From dac884c4fe0614c53be26e64c2554aee91d535af Mon Sep 17 00:00:00 2001 From: Patrick Plate Date: Sat, 13 Jun 2026 10:08:34 +0200 Subject: [PATCH] fix(deploy): use valid base64 JWT secret in docker-compose After a successful login the backend returned HTTP 500: io.jsonwebtoken.io.DecodingException: Illegal base64 character: '-'. JwtService.getSigningKey() does Decoders.BASE64.decode(secret) before building the HMAC key (JJWT 0.12 convention). The compose secret was the plaintext 'docker-dev-secret-key-minimum-32-characters-long-for-hmac', which contains hyphens and is not valid base64, so token signing threw once auth succeeded. Replace with a proper base64 value (openssl rand -base64 48). The base application.properties default was already correctly base64-encoded; only the docker override was wrong.
---
 docker-compose.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/docker-compose.yml b/docker-compose.yml
index 8963d43..9466c4e 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -28,7 +28,10 @@ services:
 SPRING_DATASOURCE_URL: jdbc:postgresql://db:5432/cannamanage
 SPRING_DATASOURCE_USERNAME: cannamanage
 SPRING_DATASOURCE_PASSWORD: cannamanage_dev
- CANNAMANAGE_SECURITY_JWT_SECRET: docker-dev-secret-key-minimum-32-characters-long-for-hmac
+ # JwtService base64-decodes this secret (Decoders.BASE64.decode) before using it as the
+ # HMAC-SHA key. It MUST be valid base64 — a plaintext string with hyphens throws
+ # "Illegal base64 character: '-'" at token-signing time (HTTP 500 after a successful login).
+ CANNAMANAGE_SECURITY_JWT_SECRET: hmSULRhmFYcOXDwYxb7bGXp7Bovh+hXgua/VqF44Ts/N+8YELWpWiqQ+aLrymCuM
 depends_on:
 db:
 condition: service_healthy
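Review bot: The added `CANNAMANAGE_SECURITY_JWT_SECRET:` line commits a working HMAC signing key to the repository, so every environment started from this compose file unchanged signs tokens with a key that anyone who can read the repo or its history also holds, which makes token forgery possible against those environments. I would take the value from the environment and make compose refuse to start when it is missing, `CANNAMANAGE_SECURITY_JWT_SECRET: "${CANNAMANAGE_SECURITY_JWT_SECRET:?set a base64-encoded HMAC key}"`, with the local dev value kept in an untracked `.env`. If the literal has to stay, the new comment should also carry `# DEV ONLY: never reuse outside local docker; generate your own with: openssl rand -base64 48`, and the value should be quoted so tooling keeps it a string. The commit message says application.properties also ships a base64 default; if that default is a usable key the same concern presumably applies there, though that file is not part of this diff. The enclosing service definition starts and ends outside the hunk.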