Go Restful API Boilerplate: Hardcoded JWT Secret "random" Allows Token Forgery
The JWT signing secret is hardcoded to the string "random" in two independent locations:

dev.env:10 — The template .env file sets AUTH_JWT_SECRET=random. Every developer who copies this template gets the same default.

cmd/serve.go:35 — viper.SetDefault("auth_jwt_secret", "random") provides a programmatic fallback. Even if the .env file is missing entirely, the application silently starts with "random" as the signing key.

The original code contained a mitigation in auth/jwt/tokenauth.go:22-25 that checked if the …
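The two defects above share one root cause: the process can reach the point of signing tokens with a placeholder key, either because the template value was never replaced or because a missing variable is silently defaulted. The fix a defender wants is a fail-closed startup guard. The Go below is an added example written for this page, not code from the boilerplate; it uses the AUTH_JWT_SECRET variable name the page reports, reads it with os.Getenv instead of viper so it runs stand-alone, assumes a 32-byte minimum (the HS256 key-size floor from RFC 7518 section 3.2), and the placeholder list beyond "random" is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// Environment variable name taken from the page (dev.env sets AUTH_JWT_SECRET).
const jwtSecretEnv = "AUTH_JWT_SECRET"

// minSecretBytes assumes the HS256 floor from RFC 7518 section 3.2:
// the key must be at least as long as the hash output (256 bits).
const minSecretBytes = 32

// placeholderSecrets lists values that must never sign a token.
// "random" is the default the page reports; the others are constructed examples.
var placeholderSecrets = map[string]bool{
	"random":   true,
	"secret":   true,
	"changeme": true,
}

// insecureFallback mirrors the viper.SetDefault behaviour the page describes:
// a missing or empty variable silently becomes the placeholder. Shown for contrast only.
func insecureFallback(getenv func(string) string) string {
	if v := getenv(jwtSecretEnv); v != "" {
		return v
	}
	return "random"
}

// validateJWTSecret rejects empty, placeholder and too-short signing keys.
func validateJWTSecret(secret string) error {
	trimmed := strings.TrimSpace(secret)
	if trimmed == "" {
		return errors.New(jwtSecretEnv + " is not set")
	}
	if placeholderSecrets[strings.ToLower(trimmed)] {
		return fmt.Errorf("%s is the placeholder value %q", jwtSecretEnv, trimmed)
	}
	if len(trimmed) < minSecretBytes {
		return fmt.Errorf("%s is %d bytes; need at least %d", jwtSecretEnv, len(trimmed), minSecretBytes)
	}
	return nil
}

// loadJWTSecret is the fail-closed replacement for the fallback: no default is
// substituted, and any invalid value aborts startup instead of signing tokens.
// getenv is injected so the guard can be exercised without touching the real environment.
func loadJWTSecret(getenv func(string) string) (string, error) {
	secret := getenv(jwtSecretEnv)
	if err := validateJWTSecret(secret); err != nil {
		return "", err
	}
	return secret, nil
}

func main() {
	secret, err := loadJWTSecret(os.Getenv)
	if err != nil {
		fmt.Fprintln(os.Stderr, "refusing to start:", err)
		os.Exit(1)
	}
	fmt.Printf("JWT signing secret loaded (%d bytes)\n", len(secret))
}
```

Wire loadJWTSecret into the server's startup path before the token auth middleware is constructed; with the guard in place a missing .env, an unedited template, or a deliberately short value all stop the process with a clear message rather than producing a signer whose key is public.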