From 5b1e6915aca40be46ee3409ce8d444fb6c09fa26 Mon Sep 17 00:00:00 2001 From: Ulas Date: Fri, 3 Apr 2026 21:59:41 +0200 Subject: [PATCH] fix(security): replace hardcoded session secret fallback with random generation Instead of a static 'dev-only-secret-not-for-production' fallback, generate a random one-time secret in development. Warns that sessions won't survive restarts. Production guard unchanged. --- server/auth.js | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/server/auth.js b/server/auth.js index 0de0e60..40a3435 100644 --- a/server/auth.js +++ b/server/auth.js @@ -90,13 +90,18 @@ const sessionStore = new BetterSQLiteStore(); * Session-Middleware konfigurieren. * Wird in server/index.js eingebunden. */ -if (process.env.NODE_ENV === 'production' && !process.env.SESSION_SECRET) { - throw new Error('[Auth] SESSION_SECRET muss in der .env gesetzt sein (Produktion).'); +if (!process.env.SESSION_SECRET) { + if (process.env.NODE_ENV === 'production') { + throw new Error('[Auth] SESSION_SECRET muss in der .env gesetzt sein (Produktion).'); + } + const { randomBytes } = require('node:crypto'); + process.env.SESSION_SECRET = randomBytes(32).toString('hex'); + console.warn('[Auth] SESSION_SECRET nicht gesetzt - zufaelliges Einmal-Secret generiert (Sessions ueberleben keinen Neustart).'); } const sessionMiddleware = session({ store: sessionStore, - secret: process.env.SESSION_SECRET || 'dev-only-secret-not-for-production', + secret: process.env.SESSION_SECRET, resave: false, saveUninitialized: false, name: 'oikos.sid',
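Review bot: The fail-closed guard in the new block still hinges on `NODE_ENV` being exactly `'production'`; with it unset, misspelled, or set to something like `staging`, the server now boots with a per-process random secret and only a `console.warn`, so every restart (and every replica in a multi-instance deployment) silently invalidates all sessions. Inverting the condition is safer, e.g. `const isDev = ['development', 'test'].includes(process.env.NODE_ENV);` followed by `if (!isDev) { throw new Error('[Auth] SESSION_SECRET muss in der .env gesetzt sein (Produktion).'); }`, so only an explicitly declared dev/test environment gets the ephemeral secret. Writing the generated value back into `process.env.SESSION_SECRET` also hands it to any child process and to anything that dumps the environment (crash reporters, debug endpoints); keeping it in a module-local `const sessionSecret` and passing that to `session({ secret: sessionSecret, ... })` avoids that without changing behaviour. Separately, a configured secret of any length is accepted in production — if short secrets are a concern, a minimum-length check next to the throw (e.g. `>= 32` characters) would be cheap to add; I have not verified how the secret is provisioned in deployment.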