
Remove hardcoded default JWT secret key and database password#37

Open
saaa99999999 wants to merge 1 commit into insistence:master from saaa99999999:master

Conversation

@saaa99999999

Summary

ruoyi-fastapi-backend/config/env.py contained a hardcoded default JWT signing key and a hardcoded default database password, allowing anyone with access to the repository source code to:

  1. Forge valid JWT tokens for any user and gain administrative access
  2. Connect to the database using known default credentials

Changes

  • Removed hardcoded jwt_secret_key default value (was 'b01c66dc2c58dc6a0aabfe2144256be36226de378bf87f72c0c795dda67f4d55')
  • Removed hardcoded db_password default value (was 'mysqlroot')
  • Both now default to empty string and can be set via environment variables (JWT_SECRET_KEY, DB_PASSWORD) or .env files

Fixed Vulnerability

  • CWE-798: Use of Hard-coded Credentials — JWT signing key and database password were hardcoded in version-controlled source code

Test plan

  • Set JWT_SECRET_KEY env var or .env value, verify JWT auth works
  • Set DB_PASSWORD env var or .env value, verify database connection works
  • Verify application fails to validate tokens correctly when JWT key is not configured

The JWT signing key was hardcoded in config/env.py, allowing anyone with
access to the repository source code to forge valid JWT tokens for any
user and gain administrative access. The database password was also
hardcoded as a default value. Both defaults have been replaced with
empty strings; the values must now be set via environment variables
(JWT_SECRET_KEY, DB_PASSWORD) or .env files.
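The description and test plan above leave one gap a deployer would want closed: with the defaults now empty strings, an unconfigured instance still starts and simply signs tokens with an empty key. The following is an added example, not code from this PR or from the RuoYi-FastAPI project: a fail-closed settings loader that refuses to start when `JWT_SECRET_KEY` or `DB_PASSWORD` is empty, too short, or still equal to one of the two removed defaults, together with a stdlib-only HS256 sign/verify pair that shows a token minted under the old key is rejected once a per-deployment secret is in place. The function names, the `KNOWN_DEFAULTS` set, the 32-byte minimum and the sample values are assumptions; the two default values themselves are the ones quoted in the PR.

```python
# Added example (not the project's code). Assumed names: load_settings,
# sign_jwt, verify_jwt, KNOWN_DEFAULTS, MIN_SECRET_BYTES.
import base64
import hashlib
import hmac
import json
import os
from typing import Mapping, Optional

# The two defaults the PR removed, so a deployment that still carries them
# (for example through a stale .env file) is rejected at startup.
KNOWN_DEFAULTS = {
    "b01c66dc2c58dc6a0aabfe2144256be36226de378bf87f72c0c795dda67f4d55",
    "mysqlroot",
}
MIN_SECRET_BYTES = 32  # assumption: at least 256 bits of HMAC key material


def load_settings(environ: Optional[Mapping[str, str]] = None) -> dict:
    """Return the two secrets or raise RuntimeError; never fall back to ''."""
    env = os.environ if environ is None else environ
    secret = env.get("JWT_SECRET_KEY", "")
    password = env.get("DB_PASSWORD", "")
    problems = []
    if not secret:
        problems.append("JWT_SECRET_KEY is not set")
    elif secret in KNOWN_DEFAULTS:
        problems.append("JWT_SECRET_KEY is the old hardcoded default")
    elif len(secret.encode()) < MIN_SECRET_BYTES:
        problems.append(f"JWT_SECRET_KEY is shorter than {MIN_SECRET_BYTES} bytes")
    if not password:
        problems.append("DB_PASSWORD is not set")
    elif password in KNOWN_DEFAULTS:
        problems.append("DB_PASSWORD is the old hardcoded default")
    if problems:
        raise RuntimeError("refusing to start: " + "; ".join(problems))
    return {"jwt_secret_key": secret, "db_password": password}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: str) -> str:
    """Minimal HS256 JWT encoder; enough to demonstrate the key-dependence."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str, secret: str) -> Optional[dict]:
    """Return the claims if the HS256 signature matches `secret`, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # wrong segment count, bad base64, bad JSON or UTF-8
        return None
    # Pin the algorithm server-side; never let the token choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return None
    try:
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None
    return claims if isinstance(claims, dict) else None


if __name__ == "__main__":
    # Constructed values for a local run.
    settings = load_settings({"JWT_SECRET_KEY": "x" * 48, "DB_PASSWORD": "constructed-strong-password"})
    stale = sign_jwt({"sub": "admin"}, "b01c66dc2c58dc6a0aabfe2144256be36226de378bf87f72c0c795dda67f4d55")
    print("token under old default accepted?", verify_jwt(stale, settings["jwt_secret_key"]) is not None)  # False
    try:
        load_settings({"JWT_SECRET_KEY": "", "DB_PASSWORD": "mysqlroot"})
    except RuntimeError as err:
        print(err)
```

The loader is the piece worth lifting into the real `config/env.py` equivalent: a startup that aborts on an empty or known-default secret turns the test plan's last bullet ("fails to validate tokens when the key is not configured") from something to verify by hand into behaviour the process enforces on its own.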
@saaa99999999 (Author)

CVE Request

This PR fixes CWE-798 (Use of Hard-coded Credentials): the JWT signing key was hardcoded in config/env.py, allowing attackers with source code access to forge valid JWT tokens for any user and gain administrative access to the RuoYi management system. A hardcoded database password default was also removed. The severity is Critical (CVSS 3.1: 9.1 — AV:N/AC:L/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N).

Could you please request a CVE via GitHub Security Advisory for this vulnerability?
