Fix: remove hardcoded session secret fallback#20
Merged
ralyodio merged 1 commit intoJun 15, 2026
Conversation
SESSION_SECRET falls back to 'dev-secret-change-me' when the env var is not set. This means a production deployment without the env var uses a predictable HMAC key, allowing anyone to forge session cookies. Replace the fallback with a startup check that throws if the env var is missing. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
ralyodio
added a commit
that referenced
this pull request
Jun 16, 2026
PR #20 removed the insecure SESSION_SECRET fallback by throwing at module import when the env var is unset. But `next build` imports API route modules during "Collecting page data", so the top-level throw broke every deploy after #20 (build failed at /api/auth/me with "SESSION_SECRET environment variable is required"). Move the check into a lazy getSessionSecret() called from hmac() at request time. This preserves #20's security intent (no fallback, requests fail if unset) while letting the build import route modules cleanly. Verified: `next build` now succeeds with SESSION_SECRET unset. Co-authored-by: Claude Opus 4.8 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Fixes #19
The session HMAC key in
apps/web/lib/auth.tsfalls back to'dev-secret-change-me'whenSESSION_SECRETenv var is missing. This allows session forgery in production.Changes
apps/web/lib/auth.ts: Replace?? 'dev-secret-change-me'with a startup check that throws if the env var is missingTest plan
SESSION_SECRETset: app starts and auth works normallySESSION_SECRET: app throws clear error at startup instead of silently using insecure key🤖 Generated with Claude Code