From b0d8d5c20de6c127bd64a5e0c5701869ee1ebcfb Mon Sep 17 00:00:00 2001
From: Cogent Apps
Date: Fri, 17 Mar 2023 18:27:13 +0000
Subject: [PATCH] use secure default session secret

---
 server/src/auth0.ts | 5 ++++-
 server/src/passport.ts | 4 +++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/server/src/auth0.ts b/server/src/auth0.ts
index 58acd19..87d48b0 100644
--- a/server/src/auth0.ts
+++ b/server/src/auth0.ts
@@ -1,10 +1,13 @@
+import crypto from 'crypto';
 import { auth, ConfigParams } from 'express-openid-connect';
 import ChatServer from './index';
+const secret = process.env.AUTH_SECRET || crypto.randomBytes(32).toString('hex');
+
 const config: ConfigParams = {
 authRequired: false,
 auth0Logout: false,
- secret: process.env.AUTH_SECRET || 'keyboard cat',
+ secret,
 baseURL: process.env.PUBLIC_URL,
 clientID: process.env.AUTH0_CLIENT_ID,
 issuerBaseURL: process.env.AUTH0_ISSUER,
diff --git a/server/src/passport.ts b/server/src/passport.ts
index 0e6b9f9..83dec3e 100644
--- a/server/src/passport.ts
+++ b/server/src/passport.ts
@@ -5,6 +5,8 @@ import createSQLiteSessionStore from 'connect-sqlite3';
 import { Strategy as LocalStrategy } from 'passport-local';
 import ChatServer from './index';
+const secret = process.env.AUTH_SECRET || crypto.randomBytes(32).toString('hex');
+
 export function configurePassport(context: ChatServer) {
 const SQLiteStore = createSQLiteSessionStore(session);
 const sessionStore = new SQLiteStore({ db: 'sessions.db' });
@@ -42,7 +44,7 @@ export function configurePassport(context: ChatServer) {
 });
 context.app.use(session({
- secret: process.env.AUTH_SECRET || 'keyboard cat',
+ secret,
 resave: false,
 saveUninitialized: false,
 store: sessionStore as any,
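Review bot: The new `const secret = process.env.AUTH_SECRET || crypto.randomBytes(32).toString('hex');` in auth0.ts falls back silently, so a deployment that forgets AUTH_SECRET gets a fresh secret on every process start and every replica, which invalidates all express-openid-connect session cookies on restart and breaks any multi-instance setup without any error surfacing. The fallback is a clear improvement over the removed hard-coded 'keyboard cat', but the operator should be told it is in effect; for example `if (!process.env.AUTH_SECRET) console.warn('AUTH_SECRET is not set; using an ephemeral random secret, sessions will not survive a restart');` placed before the `const config` line, and consider failing fast when `process.env.NODE_ENV === 'production'`. Note also that `||` treats an explicitly empty AUTH_SECRET as unset, which is probably desirable here but worth a comment. Since passport.ts derives its own value independently, the two cookies are signed with unrelated keys whenever the env var is absent; if that is unintended, a single shared helper would keep them in sync.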
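Review bot: The added top-level `const secret = process.env.AUTH_SECRET || crypto.randomBytes(32).toString('hex');` in passport.ts references `crypto`, but unlike the auth0.ts change this hunk adds no `import crypto from 'crypto';`, and the diffstat (3 insertions in this file) confirms none was added elsewhere. Unless one of lines 1-4 of passport.ts, which are outside this hunk, already imports it, the module will throw a ReferenceError at load time whenever AUTH_SECRET is unset; the Node global `crypto` available in newer runtimes exposes only the WebCrypto API and has no `randomBytes`, so it would not rescue this either. The fix is the one line `import crypto from 'crypto';` next to the other imports. It would also be worth a comment that, because this secret is regenerated per process, rows persisted by the SQLite session store in `sessions.db` become unusable after a restart when the env var is missing, since their cookie signatures no longer verify.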