From 8a30c82c6de4541b02829d10046fc5b9db96d366 Mon Sep 17 00:00:00 2001 From: Hugh Brown Date: Tue, 3 Mar 2026 13:40:27 -0700 Subject: [PATCH] security: remove hardcoded auth token from committed .env.test The file contained a publicly known LOCAL_AUTH_TOKEN value that could be used against misconfigured deployments. Replace with an empty value and a comment showing how to generate a secure token. The test suite continues to work via conftest.py which sets its own test-only token. Co-Authored-By: Claude Opus 4.6 --- backend/.env.test | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/backend/.env.test b/backend/.env.test index 2d22385a..f401d0ef 100644 --- a/backend/.env.test +++ b/backend/.env.test @@ -17,8 +17,9 @@ BASE_URL=http://localhost:8000 # Auth mode: local for test/dev AUTH_MODE=local -# Must be non-placeholder and >= 50 chars -LOCAL_AUTH_TOKEN=test-local-token-0123456789-0123456789-0123456789x +# Must be non-placeholder and >= 50 chars. +# Generate with: python3 -c "import secrets; print(secrets.token_urlsafe(48))" +LOCAL_AUTH_TOKEN= # Clerk settings kept empty in local auth mode CLERK_SECRET_KEY=
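Review bot: the new `LOCAL_AUTH_TOKEN=` line is empty while the comment directly above it still reads "Must be non-placeholder and >= 50 chars", which contradicts the file for anyone who loads `backend/.env.test` outside pytest (the commit message says only `conftest.py` supplies a token); either extend the comment to say the value is intentionally blank and set by `conftest.py`, or confirm that local auth mode fails closed on an empty token instead of treating it as a valid credential. Separately, deleting `test-local-token-0123456789-0123456789-0123456789x` from the working tree does not remove it from git history, so any deployment that copied this file should rotate the token; the commit message would be the natural place to state that.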