
Fix: remove hardcoded session secret fallback#20

Merged
ralyodio merged 1 commit into profullstack:master from FuturMix:fix/hardcoded-session-secret
Jun 15, 2026

Conversation

@FuturMix

Contributor

Summary

Fixes #19

The session HMAC key in apps/web/lib/auth.ts falls back to 'dev-secret-change-me' when SESSION_SECRET env var is missing. This allows session forgery in production.

Changes

  • apps/web/lib/auth.ts: Replace ?? 'dev-secret-change-me' with a startup check that throws if the env var is missing

Test plan

  • With SESSION_SECRET set: app starts and auth works normally
  • Without SESSION_SECRET: app throws clear error at startup instead of silently using insecure key

🤖 Generated with Claude Code

SESSION_SECRET falls back to 'dev-secret-change-me' when the env var
is not set. This means a production deployment without the env var
uses a predictable HMAC key, allowing anyone to forge session cookies.

Replace the fallback with a startup check that throws if the env var
is missing.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
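The fallback and the fix described in this PR, as an added TypeScript example that is not the project's code from apps/web/lib/auth.ts: `sessionSecretBefore` reproduces the `?? 'dev-secret-change-me'` behaviour, `requireSessionSecret` is the fail-fast startup check, and a minimal HMAC cookie shows why the shared default allows forgery. The rejection of the placeholder literal and of short keys, the cookie format and all function names are assumptions beyond what the PR changes.

```typescript
import { createHmac, timingSafeEqual } from "node:crypto";

// The placeholder the original code fell back to (quoted from the PR).
export const INSECURE_FALLBACK = "dev-secret-change-me";

type Env = Record<string, string | undefined>;

// Before the fix: a missing env var silently yields a well-known key, so
// every deployment without SESSION_SECRET shares the same HMAC key.
export function sessionSecretBefore(env: Env): string {
  return env.SESSION_SECRET ?? INSECURE_FALLBACK;
}

// After the fix: refuse to start without a secret. Rejecting the placeholder
// literal and keys shorter than 32 bytes is extra hardening assumed here,
// not part of the PR's check.
export function requireSessionSecret(env: Env): string {
  const secret = env.SESSION_SECRET;
  if (secret === undefined || secret.length === 0) {
    throw new Error("SESSION_SECRET is not set; refusing to start");
  }
  if (secret === INSECURE_FALLBACK || secret.length < 32) {
    throw new Error("SESSION_SECRET is a placeholder or too short");
  }
  return secret;
}

// Assumed cookie layout: base64url(payload).base64url(HMAC-SHA256(body)).
export function signSession(payload: string, secret: string): string {
  const body = Buffer.from(payload, "utf8").toString("base64url");
  const mac = createHmac("sha256", secret).update(body).digest("base64url");
  return `${body}.${mac}`;
}

// Returns the payload on a valid MAC, null otherwise (constant-time compare).
export function verifySession(cookie: string, secret: string): string | null {
  const parts = cookie.split(".");
  if (parts.length !== 2) return null;
  const [body, mac] = parts;
  const expected = createHmac("sha256", secret).update(body).digest("base64url");
  const a = Buffer.from(mac);
  const b = Buffer.from(expected);
  if (a.length !== b.length || !timingSafeEqual(a, b)) return null;
  return Buffer.from(body, "base64url").toString("utf8");
}
```

With the fallback in place, a cookie minted by anyone using the public default verifies against a server that never set SESSION_SECRET; with the startup check that server does not come up at all.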
@ralyodio ralyodio merged commit d446c94 into profullstack:master Jun 15, 2026
5 checks passed


Development

Successfully merging this pull request may close these issues.

Bug: Hardcoded session secret fallback allows session forgery

2 participants