fix(session): use dedicated SESSION_SECRET instead of JWT secret

Sharing the JWT secret with express-session means a single leaked
secret compromises both auth mechanisms. SESSION_SECRET is now read
from its own env var, falling back to SECRET only if not set.
This commit is contained in:
2026-04-26 20:43:13 +02:00
parent f293d35455
commit beb8abb2bc
+1 -1
View File
@@ -21,7 +21,7 @@ function createApp() {
app.use(require('method-override')()); app.use(require('method-override')());
app.use(express.static(__dirname + '/../public')); app.use(express.static(__dirname + '/../public'));
app.use(session({ app.use(session({
secret: config.secret, secret: process.env.SESSION_SECRET || config.secret,
cookie: { maxAge: config.session_lifetime }, cookie: { maxAge: config.session_lifetime },
resave: false, resave: false,
saveUninitialized: false saveUninitialized: false