From 9a68fb7b0c2b1f64a429f9a2e3e6b33573a4033a Mon Sep 17 00:00:00 2001
From: Ulas <ulas@kalayci.cloud>
Date: Sat, 4 Apr 2026 01:16:59 +0200
Subject: [PATCH] fix(auth): remove SESSION_SECRET fallback - always throw if
 unset

App refuses to start without SESSION_SECRET regardless of NODE_ENV.
Removes risk of accidental insecure deployment when NODE_ENV is not
explicitly set to production.
---
 server/auth.js | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/server/auth.js b/server/auth.js
index e2edbe7..4a230d4 100644
--- a/server/auth.js
+++ b/server/auth.js
@@ -8,7 +8,6 @@ import express from 'express';
 import bcrypt from 'bcrypt';
 import session from 'express-session';
 import rateLimit from 'express-rate-limit';
-import { randomBytes } from 'node:crypto';
 import * as db from './db.js';
 import { generateToken, csrfMiddleware } from './middleware/csrf.js';
 import { createLogger } from './logger.js';
@@ -92,11 +91,7 @@ const sessionStore = new BetterSQLiteStore();
  * Wird in server/index.js eingebunden.
  */
 if (!process.env.SESSION_SECRET) {
-  if (process.env.NODE_ENV === 'production') {
-    throw new Error('[Auth] SESSION_SECRET must be set in .env (production).');
-  }
-  process.env.SESSION_SECRET = randomBytes(32).toString('hex');
-  log.warn('SESSION_SECRET not set - generated ephemeral random secret (sessions will not survive restarts).');
+  throw new Error('[Auth] SESSION_SECRET must be set in .env. Run: node setup.js');
 }
 
 const sessionMiddleware = session({