openclaw/oikos
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

fix(auth): remove SESSION_SECRET fallback - always throw if unset

Browse Source 
App refuses to start without SESSION_SECRET regardless of NODE_ENV.
Removes risk of accidental insecure deployment when NODE_ENV is not
explicitly set to production.
This commit is contained in:
Ulas
2026-04-04 01:16:59 +02:00
parent c1176de661
commit 9a68fb7b0c
1 changed files with 1 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
server/auth.js
+1 -6
View File
@@ -8,7 +8,6 @@ import express from 'express';
import bcrypt from 'bcrypt'; import bcrypt from 'bcrypt';
import session from 'express-session'; import session from 'express-session';
import rateLimit from 'express-rate-limit'; import rateLimit from 'express-rate-limit';
import { randomBytes } from 'node:crypto';
import * as db from './db.js'; import * as db from './db.js';
import { generateToken, csrfMiddleware } from './middleware/csrf.js'; import { generateToken, csrfMiddleware } from './middleware/csrf.js';
import { createLogger } from './logger.js'; import { createLogger } from './logger.js';
@@ -92,11 +91,7 @@ const sessionStore = new BetterSQLiteStore();
* Wird in server/index.js eingebunden. * Wird in server/index.js eingebunden.
*/ */
if (!process.env.SESSION_SECRET) { if (!process.env.SESSION_SECRET) {
if (process.env.NODE_ENV === 'production') { throw new Error('[Auth] SESSION_SECRET must be set in .env. Run: node setup.js');
throw new Error('[Auth] SESSION_SECRET must be set in .env (production).');
}
process.env.SESSION_SECRET = randomBytes(32).toString('hex');
log.warn('SESSION_SECRET not set - generated ephemeral random secret (sessions will not survive restarts).');
} }
const sessionMiddleware = session({ const sessionMiddleware = session({