From efec0fda9f9871a36daa61d4dfeb5286cae79300 Mon Sep 17 00:00:00 2001
From: karmaking
Date: Sat, 31 Jan 2026 10:06:01 +0100
Subject: [PATCH] revert session secret
---
 server/app.ts | 12 +-----------
 1 file changed, 1 insertion(+), 11 deletions(-)
diff --git a/server/app.ts b/server/app.ts
index b4f2aa5..9bbdb8c 100644
--- a/server/app.ts
+++ b/server/app.ts
@@ -118,20 +118,10 @@ console.info(
 `Session maxAge configured: ${sessionMaxAgeSeconds} seconds (${sessionMaxAgeSeconds / 60} minutes)`
 )
 app.use(express.json())
-// Session secret - MUST be set in production
-const sessionSecret =
- process.env.VITE_OBP_SERVER_SESSION_PASSWORD || 'dev-secret-change-in-production'
-if (!process.env.VITE_OBP_SERVER_SESSION_PASSWORD) {
- console.warn(
- 'WARNING: VITE_OBP_SERVER_SESSION_PASSWORD is not set. Using default secret for development only.'
- )
- console.warn('WARNING: Set VITE_OBP_SERVER_SESSION_PASSWORD in your .env file for production!')
-}
-
 let sessionObject = {
 store: redisStore,
 name: 'obp-api-explorer-ii.sid', // CRITICAL: Unique cookie name to prevent conflicts with other apps on localhost
- secret: sessionSecret,
+ secret: process.env.VITE_OBP_SERVER_SESSION_PASSWORD,
 resave: false,
 saveUninitialized: false, // Don't save empty sessions (better for authenticated apps)
 cookie: {
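Review bot: With the fallback and the startup check both removed, `secret: process.env.VITE_OBP_SERVER_SESSION_PASSWORD` is `undefined` whenever the variable is unset, and nothing in this hunk reports that. Dropping the hard-coded `'dev-secret-change-in-production'` default is sound, since a publicly known signing secret offers no protection for session cookies, but the unset case should stop the server at startup: `const sessionSecret = process.env.VITE_OBP_SERVER_SESSION_PASSWORD`, `if (!sessionSecret) throw new Error('VITE_OBP_SERVER_SESSION_PASSWORD must be set')`, then `secret: sessionSecret,`. If this object is handed to express-session, a missing secret is presumably only rejected once the first request arrives, which is a late and confusing place to find a deployment mistake. The `VITE_` prefix also deserves a second look, because Vite exposes variables with that prefix to client code through `import.meta.env`; a server-only name would be safer for a signing secret. The `sessionObject` literal continues past the end of the hunk, so the cookie options were not reviewed.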