Web Installer generates LFS_JWT_SECRET ignoring existing LFS_JWT_SECRET_URI, causing startup crash #36001

@Ventriix

Description

When installing Gitea (Docker) with LFS_JWT_SECRET_URI configured via environment variables, the Web Installer ignores the existing URI setting. It generates a new LFS_JWT_SECRET and writes it to app.ini.

On the next restart, Gitea crashes due to the conflicting configuration.

Error Log

gitea  | 2025/11/22 02:13:57 modules/setting/security.go:52:loadSecret() [F] Cannot specify both LFS_JWT_SECRET_URI and LFS_JWT_SECRET
gitea  | Received signal 15; terminating.

Cause

In routers/install/install.go, unlike the oauth2 or security sections, the LFS block blindly generates a new secret without checking if one is already configured.

// routers/install/install.go
if form.LFSRootPath != "" {
    // ...
    // BUG: Missing check for LFS_JWT_SECRET_URI
    if _, lfsJwtSecret, err = generate.NewJwtSecretWithBase64(); err != nil {
         // ...
    }
    cfg.Section("server").Key("LFS_JWT_SECRET").SetValue(lfsJwtSecret)
}

I would be willing to open a PR to fix this if needed.

Gitea Version

1.25.1

Can you reproduce the bug on the Gitea demo site?

No

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

Debian Trixie

How are you running Gitea?

Docker

Database

PostgreSQL
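
The guard the report says is missing, as an added sketch that is not Gitea's code or the eventual fix: generate a secret only when neither `LFS_JWT_SECRET` nor `LFS_JWT_SECRET_URI` is already configured, and refuse when both are. The `Server` map, `EnsureLFSSecret`, `newJWTSecret`, the 32-byte base64url secret format and the sample URI value are assumptions made for illustration.

```go
package main

import (
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
)

// Server is a hypothetical stand-in for the [server] section of app.ini
// after environment overrides have been merged in.
type Server map[string]string

// ErrBothSet mirrors the fatal startup message quoted in the issue.
var ErrBothSet = errors.New("cannot specify both LFS_JWT_SECRET_URI and LFS_JWT_SECRET")

// newJWTSecret returns 32 random bytes, base64url-encoded (assumed format).
func newJWTSecret() (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	return base64.RawURLEncoding.EncodeToString(b), nil
}

// EnsureLFSSecret writes a fresh LFS_JWT_SECRET only when no secret source
// exists yet. It reports whether a secret was generated.
func EnsureLFSSecret(s Server) (bool, error) {
	secret, uri := s["LFS_JWT_SECRET"], s["LFS_JWT_SECRET_URI"]
	switch {
	case secret != "" && uri != "":
		return false, ErrBothSet // already conflicting: do not overwrite either
	case secret != "" || uri != "":
		return false, nil // operator supplied a secret source: leave it alone
	}
	v, err := newJWTSecret()
	if err != nil {
		return false, err
	}
	s["LFS_JWT_SECRET"] = v
	return true, nil
}

func main() {
	// Constructed sample: URI preconfigured, as in the reported Docker setup.
	s := Server{"LFS_JWT_SECRET_URI": "file:/run/secrets/lfs_jwt"}
	generated, err := EnsureLFSSecret(s)
	fmt.Println(generated, err, s["LFS_JWT_SECRET"] == "")
}
```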
