fix: remove hardcoded secrets from embedded config and add JWT algorithm verification#727

Open
saaa99999999 wants to merge 1 commit into rocboss:main from saaa99999999:main

Conversation

@saaa99999999

Summary

The embedded config.yaml shipped in every binary contains hardcoded production credentials that are identical across all deployments:

  • JWT Secret — allows forging tokens for any user
  • MySQL/Postgres passwords — database access
  • MinIO access/secret keys — object storage access
  • Zinc, MeiliSearch, OpenObserve passwords and API keys — search/log infrastructure access
  • Alipay RSA private key — payment signing key

Additionally, ParseToken() does not verify the JWT signing algorithm.

Changes

  • internal/conf/config.yaml: Replaced all hardcoded secrets with empty strings
  • internal/conf/conf.go: Added startup validation that exits with error if JWT Secret is not configured
  • pkg/app/jwt.go: Added HMAC algorithm verification in ParseToken() callback

Test plan

  • Config loads without JWT secret → exits with fatal error
  • JWT tokens work with properly configured secret
  • Tokens signed with non-HMAC algorithms are rejected

🤖 Generated with Claude Code

…thm verification

Replace hardcoded JWT secret, DB passwords, OSS credentials, and API
keys in embedded config.yaml with empty strings. Add JWT secret validation
at startup. Add HMAC algorithm verification in ParseToken to prevent
JWT algorithm confusion attacks.
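The algorithm check the PR describes for ParseToken, shown as an added example that is not the project's code: a compact JWT is verified with the standard library only (no jwt library), and the header's alg is pinned to HS256 before the signature is examined. The SignHS256 helper and the secret are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding // compact JWT segments are unpadded base64url

// SignHS256 mints a compact JWT (header.payload.signature) with HMAC-SHA256.
// Constructed helper so the example runs stand-alone; not the project's code.
func SignHS256(claims map[string]any, secret []byte) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(input))
	return input + "." + b64.EncodeToString(mac.Sum(nil))
}

// ParseHS256 is the guard the PR describes for ParseToken: the header's alg
// is pinned to HS256 *before* the signature is examined, so a token whose
// header claims "none", RS256 or any other method is rejected outright and
// the server's HMAC secret is never used to verify a foreign algorithm.
// On success it returns the raw claims JSON.
func ParseHS256(token string, secret []byte) ([]byte, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if raw, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(raw, &hdr) != nil {
		return nil, errors.New("malformed header")
	}
	if hdr.Alg != "HS256" {
		return nil, errors.New("unexpected signing method: " + hdr.Alg)
	}
	// Constant-time comparison of the expected MAC over header.payload.
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	if sig, err := b64.DecodeString(parts[2]); err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return nil, errors.New("invalid signature")
	}
	return b64.DecodeString(parts[1])
}
```

With a jwt library the same rule belongs in the key callback: inspect the token's signing method and return an error unless it is an HMAC method, before handing back the secret.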