fix(security): replace hardcoded session secret fallback with random generation

Instead of a static 'dev-only-secret-not-for-production' fallback,
generate a random one-time secret in development. Warns that sessions
won't survive restarts. Production guard unchanged.
Ulas
2026-04-03 21:59:41 +02:00
parent ae8fbdd465
commit 5b1e6915ac
+8 -3
@@ -90,13 +90,18 @@ const sessionStore = new BetterSQLiteStore();
* Session-Middleware konfigurieren.
* Wird in server/index.js eingebunden.
*/
if (process.env.NODE_ENV === 'production' && !process.env.SESSION_SECRET) {
throw new Error('[Auth] SESSION_SECRET muss in der .env gesetzt sein (Produktion).');
if (!process.env.SESSION_SECRET) {
if (process.env.NODE_ENV === 'production') {
throw new Error('[Auth] SESSION_SECRET muss in der .env gesetzt sein (Produktion).');
}
const { randomBytes } = require('node:crypto');
process.env.SESSION_SECRET = randomBytes(32).toString('hex');
console.warn('[Auth] SESSION_SECRET nicht gesetzt - zufaelliges Einmal-Secret generiert (Sessions ueberleben keinen Neustart).');
}
const sessionMiddleware = session({
store: sessionStore,
secret: process.env.SESSION_SECRET || 'dev-only-secret-not-for-production',
secret: process.env.SESSION_SECRET,
resave: false,
saveUninitialized: false,
name: 'oikos.sid',
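Review bot: The new `if (!process.env.SESSION_SECRET)` block only fails closed when NODE_ENV is exactly 'production', so a deployment where NODE_ENV is unset or set to something like 'staging' silently runs on the random one-time secret, and if several Node processes serve the same host each mints its own secret, so an `oikos.sid` cookie issued by one process is rejected by the others. Inverting the guard avoids masking that misconfiguration: `const isDev = ['development', 'test'].includes(process.env.NODE_ENV);` followed by `if (!isDev) { throw new Error('[Auth] SESSION_SECRET muss in der .env gesetzt sein.'); }` before the randomBytes fallback. Writing the generated value back into `process.env.SESSION_SECRET` also hands it to any child process spawned later and to anything that dumps the environment; keeping it in a local `const sessionSecret` and passing that as `secret:` is tighter, assuming nothing else in the file reads it from the environment (not visible here). The `session({ ... })` options object continues past the end of the hunk.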