chore: improve qol when missing a sessionCookieSecret #895
i'm a little worried about this change creating too much noise for people who don't use cookies. we need to provide a way to silence the error or be more deterministic about whether cookies are even used before issuing the warning. it's currently provided in root by default because i couldn't figure out a better way to have root-cms inject it while making it available for use across other plugins.

ah i didn't realize it wasn't part of root-cms - just root. i removed the warning. now the only change the PR is introducing is using a deterministic session cookie in dev mode only. thoughts?
packages/root/src/utils/rand.ts
Outdated
| * This ensures the same secret is generated for the same seed across dev server restarts, | ||
| * while still allowing different projects to have unique secrets. | ||
| */ | ||
| export function deterministicSessionSecret(seed: string): string { |
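Review bot: The JSDoc above `deterministicSessionSecret(seed: string)` says the same seed yields the same secret across restarts, but it does not state the consequence: anyone who knows the seed can recompute the value, so the result is not secret in the cryptographic sense. Suggest adding a line to the comment saying the function is for local development only and must never back production sessions, and consider a name that carries that restriction so a later caller does not pick it up by mistake.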
remove export here since this is an internal implementation function
packages/root/src/utils/rand.ts
Outdated
| * Priority order: | ||
| * 1. Explicit config value (rootConfig.server.sessionCookieSecret) | ||
| * 2. Development mode: deterministic secret based on rootDir (sessions persist across restarts) | ||
| * 3. Production mode: random secret with security warning |
| return rootConfig.server.sessionCookieSecret; | ||
| } | ||
|
|
||
| if (process.env.NODE_ENV === 'development') { |
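Review bot: The `process.env.NODE_ENV === 'development'` check is the only thing separating a secret derived from `rootDir` from a random one, and `rootDir` is often guessable on a shared or containerized host. A deployment started with `NODE_ENV=development` by mistake would sign session cookies with a value an outsider could recompute, so suggest logging a one-line notice whenever this branch is taken, so the choice is visible in startup output. The priority list also labels case 3 "Production mode" while the check is an exact match on `'development'`; if every other value (unset, `test`, `staging`) falls through to the random secret, the comment should say "otherwise" rather than "Production mode".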
nit: can you include a short jscomment explaining this line

updated all
This is a small PR that improves the QOL for local dev when no sessionCookieSecret is specified, and adds a clear log with a warning if the project is deployed to prod without a session cookie secret (to maintain backwards compatibility with the previous behavior).