Read session secret from environment variable (#190)

temporalio · Nov 11, 2020 · 266b7a1 · 266b7a1
1 parent 263c686
commit 266b7a1
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 10 deletions.
diff --git a/README.md b/README.md
@@ -12,14 +12,15 @@ This web UI is used to view workflows from [Temporalio][temporal], see what's ru
 
 Set these environment variables if you need to change their defaults
 
-| Variable                      | Description                                                       | Default        |
-| ----------------------------- | ----------------------------------------------------------------- | -------------- |
-| TEMPORAL_GRPC_ENDPOINT        | String representing server gRPC endpoint                          | 127.0.0.1:7233 |
-| TEMPORAL_WEB_PORT             | HTTP port to serve on                                             | 8088           |
-| TEMPORAL_PERMIT_WRITE_API     | Boolean to permit write API methods such as Terminating Workflows | true           |
-| TEMPORAL_HOT_RELOAD_PORT      | HTTP port used by hot reloading in development                    | 8081           |
-| TEMPORAL_HOT_RELOAD_TEST_PORT | HTTP port used by hot reloading in tests                          | 8082           |
-| TEMPORAL_EXTERNAL_SCRIPTS     | Addtional JavaScript tags to serve in the UI                      |                |
+| Variable                      | Description                                                       | Default                     |
+| ----------------------------- | ----------------------------------------------------------------- | --------------------------- |
+| TEMPORAL_GRPC_ENDPOINT        | String representing server gRPC endpoint                          | 127.0.0.1:7233              |
+| TEMPORAL_WEB_PORT             | HTTP port to serve on                                             | 8088                        |
+| TEMPORAL_PERMIT_WRITE_API     | Boolean to permit write API methods such as Terminating Workflows | true                        |
+| TEMPORAL_HOT_RELOAD_PORT      | HTTP port used by hot reloading in development                    | 8081                        |
+| TEMPORAL_HOT_RELOAD_TEST_PORT | HTTP port used by hot reloading in tests                          | 8082                        |
+| TEMPORAL_SESSION_SECRET       | Secret used to hash the session with HMAC                         | "ensure secret in production" |
+| TEMPORAL_EXTERNAL_SCRIPTS     | Addtional JavaScript tags to serve in the UI                      |                             |
 
 ### Configuring Authentication (optional)
 
@@ -66,7 +67,6 @@ Common Oauth Providers and their docs:
 
 If you are hosting Temporal Web at `http://localhost:8088`, then you will need to tell your Oauth provider to redirect to `http://localhost:8088/auth/callback`. This is configured by `callback_base_uri` in the settings.
 
-
 ### Running locally
 
 `temporal-web` uses all the standard [npm scripts](https://docs.npmjs.com/misc/scripts) to install dependencies, run the server, and run tests. Additionally to run locally with webpack hot reloading and other conveniences, use

diff --git a/server/index.js b/server/index.js
@@ -28,7 +28,10 @@ app.init = function(options) {
   const hotReloadTestPort =
     Number(process.env.TEMPORAL_HOT_RELOAD_TEST_PORT) || 8082;
 
-  app.keys = ['some secret hurr']; // todo change this
+  const secret =
+    process.env.TEMPORAL_SESSION_SECRET ?? 'ensure secret in production';
+  app.keys = [secret];
+
   app
     .use(async (ctx, next) => {
       try {