Merge pull request #152 from OpenBankProject/revert_session_secret

revert session secret
2026-02-06 02:36:46 +00:00 · 2026-01-31 10:06:25 +01:00 · 2026-01-31 10:06:25 +01:00 · f3f0bf2b90
commit f3f0bf2b90
parent a1f6bede09 efec0fda9f
1 changed files with 1 additions and 11 deletions
--- a/server/app.ts
+++ b/server/app.ts
@ -118,20 +118,10 @@ console.info(
  `Session maxAge configured: ${sessionMaxAgeSeconds} seconds (${sessionMaxAgeSeconds / 60} minutes)`
 )
 app.use(express.json())
-// Session secret - MUST be set in production
-const sessionSecret =
-  process.env.VITE_OBP_SERVER_SESSION_PASSWORD || 'dev-secret-change-in-production'
-if (!process.env.VITE_OBP_SERVER_SESSION_PASSWORD) {
-  console.warn(
-    'WARNING: VITE_OBP_SERVER_SESSION_PASSWORD is not set. Using default secret for development only.'
-  )
-  console.warn('WARNING: Set VITE_OBP_SERVER_SESSION_PASSWORD in your .env file for production!')
-}
-
 let sessionObject = {
  store: redisStore,
  name: 'obp-api-explorer-ii.sid', // CRITICAL: Unique cookie name to prevent conflicts with other apps on localhost
-  secret: sessionSecret,
+  secret: process.env.VITE_OBP_SERVER_SESSION_PASSWORD,
  resave: false,
  saveUninitialized: false, // Don't save empty sessions (better for authenticated apps)
  cookie: {