From ae17c915626e3c36c7e77a85ada1fd3e7b975f83 Mon Sep 17 00:00:00 2001
From: FuturMix
Date: Sun, 14 Jun 2026 12:04:58 +0800
Subject: [PATCH] fix: remove hardcoded session secret fallback
SESSION_SECRET falls back to 'dev-secret-change-me' when the env var is not set. This means a production deployment without the env var uses a predictable HMAC key, allowing anyone to forge session cookies. Replace the fallback with a startup check that throws if the env var is missing.
Co-Authored-By: Claude Opus 4.6
---
 apps/web/lib/auth.ts | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/apps/web/lib/auth.ts b/apps/web/lib/auth.ts
index 982cb50..871a21e 100644
--- a/apps/web/lib/auth.ts
+++ b/apps/web/lib/auth.ts
@@ -2,7 +2,10 @@ import 'server-only';
 import { cookies } from 'next/headers';
 const COOKIE = 'cp_session';
-const SESSION_SECRET = process.env.SESSION_SECRET ?? 'dev-secret-change-me';
+const SESSION_SECRET = process.env.SESSION_SECRET;
+if (!SESSION_SECRET) {
+ throw new Error('SESSION_SECRET environment variable is required');
+}
 const enc = new TextEncoder();
 async function hmac(data: string): Promise {
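Review bot: The new guard `if (!SESSION_SECRET)` rejects only a missing or empty value, so a deployment whose env file still carries the old default string, or a very short secret, starts up with a guessable HMAC key. Consider tightening it to something like `if (!SESSION_SECRET || SESSION_SECRET.length < 32 || SESSION_SECRET === 'dev-secret-change-me') {` and saying in the error message that a long random value is expected. Any environment that ran on the fallback should set a fresh secret, since cookies signed under the known key stay forgeable until the key changes. The throw also runs at module scope, so it presumably fires wherever this module is evaluated without the variable (possibly at build time); a comment saying so above the check would help. The body of `hmac`, where the key is used, lies outside this hunk.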