replace static secrets with enviroment variables

handlers/login.go

@@ -16,9 +16,9 @@ import (
 // 🔐 AUTHENTICATION CONSTANTS
 // -----------------------------
 
-// JWT secrets (replace "*" with strong random values in production!)
-var ACCESS_SECRET = []byte("ShFRprALcXjlosJ2hFCnGYGG3Ce2uRx6")
-var REFRESH_SECRET = []byte("pQIjuX6g6Tzf0FEfdScxttT3hlL9NFaa")
+// JWT secrets
+var ACCESS_SECRET []byte
+var REFRESH_SECRET []byte
 
 // DOMAIN defines where cookies are valid. Change this in production.
 var DOMAIN = "localhost"