From beb8abb2bcfc0e54cdcc38a0c38faef8c52b267b Mon Sep 17 00:00:00 2001 From: Julien Gautier Date: Sun, 26 Apr 2026 20:43:13 +0200 Subject: [PATCH] fix(session): use dedicated SESSION_SECRET instead of JWT secret Sharing the JWT secret with express-session means a single leaked secret compromises both auth mechanisms. SESSION_SECRET is now read from its own env var, falling back to SECRET only if not set. --- src/createApp.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/createApp.js b/src/createApp.js index 68ad950..8a29655 100644 --- a/src/createApp.js +++ b/src/createApp.js @@ -21,7 +21,7 @@ function createApp() { app.use(require('method-override')()); app.use(express.static(__dirname + '/../public')); app.use(session({ - secret: config.secret, + secret: process.env.SESSION_SECRET || config.secret, cookie: { maxAge: config.session_lifetime }, resave: false, saveUninitialized: false