From c53d441c6941ca8bcb6a0535b62418f70fee52af Mon Sep 17 00:00:00 2001
From: Claude Dev
Date: Sun, 29 Mar 2026 13:53:17 +0200
Subject: [PATCH] fix: JWT_SECRET lazy-validiert statt beim Import
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

config.py: get_jwt_secret() wirft RuntimeError nur bei Nutzung, nicht beim Import. Blog-Pipeline kann importieren ohne JWT_SECRET, Monitor bleibt geschützt.

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 src/auth.py | 6 +++---
 src/config.py | 11 ++++++++++-
 2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/src/auth.py b/src/auth.py
index d79148e..ee017bb 100644
--- a/src/auth.py
+++ b/src/auth.py
@@ -4,7 +4,7 @@ from datetime import datetime, timedelta
 from jose import jwt, JWTError
 from fastapi import Depends, HTTPException, status
 from fastapi.security import HTTPBearer, HTTPAuthorizationCredentials
-from config import JWT_SECRET, JWT_ALGORITHM, JWT_EXPIRE_HOURS, TIMEZONE
+from config import get_jwt_secret, JWT_ALGORITHM, JWT_EXPIRE_HOURS, TIMEZONE
 security = HTTPBearer()
@@ -36,7 +36,7 @@ def create_token(
 "iat": now,
 "exp": expire,
 }
- return jwt.encode(payload, JWT_SECRET, algorithm=JWT_ALGORITHM)
+ return jwt.encode(payload, get_jwt_secret(), algorithm=JWT_ALGORITHM)
 def decode_token(token: str) -> dict:
@@ -44,7 +44,7 @@ def decode_token(token: str) -> dict:
 try:
 payload = jwt.decode(
 token,
- JWT_SECRET,
+ get_jwt_secret(),
 algorithms=[JWT_ALGORITHM],
 issuer=JWT_ISSUER,
 audience=JWT_AUDIENCE,
diff --git a/src/config.py b/src/config.py
index b8ae665..68936ce 100644
--- a/src/config.py
+++ b/src/config.py
@@ -13,7 +13,16 @@ STATIC_DIR = os.path.join(os.path.dirname(os.path.abspath(__file__)), "static")
 DB_PATH = os.path.join(DATA_DIR, "osint.db")
 # JWT
-JWT_SECRET = os.environ.get("JWT_SECRET", "")
+_JWT_SECRET = os.environ.get("JWT_SECRET", "")
+def get_jwt_secret() -> str:
+ """Gibt JWT_SECRET zurück. Wirft RuntimeError wenn nicht gesetzt."""
+ if not _JWT_SECRET:
+ raise RuntimeError("JWT_SECRET Umgebungsvariable muss gesetzt sein")
+ return _JWT_SECRET
+
+
+# Rückwärtskompatibel für direkte Imports
+JWT_SECRET = _JWT_SECRET
 JWT_ALGORITHM = "HS256"
 JWT_EXPIRE_HOURS = 24
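Review bot: The backward-compatibility alias `JWT_SECRET = _JWT_SECRET` at the end of this hunk still exports the raw environment value, so any module that keeps `from config import JWT_SECRET` gets an empty string when the variable is unset and never reaches the `RuntimeError` in `get_jwt_secret()`. If the JWT library accepts an empty HMAC key, tokens signed or verified through that path would be forgeable, so the alias should either be dropped or resolved lazily through a module-level `__getattr__` (PEP 562), as sketched below; whether other modules still import the name is not visible in this patch. Separately, `if not _JWT_SECRET:` lets whitespace-only and very short values through; a guard such as `if len(_JWT_SECRET.strip()) < 32:` would bring it in line with the 256-bit minimum that RFC 7518 requires for HS256 keys.

```python
# Rückwärtskompatibel für direkte Imports
def __getattr__(name: str):
    # Resolved on first access, so legacy importers hit the same check.
    if name == "JWT_SECRET":
        return get_jwt_secret()
    raise AttributeError(f"module {__name__!r} has no attribute {name!r}")
```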