Merge pull request #3317 from huridocs/session_secret_env_var

session secret as an env var on production
huridocs · Nov 12, 2020 · 4acd5f5 · 4acd5f5
2 parents 45e9252 + 56a20bb
commit 4acd5f5
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 3 deletions.
diff --git a/app/api/auth/routes.js b/app/api/auth/routes.js
@@ -3,7 +3,6 @@ import cookieParser from 'cookie-parser';
 import mongoConnect from 'connect-mongo';
 import passport from 'passport';
 import session from 'express-session';
-import uniqueID from 'shared/uniqueID';
 import svgCaptcha from 'svg-captcha';
 import settings from 'api/settings';
 import urljoin from 'url-join';
@@ -21,7 +20,7 @@ export default app => {
 
   app.use(
     session({
-      secret: app.get('env') === 'production' ? uniqueID() : 'harvey&lola',
+      secret: app.get('env') === 'production' ? config.userSessionSecret : 'harvey&lola',
       store: new MongoStore({
         mongooseConnection: DB.connectionForDB(config.SHARED_DB),
       }),

diff --git a/app/api/config.ts b/app/api/config.ts
@@ -1,6 +1,13 @@
+import uniqueID from 'shared/uniqueID';
 import { Tenant } from './tenants/tenantContext';
 
-const { ROOT_PATH, UPLOADS_FOLDER, CUSTOM_UPLOADS_FOLDER, TEMPORAL_FILES_FOLDER } = process.env;
+const {
+  ROOT_PATH,
+  UPLOADS_FOLDER,
+  CUSTOM_UPLOADS_FOLDER,
+  TEMPORAL_FILES_FOLDER,
+  USER_SESSION_SECRET,
+} = process.env;
 
 const rootPath = ROOT_PATH || `${__dirname}/../../`;
 
@@ -17,6 +24,8 @@ export const config = {
 
   publicAssets: `${rootPath}/public/`,
 
+  userSessionSecret: USER_SESSION_SECRET || uniqueID(),
+
   // db for tenants list and sessions
   SHARED_DB: 'uwazi_shared_db',