (1)

• pkg/token/jwt_test.go

---

📝 Walkthrough

Walkthrough

Pinning and configuration updates: default APP_BASE_URL changed to use port 8080; Go and golang-migrate tool versions pinned to 1.24.7 and v4.19.1 across Dockerfile, Makefile, and CI; CI JWT_SECRET value adjusted; a unit test’s token-tampering logic was modified; docs updated to reflect version pins.

Changes

Cohort / File(s)	Summary
Environment & Config \.env\.example	Changed APP_BASE_URL default from http://localhost:3000 to http://localhost:8080 (affects generated email links).
CI / Tooling / Build .github/workflows/ci.yml, Makefile, Dockerfile	Pinned golang-migrate to v4.19.1 (CI & Makefile), updated CI JWT_SECRET test value, and fixed builder base image to golang:1.24.7-alpine.
Documentation CONTRIBUTING.md, README.md	Updated Go requirement/version strings from 1.24 to 1.24.7+ (docs only).
Tests pkg/token/jwt_test.go	Modified tampering approach in TestMaker_VerifyAccessToken_TamperedToken to corrupt the JWT signature segment explicitly and validate token segment structure.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 A little hop between ports and pins,

8080 now greets our local wins.
Go fixed, migrate set in line,
Tests nibble signatures just fine.
Cheers — we version, tidy, and shine! ✨

🚥 Pre-merge checks | ✅ 1 | ❌ 4

❌ Failed checks (4 warnings)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The title references JWT secret validation and deployment guidance, but the actual changes involve version pinning (Go, golang-migrate), environment variable updates, and documentation edits—not JWT validation code changes.	Revise the title to accurately reflect the primary changes: 'Pin Go version to 1.24.7 and golang-migrate to v4.19.1' or similar, as the JWT secret validation mentioned in the title is not implemented in these code changes.
Description check	⚠️ Warning	The description claims JWT secret validation, rejection of placeholder values, and regression tests were added, but the raw_summary shows only version pinning and environment variable updates with no JWT validation code changes present.	Update the description to match the actual changes: version pinning for Go (1.24.7) and golang-migrate (v4.19.1), environment variable updates, and documentation clarifications, removing claims about JWT secret validation code.
Linked Issues check	⚠️ Warning	Issue #9 requires Helm charts, Kubernetes manifests, HPA, PodDisruptionBudget, and security hardening, but the PR only contains version pinning, environment variable updates, and documentation changes with no Kubernetes deployment tooling.	Implement the Helm chart, Kubernetes manifests, HPA, PodDisruptionBudget, security policies, and deployment guidance described in issue #9 requirements.
Out of Scope Changes check	⚠️ Warning	All changes (Go/migrate version pinning, JWT_SECRET environment variable update, documentation) are incidental infrastructure/environment updates unrelated to the linked issue #9's Kubernetes deployment tooling requirements.	Remove version pinning and environment variable changes from this PR, or create a separate infrastructure maintenance PR; this PR should focus exclusively on Kubernetes deployment implementation from issue #9.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch dependency-and-sdk-drift

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

Makefile (1)

77-79: Consider pinning all setup tools consistently.

migrate is pinned to v4.19.1, but goimports and swag use @latest, allowing setup to drift over time. Stable versions are available (goimports v0.43.0, swag v1.16.3) and could be pinned for reproducibility.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Makefile` around lines 77 - 79, The Makefile currently pins migrate to
v4.19.1 but installs goimports and swag with `@latest`, which allows unpredictable
changes; update the go install lines for golang.org/x/tools/cmd/goimports and
github.com/swaggo/swag/cmd/swag to use fixed versions (e.g., goimports v0.43.0
and swag v1.16.3) instead of `@latest` so all setup tools (migrate, goimports,
swag) are consistently pinned for reproducible builds.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 49-50: The workflow currently downloads and moves the migrate
binary without verifying integrity; update the CI steps that call curl and sudo
mv (the lines downloading migrate.linux-amd64.tar.gz and moving migrate) to also
download the corresponding sha256sum.txt from the same GitHub release, verify
the tarball with sha256sum -c (or an equivalent sha256 check) before extracting,
and only proceed to tar xvz and sudo mv migrate /usr/local/bin/ if the checksum
verification succeeds; ensure you reference the release's sha256sum.txt and the
archive name migrate.linux-amd64.tar.gz when adding the verification step.

---

Nitpick comments:
In `@Makefile`:
- Around line 77-79: The Makefile currently pins migrate to v4.19.1 but installs
goimports and swag with `@latest`, which allows unpredictable changes; update the
go install lines for golang.org/x/tools/cmd/goimports and
github.com/swaggo/swag/cmd/swag to use fixed versions (e.g., goimports v0.43.0
and swag v1.16.3) instead of `@latest` so all setup tools (migrate, goimports,
swag) are consistently pinned for reproducible builds.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: ac1f425b-9ad2-4f38-b971-af13463c0364

📥 Commits

Reviewing files that changed from the base of the PR and between c3cc9df and 0c52b89.

📒 Files selected for processing (6)

• .env.example
• .github/workflows/ci.yml
• CONTRIBUTING.md
• Dockerfile
• Makefile
• README.md

[coderabbitai]

⚠️ Potential issue | 🟠 Major

❓ Verification inconclusive

Script executed:

#!/bin/bash
# Verify release assets available for the pinned tag
set -euo pipefail
gh api repos/golang-migrate/migrate/releases/tags/v4.19.1 --jq '.assets[].name'

Repository: osama1998H/uniauth

---

Repository: osama1998H/uniauth
Exit code: 1

stdout:

{
  "message": "Bad credentials",
  "documentation_url": "https://docs.github.com/rest",
  "status": "401"
}

stderr:

gh: Bad credentials (HTTP 401)

---

Script executed:

# Check migrate v4.19.1 release assets via GitHub API
curl -s "https://api.github.com/repos/golang-migrate/migrate/releases/tags/v4.19.1" | jq -r '.assets[] | .name' 2>/dev/null | head -20

Repository: osama1998H/uniauth

---

Repository: osama1998H/uniauth
Exit code: 0

stdout:

migrate-4.19.1.zip
migrate.darwin-amd64.tar.gz
migrate.darwin-arm64.tar.gz
migrate.linux-386.deb
migrate.linux-386.tar.gz
migrate.linux-amd64.deb
migrate.linux-amd64.tar.gz
migrate.linux-arm64.deb
migrate.linux-arm64.tar.gz
migrate.linux-armv7.deb
migrate.linux-armv7.tar.gz
migrate.windows-386.zip
migrate.windows-amd64.zip
migrate.windows-arm64.zip
migrate.windows-armv7.zip
sha256sum.txt

---

Script executed:

# Also inspect the actual workflow file to see full context around lines 49-50
cat -n .github/workflows/ci.yml | sed -n '40,60p'

Repository: osama1998H/uniauth

---

Repository: osama1998H/uniauth
Exit code: 0

stdout:

    40	      - uses: actions/checkout@v4
    41	
    42	      - uses: actions/setup-go@v5
    43	        with:
    44	          go-version-file: go.mod
    45	          cache: true
    46	
    47	      - name: Install migrate
    48	        run: |
    49	          curl -L https://github.com/golang-migrate/migrate/releases/download/v4.19.1/migrate.linux-amd64.tar.gz | tar xvz
    50	          sudo mv migrate /usr/local/bin/
    51	
    52	      - name: Run migrations
    53	        run: migrate -path migrations -database "postgres://uniauth:uniauth@localhost:5432/uniauth_test?sslmode=disable" up
    54	
    55	      - name: Run tests
    56	        env:
    57	          DATABASE_URL: postgres://uniauth:uniauth@localhost:5432/uniauth_test?sslmode=disable
    58	          REDIS_URL: redis://localhost:6379/0
    59	          JWT_SECRET: test-secret-key-for-ci-32-charsx
    60	        run: go test ./... -race -timeout 120s

---

Fix checksum verification for migrate binary download.

The workflow downloads the migrate binary without integrity verification, which creates a supply-chain risk. The GitHub release provides a sha256sum.txt file for verification.

🔐 Suggested hardening patch

-          curl -L https://github.com/golang-migrate/migrate/releases/download/v4.19.1/migrate.linux-amd64.tar.gz | tar xvz
-          sudo mv migrate /usr/local/bin/
+          MIGRATE_VERSION=v4.19.1
+          ARCHIVE=migrate.linux-amd64.tar.gz
+          curl -fsSLo "$ARCHIVE" "https://github.com/golang-migrate/migrate/releases/download/${MIGRATE_VERSION}/${ARCHIVE}"
+          curl -fsSLo sha256sum.txt "https://github.com/golang-migrate/migrate/releases/download/${MIGRATE_VERSION}/sha256sum.txt"
+          grep " ${ARCHIVE}$" sha256sum.txt | sha256sum -c -
+          tar -xzf "$ARCHIVE" migrate
+          sudo install -m 0755 migrate /usr/local/bin/migrate

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	curl -L https://github.com/golang-migrate/migrate/releases/download/v4.19.1/migrate.linux-amd64.tar.gz | tar xvz
	sudo mv migrate /usr/local/bin/
	MIGRATE_VERSION=v4.19.1
	ARCHIVE=migrate.linux-amd64.tar.gz
	curl -fsSLo "$ARCHIVE" "https://github.com/golang-migrate/migrate/releases/download/${MIGRATE_VERSION}/${ARCHIVE}"
	curl -fsSLo sha256sum.txt "https://github.com/golang-migrate/migrate/releases/download/${MIGRATE_VERSION}/sha256sum.txt"
	grep " ${ARCHIVE}$" sha256sum.txt | sha256sum -c -
	tar -xzf "$ARCHIVE" migrate
	sudo install -m 0755 migrate /usr/local/bin/migrate

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In @.github/workflows/ci.yml around lines 49 - 50, The workflow currently
downloads and moves the migrate binary without verifying integrity; update the
CI steps that call curl and sudo mv (the lines downloading
migrate.linux-amd64.tar.gz and moving migrate) to also download the
corresponding sha256sum.txt from the same GitHub release, verify the tarball
with sha256sum -c (or an equivalent sha256 check) before extracting, and only
proceed to tar xvz and sudo mv migrate /usr/local/bin/ if the checksum
verification succeeds; ensure you reference the release's sha256sum.txt and the
archive name migrate.linux-amd64.tar.gz when adding the verification step.