perl – Serve and Authenticate via JWT tokens via Mojo::JWT

Hello fellow Perl hackers,

I have been faffing about with Mojo::JWT the last day or two and feel I have come up with something that should securely serve a JWT token to authenticate a user.

As my moniker suggests, this is all pretty new to me. Therefore I am looking for feedback on the security of this implementation (apart from the obvious hardcoded username/password pair) and ways I could trim the lines of code.

I have discovered 'under' in Mojolicious to restrict routes; however, as I am using OpenAPI, is there an equivalent to this?

Further, which would be good candidates to use for helpers? And while on the subject of helpers, what would be the difference in just using other subroutines, sans the helper keyword?

I generated the Mojo app via mojo generate app appname, and what follows is the Controller that I have created for the OpenAPI endpoints.
I have been using curl to test these endpoints and these work as expected.

package mojojwtauth::Controller::Example;
use Mojo::Base 'Mojolicious::Controller', -signatures;
use Mojo::JSON qw(decode_json encode_json);
use Mojo::JWT;

sub restricted {
  # Validate input request or return an error document
  my $self = shift->openapi->valid_input or return;

  # Get the token from the Authorization header: strip the scheme word
  # ("Bearer") and surrounding whitespace. Default to '' so a missing
  # header does not warn.
  my $jwt = ($self->req->headers->authorization // '') =~ s/^\s*\S+\s*//r;

  # Decode and verify the token. decode() dies on a bad signature or an
  # expired token, so an undef result means access is denied.
  my $claims = eval { Mojo::JWT->new(secret => 's3cr3t')->decode($jwt) };
  if (!$claims) {
    $self->render(openapi => {error => 'Access Denied: Restricted Area'}, status => 401);
  } else {
    $self->render(openapi => {success => 'Access Granted'}, status => 200);
  }
}

sub get_token {
  # Validate input request or return an error document
  my $self = shift->openapi->valid_input or return;

  # Check if username and password equal the hardcoded pair (placeholder
  # for a real credential lookup). Default to '' so missing keys do not warn.
  my $data = $self->req->json;
  if (($data->{username} // '') eq "philip" && ($data->{password} // '') eq "secret") {

    # Create a token that expires in 24 hours
    my $exp = time() + 86400;
    my $payload = {id  => 1,
                   exp => $exp,
                   iss => 'Mojolicious API'};
    my $jwt = Mojo::JWT->new(claims => $payload, secret => 's3cr3t')->encode;

    # Return useful info from database query when doing real password check
    my $user = {id       => 1,
                name     => $data->{username},
                username => $data->{username}};

    # Return token and user data
    $self->render(openapi => {token => $jwt, user => $user}, status => 200);
  } else {
    # Otherwise return an error; a failed login is a 401, not a 200
    $self->render(openapi => {error => 'Invalid Username or Password'}, status => 401);
  }
}

1;

I am really new to this so please any feedback is greatly appreciated.
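One way to do what the post asks about, written here as an added example and not the poster's own code: Mojolicious::Plugin::OpenAPI's security callback is the OpenAPI-side counterpart of 'under', since it runs before any operation whose spec lists that security scheme, and the token endpoint is tightened with Mojo::Util's secure_compare and a 401 on failure. The example assumes the signing secret arrives in a JWT_SECRET environment variable, uses a constructed single-user table in place of a database lookup, and keeps the spec in the __DATA__ section of a Mojolicious::Lite script.

```perl
#!/usr/bin/env perl
# Added example, not the code from the post: a Mojolicious::Lite app that
# issues JWTs with Mojo::JWT and guards an OpenAPI operation with the
# plugin's "security" callback (the OpenAPI-side equivalent of `under`).
use Mojolicious::Lite -signatures;
use Mojo::JWT;
use Mojo::Util qw(secure_compare);

# Assumption: the signing key is injected via the environment, not the source.
my $SECRET = $ENV{JWT_SECRET} // die "set JWT_SECRET to a long random string\n";
my $ISSUER = 'Mojolicious API';
my $TTL    = 900;    # 15 minutes; short-lived tokens limit the damage of a leak

# Constructed single-user store for the example; a real app would fetch the
# user from a database and compare a salted password hash instead.
my %USERS = (philip => {id => 1, password => 'secret'});

# Parse "Authorization: Bearer <token>" and verify it. Returns the claims
# hashref, or undef for a missing, malformed, forged, expired or foreign token.
sub claims_from_header ($auth) {
  my ($token) = ($auth // '') =~ /^\s*Bearer\s+(\S+)\s*$/i or return undef;
  # decode() dies on a bad signature, on exp/nbf violations and on alg "none"
  # (allow_none is off by default), so every failure lands in the eval.
  my $claims = eval { Mojo::JWT->new(secret => $SECRET)->decode($token) } or return undef;
  return undef unless ($claims->{iss} // '') eq $ISSUER;    # pin the issuer
  return $claims;
}

# Moved under basePath by the plugin, so this becomes POST /api/token
post '/token' => sub ($c) {
  $c = $c->openapi->valid_input or return;
  my $data = $c->req->json;
  my $user = $USERS{$data->{username} // ''};
  # Constant-time compare; unknown users are compared against a dummy so that
  # "no such user" and "wrong password" take the same time and give the same answer.
  my $ok = secure_compare($data->{password} // '', $user ? $user->{password} : "\0" x 16);
  unless ($user && $ok) {
    $c->res->headers->www_authenticate('Bearer');
    return $c->render(openapi => {error => 'Invalid username or password'}, status => 401);
  }
  my $jwt = Mojo::JWT->new(
    secret  => $SECRET,
    expires => time() + $TTL,                 # sets the exp claim
    claims  => {'sub' => $user->{id}, iss => $ISSUER},
  )->encode;
  $c->render(openapi => {token => $jwt, user => {id => $user->{id}, username => $data->{username}}});
}, 'get_token';

# GET /api/restricted. The Bearer security callback has already run by the
# time this action is reached, so the verified claims are in the stash.
get '/restricted' => sub ($c) {
  $c = $c->openapi->valid_input or return;
  my $claims = $c->stash('jwt_claims');
  $c->render(openapi => {success => 'Access Granted', user_id => $claims->{'sub'}});
}, 'restricted';

# Load the spec last so the named routes above are found. Every operation
# whose spec lists "Bearer" under "security" goes through this callback first.
plugin OpenAPI => {
  url      => 'data:///api.json',
  security => {
    Bearer => sub {
      my ($c, $definition, $scopes, $cb) = @_;
      my $claims = claims_from_header($c->req->headers->authorization);
      return $c->$cb('Invalid or missing bearer token') unless $claims;
      $c->stash(jwt_claims => $claims);
      return $c->$cb();
    },
  },
};

app->start;

__DATA__
@@ api.json
{
  "swagger": "2.0",
  "info": {"title": "JWT example", "version": "1"},
  "basePath": "/api",
  "securityDefinitions": {"Bearer": {"type": "apiKey", "name": "Authorization", "in": "header"}},
  "paths": {
    "/token": {"post": {
      "x-mojo-name": "get_token",
      "parameters": [{"name": "body", "in": "body", "required": true, "schema": {
        "type": "object", "required": ["username", "password"],
        "properties": {"username": {"type": "string"}, "password": {"type": "string"}}}}],
      "responses": {"200": {"description": "token", "schema": {"type": "object"}},
                    "401": {"description": "bad credentials", "schema": {"type": "object"}}}
    }},
    "/restricted": {"get": {
      "x-mojo-name": "restricted",
      "security": [{"Bearer": []}],
      "responses": {"200": {"description": "ok", "schema": {"type": "object"}},
                    "401": {"description": "no valid token", "schema": {"type": "object"}}}
    }}
  }
}
```

Run it with JWT_SECRET set and `perl app.pl daemon`, POST the JSON credentials to /api/token, then GET /api/restricted with the returned token in an Authorization: Bearer header. A missing, tampered or expired token is rejected inside the security callback before the action runs, with the plugin's own error document and a 401, so the action body never has to repeat the check; putting the parsing and verification in one sub (or a helper) keeps that logic in a single place.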