Diffstat (limited to 'backend')
-rw-r--r--backend/auth/jwt.go20
-rw-r--r--backend/main.go4
2 files changed, 18 insertions, 6 deletions
diff --git a/backend/auth/jwt.go b/backend/auth/jwt.go
index 510656b..13af837 100644
--- a/backend/auth/jwt.go
+++ b/backend/auth/jwt.go
@@ -2,6 +2,7 @@ package auth
import (
"errors"
+ "os"
"time"
"github.com/golang-jwt/jwt/v5"
@@ -9,6 +10,17 @@ import (
"github.com/nsfisis/iosdc-japan-2024-albatross/backend/db"
)
+var (
+ jwtSecret []byte
+)
+
+func init() {
+ jwtSecret = []byte(os.Getenv("ALBATROSS_JWT_SECRET"))
+ if len(jwtSecret) == 0 {
+ panic("ALBATROSS_JWT_SECRET is not set")
+ }
+}
+
type JWTClaims struct {
UserID int `json:"user_id"`
Username string `json:"username"`
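Review bot: The guard `len(jwtSecret) == 0` in init() only rejects an unset variable, so a secret of a few characters is still accepted as the HS256 signing key. RFC 7518 section 3.2 requires an HMAC-SHA256 key of at least 256 bits, so the check could be `if len(jwtSecret) < 32 { panic("ALBATROSS_JWT_SECRET must be at least 32 bytes") }`. Because the check runs in a package-level init(), every binary that imports auth, including test binaries, panics unless the variable is set. Loading the secret in main and passing it in would keep that failure explicit. A comment on `jwtSecret` saying it is written once at start-up and only read afterwards would also help.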
@@ -30,7 +42,7 @@ func NewJWT(user *db.User) (string, error) {
},
}
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
- return token.SignedString([]byte("TODO"))
+ return token.SignedString(jwtSecret)
}
func NewAnonymousJWT() (string, error) {
@@ -38,7 +50,7 @@ func NewAnonymousJWT() (string, error) {
ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Minute * 5)),
}
token := jwt.NewWithClaims(jwt.SigningMethodHS256, claims)
- return token.SignedString([]byte("TODO"))
+ return token.SignedString(jwtSecret)
}
func NewShortLivedJWT(claims *JWTClaims) (string, error) {
@@ -53,13 +65,13 @@ func NewShortLivedJWT(claims *JWTClaims) (string, error) {
},
}
token := jwt.NewWithClaims(jwt.SigningMethodHS256, newClaims)
- return token.SignedString([]byte("TODO"))
+ return token.SignedString(jwtSecret)
}
func ParseJWT(token string) (*JWTClaims, error) {
claims := new(JWTClaims)
t, err := jwt.ParseWithClaims(token, claims, func(*jwt.Token) (interface{}, error) {
- return []byte("TODO"), nil
+ return jwtSecret, nil
})
if err != nil {
return nil, err
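Review bot: The key function in ParseJWT ignores its `*jwt.Token` argument, so nothing in the visible lines compares the algorithm named in the token header with HS256, the method every issuer in this file signs with. Passing `jwt.WithValidMethods([]string{"HS256"})` as a parser option to `jwt.ParseWithClaims` would pin verification to the method used for signing. ParseJWT's body continues outside the hunk, so a check may exist further down, but it would run only after the library has already verified the signature.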
diff --git a/backend/main.go b/backend/main.go
index c01394b..3296957 100644
--- a/backend/main.go
+++ b/backend/main.go
@@ -89,10 +89,10 @@ func main() {
// For local dev: This is never used in production because the reverse
// proxy sends /login and /logout to the app server.
- e.GET("/login", func(c echo.Context) error {
+ e.GET("/iosdc-japan/2024/code-battle/login", func(c echo.Context) error {
return c.Redirect(http.StatusPermanentRedirect, "http://localhost:5173/iosdc-japan/2024/code-battle/login")
})
- e.POST("/logout", func(c echo.Context) error {
+ e.POST("/iosdc-japan/2024/code-battle/logout", func(c echo.Context) error {
return c.Redirect(http.StatusPermanentRedirect, "http://localhost:5173/iosdc-japan/2024/code-battle/logout")
})
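Review bot: The comment above these handlers still says the reverse proxy sends `/login` and `/logout` to the app server, although the routes are now registered under `/iosdc-japan/2024/code-battle/`. It should name the prefixed paths so the assumption can be checked against the proxy configuration. The handlers are also registered unconditionally and answer with `http.StatusPermanentRedirect` to `http://localhost:5173`, so if the proxy rule is ever missing, clients may cache a redirect to localhost. Using `http.StatusTemporaryRedirect`, or registering the routes only in a development mode, would limit that. main's body starts and ends outside the hunk.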