Gravitee.io - API Platform - Issues

[management-api] Should jwt.secret be a required value #3434

Closed pf-mike-breaton closed 2 years ago

pf-mike-breaton commented 4 years ago

Happened to find the following messages in my api logs and was wondering what its implications are:

23:17:03.904 [graviteeio-node] WARN  i.g.m.s.c.BasicSecurityConfigurerAdapter - ##############################################################
23:17:03.904 [graviteeio-node] WARN  i.g.m.s.c.BasicSecurityConfigurerAdapter - #                      SECURITY WARNING                      #
23:17:03.904 [graviteeio-node] WARN  i.g.m.s.c.BasicSecurityConfigurerAdapter - ##############################################################
23:17:03.905 [graviteeio-node] WARN  i.g.m.s.c.BasicSecurityConfigurerAdapter -
23:17:03.905 [graviteeio-node] WARN  i.g.m.s.c.BasicSecurityConfigurerAdapter - You still use the default jwt secret.
23:17:03.905 [graviteeio-node] WARN  i.g.m.s.c.BasicSecurityConfigurerAdapter - This known secret can be used to impersonate anyone.
23:17:03.905 [graviteeio-node] WARN  i.g.m.s.c.BasicSecurityConfigurerAdapter - Please change this value, or ask your administrator to do it !

It seems setting a jwt.secret cfg value resolves it.

Expected Behavior

Shouldn't the absence of this variable force the api to exit initialization with an appropriate error message?

Current Behavior

If the default value is not overridden, only a warning is displayed in the logs.

Possible Solution

Cause the API to fail to start if an appropriate secret is not provided. Display an appropriate reason in the logs.

brasseld commented 4 years ago

Yes, jwt.secret is a required value.

So yes, it should force to exit, you are right!
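Added example (not Gravitee's code): a fail-fast startup check of the kind proposed above, with a minimal HS256 sign/verify so the impersonation risk from a shared known secret is visible in code. The `jwt.secret` key lookup, the minimum key length and the placeholder default value are assumptions, not values from the project.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed placeholder: the real shipped default is deliberately not reproduced here.
KNOWN_DEFAULT_SECRETS = {"<default-jwt-secret-placeholder>"}
MIN_SECRET_BYTES = 32  # assumption: HS256 keys should be at least 256 bits


class InsecureJwtSecret(RuntimeError):
    """Raised during initialization instead of logging a warning and continuing."""


def validate_jwt_secret(config: dict) -> bytes:
    """Return the secret as bytes, or raise so the node refuses to start."""
    secret = config.get("jwt.secret")
    if not secret:
        raise InsecureJwtSecret("jwt.secret is required but was not set")
    if secret in KNOWN_DEFAULT_SECRETS:
        raise InsecureJwtSecret("jwt.secret is still the default; anyone who knows it can mint tokens")
    raw = secret.encode()
    if len(raw) < MIN_SECRET_BYTES:
        raise InsecureJwtSecret(f"jwt.secret is {len(raw)} bytes; at least {MIN_SECRET_BYTES} required")
    return raw


def secret_is_acceptable(config: dict) -> bool:
    """Boolean view of the check, for callers that only need pass/fail."""
    try:
        validate_jwt_secret(config)
        return True
    except InsecureJwtSecret:
        return False


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Compact JWS with HS256; whoever holds `secret` can produce any claims."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the claims if the signature matches `secret`, else None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
```

With the check in place a node configured with the placeholder default never reaches the point where `verify_hs256` would accept tokens minted by anyone holding that value.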

pf-mike-breaton commented 4 years ago

Thanks, will this be addressed in a future release?

stale[bot] commented 2 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.