Merge pull request #780 from SISheogorath/fix/sessionSecret

Automatically generate a session secret if default is used

Author: SISheogorath

lib/config/default.js

@@ -46,6 +46,7 @@ module.exports = {
   // session
   sessionName: 'connect.sid',
   sessionSecret: 'secret',
+  sessionSecretLen: 128,
   sessionLife: 14 * 24 * 60 * 60 * 1000, // 14 days
   staticCacheTime: 1 * 24 * 60 * 60 * 1000, // 1 day
   // socket.io

lib/config/index.js

@@ -1,6 +1,7 @@
 
 'use strict'
 
+const crypto = require('crypto')
 const fs = require('fs')
 const path = require('path')
 const {merge} = require('lodash')
@@ -117,6 +118,14 @@ for (let i = keys.length; i--;) {
   }
 }
 
+// Generate session secret if it stays on default values
+if (config.sessionSecret === 'secret') {
+  logger.warn('Session secret not set. Using random generated one. Please set `sessionSecret` in your config.js file. All users will be logged out.')
+  config.sessionSecret = crypto.randomBytes(Math.ceil(config.sessionSecretLen / 2)) // generate crypto graphic random number
+        .toString('hex')                                                            // convert to hexadecimal format
+        .slice(0, config.sessionSecretLen)                                           // return required number of characters
+}
+
 // Validate upload upload providers
 if (['filesystem', 's3', 'minio', 'imgur'].indexOf(config.imageUploadType) === -1) {
   logger.error('"imageuploadtype" is not correctly set. Please use "filesystem", "s3", "minio" or "imgur". Defaulting to "imgur"')