From 1803fdf16a1904232a50b971d536a44ec1355b89 Mon Sep 17 00:00:00 2001
From: vbv-18
Date: Sun, 2 Mar 2025 20:36:54 +0100
Subject: [PATCH] Fix a hardcoded password
---
 .../java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpoint.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpoint.java b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpoint.java
index 4efc9db0..5d86f8f2 100644
--- a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTRefreshEndpoint.java
@@ -59,7 +59,7 @@ public class JWTRefreshEndpoint extends AssignmentEndpoint {
 public static final String PASSWORD = "bm5nhSkxCXZkKRy4";
- private static final String JWT_PASSWORD = "bm5n3SkxCX4kKRy4";
+ private static final String JWT_PASSWORD = System.getenv("JWT_SECRET");
 private static final List validRefreshTokens = new ArrayList<>();
 @PostMapping(
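Review bot: `JWT_PASSWORD` becomes `null` whenever `JWT_SECRET` is not set in the environment, because `System.getenv` returns null for a missing variable and the added line does not check the result. The field's uses are outside this hunk, so the failure would presumably surface only when a token is signed or parsed, far from the cause. Fail at class initialisation instead, e.g. `private static final String JWT_PASSWORD = java.util.Objects.requireNonNull(System.getenv("JWT_SECRET"), "JWT_SECRET must be set");`, and consider rejecting blank or very short values, since a weak signing secret can be guessed offline from any issued token. The neighbouring `public static final String PASSWORD` is still a literal in source; if that is deliberate for the lesson, a comment such as `// lesson credential, intentionally fixed` would make that clear. The class body continues outside the hunk.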