From 014e8c16cd28a5ac877cf025bb3d979fe4c476a0 Mon Sep 17 00:00:00 2001
From: AnyTng <44723227+AnyTng@users.noreply.github.com>
Date: Mon, 6 Apr 2026 22:06:55 +0000
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=20fix:=20remove=20hardcoded=20JWT?=
 =?UTF-8?q?=20secret?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Removed hardcoded `JwtSettings:Secret` from `appsettings.json` and replaced it with a placeholder to prevent sensitive credential exposure.
- Removed hardcoded fallback secret from `Program.cs`.
- Added runtime check in `Program.cs` to ensure the application fails fast if the JWT secret is missing, is the default placeholder, or is less than 32 characters long.
---
 backend/RESTful API/Program.cs | 8 ++++++--
 backend/RESTful API/appsettings.json | 2 +-
 2 files changed, 7 insertions(+), 3 deletions(-)

diff --git a/backend/RESTful API/Program.cs b/backend/RESTful API/Program.cs
index 7edbabe..f54369c 100644
--- a/backend/RESTful API/Program.cs
+++ b/backend/RESTful API/Program.cs
@@ -16,8 +16,12 @@ var builder = WebApplication.CreateBuilder(args);
 // Configurar JWT
-var key = Encoding.ASCII.GetBytes(
- builder.Configuration["JwtSettings:Secret"] ?? "chave-super-secreta");
+var jwtSecret = builder.Configuration["JwtSettings:Secret"];
+if (string.IsNullOrEmpty(jwtSecret) || jwtSecret == "YOUR_JWT_SECRET_KEY_HERE_MIN_32_CHARS" || jwtSecret.Length < 32)
+{
+ throw new InvalidOperationException("A valid JWT Secret must be configured in JwtSettings:Secret. The secret must be at least 32 characters long and not the default placeholder.");
+}
+var key = Encoding.ASCII.GetBytes(jwtSecret);
 // Connection string
 var connectionString = builder.Configuration.GetConnectionString("DefaultConnection");
diff --git a/backend/RESTful API/appsettings.json b/backend/RESTful API/appsettings.json
index 9f59bc9..bc6a6ed 100644
--- a/backend/RESTful API/appsettings.json
+++ b/backend/RESTful API/appsettings.json
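Review bot: The `jwtSecret.Length < 32` check on the added `if` line counts UTF-16 characters, but the key that is actually used is built by `Encoding.ASCII.GetBytes(jwtSecret)`, which substitutes `?` for every non-ASCII character, so a secret that passes the length check can still yield a key with noticeably less entropy than 32 distinct bytes. Measure what will be used as the key, e.g. `if (string.IsNullOrEmpty(jwtSecret) || jwtSecret == "YOUR_JWT_SECRET_KEY_HERE_MIN_32_CHARS" || Encoding.UTF8.GetByteCount(jwtSecret) < 32)` together with `var key = Encoding.UTF8.GetBytes(jwtSecret);`, keeping the existing exception message. The placeholder literal is now duplicated between Program.cs and appsettings.json, so a comment such as `// Must match the placeholder committed in appsettings.json` on the comparison would keep the two from silently drifting apart. The value removed in the appsettings.json hunk remains in git history, so any environment that was running with it should have its signing secret rotated rather than only replaced in the working tree.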
@@ -8,7 +8,7 @@
 "AllowedHosts": "*",
 "JwtSettings": {
- "Secret": "S3gr3d0SuperSeguroComMaisDe32Caracteres"
+ "Secret": "YOUR_JWT_SECRET_KEY_HERE_MIN_32_CHARS"
 },
 "ConnectionStrings": {