fix(security): replace hardcoded session secret fallback with random generation
Instead of a static 'dev-only-secret-not-for-production' fallback, generate a random one-time secret in development. Warns that sessions won't survive restarts. Production guard unchanged.
+7
-2
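--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -90,13 +90,18 @@ const sessionStore = new BetterSQLiteStore();
 * Session-Middleware konfigurieren.
 * Wird in server/index.js eingebunden.
 */
-if (process.env.NODE_ENV === 'production' && !process.env.SESSION_SECRET) {
+if (!process.env.SESSION_SECRET) {
+if (process.env.NODE_ENV === 'production') {
 throw new Error('[Auth] SESSION_SECRET muss in der .env gesetzt sein (Produktion).');
+}
+const { randomBytes } = require('node:crypto');
+process.env.SESSION_SECRET = randomBytes(32).toString('hex');
+console.warn('[Auth] SESSION_SECRET nicht gesetzt - zufaelliges Einmal-Secret generiert (Sessions ueberleben keinen Neustart).');
 }
 
 const sessionMiddleware = session({
 store: sessionStore,
-secret: process.env.SESSION_SECRET || 'dev-only-secret-not-for-production',
+secret: process.env.SESSION_SECRET,
 resave: false,
 saveUninitialized: false,
 name: 'oikos.sid',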
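Review bot: The production guard in the new `if (!process.env.SESSION_SECRET)` block still only checks that a secret is present, so a one-character or placeholder value in `.env` passes and ends up as `secret:` for `session()`; a minimum-length check after the block would close that gap, e.g. `if (process.env.NODE_ENV === 'production' && process.env.SESSION_SECRET.length < 32) {` / `  throw new Error('[Auth] SESSION_SECRET ist zu kurz (mindestens 32 Zeichen).');` / `}`. The generated one-time secret is per process, so if this server is ever run under cluster or with several instances behind one store, each process would sign cookies with a different secret and sessions would not be shared (inferred; the page does not show how the server is started). The `require('node:crypto')` inside the block would more conventionally sit with the file's other imports at the top. Note that the check runs at module load, so it relies on the environment (dotenv or similar) already being loaded by whatever imports this file. The JSDoc comment whose closing `*/` appears here opens outside the hunk.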