Fix critical security vulnerabilities - remove hardcoded secrets

Co-authored-by: Stalin-143 <161853795+Stalin-143@users.noreply.github.com>

backend/routes/admin.py

@@ -31,10 +31,11 @@ def admin_required(f):
             token = auth_header.split(' ')[1] if len(auth_header.split(' ')) > 1 else None
             print(f"Extracted token: '{token}'")
             
-            # Check environment variable first, then fallback to default
+            # Check environment variable - no fallback for security
             expected_token = os.getenv('ADMIN_TOKEN')
             if not expected_token:
-                expected_token = 'admin-secret-key'
+                print("❌ ADMIN_TOKEN environment variable not set")
+                return jsonify({"error": "Server configuration error: ADMIN_TOKEN not configured"}), 500
             
             print(f"Expected token: '{expected_token}'")
             print(f"Environment ADMIN_TOKEN: '{os.getenv('ADMIN_TOKEN')}'")

backend/routes/auth.py

@@ -16,8 +16,13 @@ mongo_uri = os.getenv('MONGODB_URI', 'mongodb://localhost:27017/')
 client = MongoClient(mongo_uri)
 db = client.openlearnx
 
-# JWT secret
-JWT_SECRET = os.getenv('JWT_SECRET', 'your-secret-key-here')
+# JWT secret - must be set via environment variable
+JWT_SECRET = os.getenv('JWT_SECRET')
+if not JWT_SECRET:
+    import warnings
+    warnings.warn("JWT_SECRET environment variable not set. Using randomly generated secret.", UserWarning)
+    import secrets as _secrets
+    JWT_SECRET = _secrets.token_hex(32)
 
 @bp.route('/nonce', methods=['POST', 'OPTIONS'])
 def get_nonce():