cube-js-jwt-dev-fallback-key-is-publicly-known

The development fallback value for CUBEJS_API_SECRET is a well-known public string used in Cube.js docs and tutorials. Any JWT signed with it in production is trivially forgeable. The signing function must explicitly refuse to use the dev fallback when ENV=production, raising an error rather than proceeding.
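A sketch of such a guard, as an added example rather than Cube.js's own code: `resolveSigningSecret` and `signToken` are hypothetical names, and `DEV_FALLBACK_SECRET` holds a placeholder because the page does not quote the actual fallback string. An unset secret is treated the same as the fallback, since it would otherwise resolve to it.

```javascript
const crypto = require("node:crypto");

// Placeholder only (assumption): the page does not quote the real fallback string.
const DEV_FALLBACK_SECRET = "<dev-fallback-secret-placeholder>";

// Hypothetical helper: returns the HMAC key, or throws when production
// would otherwise sign with a missing or publicly known secret.
function resolveSigningSecret(env) {
  const configured = (env.CUBEJS_API_SECRET || "").trim();
  const isProduction = (env.ENV || "").toLowerCase() === "production";
  if (isProduction && (configured === "" || configured === DEV_FALLBACK_SECRET)) {
    throw new Error("CUBEJS_API_SECRET is unset or is the dev fallback; refusing to sign in production");
  }
  // The fallback is reachable only outside production.
  return configured || DEV_FALLBACK_SECRET;
}

const b64url = (text) => Buffer.from(text).toString("base64url");

// Hypothetical minimal HS256 signer; the key is resolved on every call so the
// guard cannot be bypassed by a value cached at import time.
function signToken(payload, env) {
  const secret = resolveSigningSecret(env);
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const signingInput = `${header}.${b64url(JSON.stringify(payload))}`;
  const sig = crypto.createHmac("sha256", secret).update(signingInput).digest("base64url");
  return `${signingInput}.${sig}`;
}

// Constructed sample environments (not real deployments or real secrets).
const sampleEnvs = [
  { ENV: "production", CUBEJS_API_SECRET: DEV_FALLBACK_SECRET },
  { ENV: "production" },
  { ENV: "production", CUBEJS_API_SECRET: "constructed-random-secret-for-demo" },
  { ENV: "development" },
];

for (const env of sampleEnvs) {
  try {
    signToken({ sub: "demo-user" }, env);
    console.log(env.ENV, "-> signed");
  } catch (err) {
    console.log(env.ENV, "-> refused:", err.message);
  }
}
```

Running the same check once at process start-up, before the server begins listening, turns a misconfigured deployment into a failed boot instead of a failure on the first signing request.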