refactor(config): export isJwtSecretWeak — dedupe JWT weakness predicate

[PierreBrisorgueil]

Summary

• Extracts the JWT weakness predicate (empty / whitespace / <32 chars / known default) from the inline expression inside validateJwtSecret into an exported isJwtSecretWeak(secret) helper in lib/helpers/config.js
• Removes the private JWT_DEFAULTS Set + duplicated jwtInsecure expression from modules/home/services/home.service.js; both call sites now import and use the single canonical helper
• JWT_DEFAULT_SECRETS is now exported (frozen with Object.freeze) for exhaustive test coverage
• Zero behavior change: all existing validateJwtSecret + home-readiness tests stay green; new config.isJwtSecretWeak unit tests cover every case (empty, null, whitespace, <32-char, each known default, strong secret)

Test plan

• npm run lint — no issues
• npm run test:unit — 128 suites / 1777 tests, all passing
• New lib/helpers/tests/config.isJwtSecretWeak.unit.tests.js — 15 tests covering full predicate matrix
• Extended modules/home/tests/home.service.unit.tests.js — 3 new security-row tests asserting correct delegation to shared helper
• Pre-push /critical-review --via deepseek — Verdict: OK (no blockers; 2 nits addressed before commit)

Closes #3792

[coderabbitai]

Warning

Review limit reached

@PierreBrisorgueil, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 34 minutes and 21 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6a7337c1-a4e4-4b11-bb83-98336ed4bbf3

📥 Commits

Reviewing files that changed from the base of the PR and between fbba499 and 7d3e23a.

📒 Files selected for processing (4)

• lib/helpers/config.js
• lib/helpers/tests/config.isJwtSecretWeak.unit.tests.js
• modules/home/services/home.service.js
• modules/home/tests/home.service.unit.tests.js

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch refactor/jwt-weakness-predicate-dedup

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 90.29%. Comparing base (fbba499) to head (7d3e23a).

Additional details and impacted files

@@           Coverage Diff           @@
##           master    #3799   +/-   ##
=======================================
  Coverage   90.29%   90.29%           
=======================================
  Files         152      152           
  Lines        5038     5038           
  Branches     1603     1602    -1     
=======================================
  Hits         4549     4549           
  Misses        385      385           
  Partials      104      104           

Flag	Coverage Δ
integration	59.01% <80.00%> (ø)
unit	69.86% <100.00%> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

---

Continue to review full report in Codecov by Harness.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update fbba499...7d3e23a. Read the comment docs.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Copilot]

Pull request overview

This PR deduplicates the JWT “weak/default secret” predicate by introducing a canonical isJwtSecretWeak(secret) helper (and exporting the default-secret list) from lib/helpers/config.js, then updating Home’s readiness report to call that shared helper instead of maintaining its own copy. It also adds focused unit tests to lock in the behavior matrix and prevent drift.

Changes:

• Added isJwtSecretWeak(secret) (and exported JWT_DEFAULT_SECRETS) in lib/helpers/config.js; validateJwtSecret now delegates to the helper.
• Removed duplicated JWT-default/weakness logic in modules/home/services/home.service.js in favor of the shared helper.
• Added/extended unit tests covering the full predicate matrix and readiness behavior.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File	Description
lib/helpers/config.js	Exports canonical JWT weakness predicate + default-secret set; validateJwtSecret delegates to it.
modules/home/services/home.service.js	Replaces local JWT-default predicate with shared isJwtSecretWeak.
lib/helpers/tests/config.isJwtSecretWeak.unit.tests.js	New unit tests covering weak/strong cases and all default placeholders.
modules/home/tests/home.service.unit.tests.js	Adds readiness-row tests for JWT security status/message behavior.