fix: remove hardcoded session secret fallback (#20)

FuturMix · claude · web-flow · commit d446c942b8be · 2026-06-15T08:15:07.000-07:00
SESSION_SECRET falls back to 'dev-secret-change-me' when the env var
is not set. This means a production deployment without the env var
uses a predictable HMAC key, allowing anyone to forge session cookies.

Replace the fallback with a startup check that throws if the env var
is missing.

Co-authored-by: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/apps/web/lib/auth.ts b/apps/web/lib/auth.ts
@@ -2,7 +2,10 @@ import 'server-only';
 import { cookies } from 'next/headers';
 
 const COOKIE = 'cp_session';
-const SESSION_SECRET = process.env.SESSION_SECRET ?? 'dev-secret-change-me';
+const SESSION_SECRET = process.env.SESSION_SECRET;
+if (!SESSION_SECRET) {
+  throw new Error('SESSION_SECRET environment variable is required');
+}
 const enc = new TextEncoder();
 
 async function hmac(data: string): Promise<string> {
