I don’t know enough about Lemmy’s JWT design, but some JWT designs don’t store the JWT in a database at all, so the only correct response is to regenerate the secret and kill all the sessions by them failing the validity checks.

No, you said you can’t generate valid tokens within the database. I just told you this is the secret, not the tokens (that is present in the database).

This is the secret, not the tokens.

Hm… They could’ve edited the config or just exit(1) if the credential is the default, but very fair.

Oof, okay well that’s not how I would’ve done it. The JWT secret in the database itself could be a vulnerability (e.g., someone that gains read only access to the database could then use that as a wedge to create any JWT they wanted). I’m not sure if that’s actually worth bringing up or not (it’s a bit of an odd case).

JWT secret keys are not in the DB (speaking typically, maybe for Lemmy they are, but that would be very surprising), that’s typically an environment variable or configuration file sort of thing.

In any case, this isn’t the part that’s broken, it doesn’t need fixed.