Merge pull request #18283 from overleaf/bg-session-secret-use-session-secret-in-web

replace SECURITY_SESSION_SECRET with SESSION_SECRET in web GitOrigin-RevId: f6ff5f13cf04e1b59fe44a394a0888af55ae140f
2024-11-21 20:47:08 -05:00 · 2024-05-13 13:34:41 +01:00 · 2024-05-13 13:34:41 +01:00 · 41cb0859db
commit 41cb0859db
parent c7f9a80622
2 changed files with 5 additions and 1 deletions
--- a/services/web/app/src/infrastructure/Server.js
+++ b/services/web/app/src/infrastructure/Server.js
@ -154,6 +154,10 @@ if (Settings.useHttpPermissionsPolicy) {

 RedirectManager.apply(webRouter)

+if (!Settings.security.sessionSecret) {
+  throw new Error('Session secret is not set - refusing to start server')
+}
+
 webRouter.use(cookieParser(Settings.security.sessionSecret))
 SessionAutostartMiddleware.applyInitialMiddleware(webRouter)
 Modules.registerMiddleware(webRouter, 'sessionMiddleware', {
--- a/services/web/config/settings.defaults.js
+++ b/services/web/config/settings.defaults.js
@ -43,7 +43,7 @@ if (httpAuthUser && httpAuthPass) {
  httpAuthUsers[httpAuthUser] = httpAuthPass
 }

-const sessionSecret = process.env.SESSION_SECRET || 'secret-please-change'
+const sessionSecret = process.env.SESSION_SECRET

 const intFromEnv = function (name, defaultValue) {
  if (