From 1af9d67525c92f0f635c15a2b49facc76b62b9d2 Mon Sep 17 00:00:00 2001
From: Matthew Knight
Date: Tue, 17 Feb 2026 16:03:05 -0800
Subject: [PATCH] Require minimum 32-byte SESSION_SECRET
Fixes #20
Co-Authored-By: Claude Opus 4.6
---
 internal/config/config.go | 4 ++--
 internal/config/config_test.go | 18 +++++++++---------
 2 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/internal/config/config.go b/internal/config/config.go
index e86b0a9..5602a91 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -77,8 +77,8 @@ func Load() (*Config, error) {
 if cfg.DatabaseURL == "" {
 return nil, fmt.Errorf("DATABASE_URL is required")
 }
- if cfg.SessionSecret == "" {
- return nil, fmt.Errorf("SESSION_SECRET is required")
+ if len(cfg.SessionSecret) < 32 {
+ return nil, fmt.Errorf("SESSION_SECRET must be at least 32 characters")
 }
 return cfg, nil
diff --git a/internal/config/config_test.go b/internal/config/config_test.go
index e59d1f8..e22ff99 100644
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -25,7 +25,7 @@ func clearConfigEnv(t *testing.T) {
 func TestLoad_MissingDatabaseURL(t *testing.T) {
 clearConfigEnv(t)
- t.Setenv("SESSION_SECRET", "secret-value")
+ t.Setenv("SESSION_SECRET", "test-session-secret-that-is-32ch")
 // DATABASE_URL is not set
 _, err := Load()
@@ -49,7 +49,7 @@ func TestLoad_MissingSessionSecret(t *testing.T) {
 t.Fatal("expected error when SESSION_SECRET is missing, got nil")
 }
- expected := "SESSION_SECRET is required"
+ expected := "SESSION_SECRET must be at least 32 characters"
 if err.Error() != expected {
 t.Errorf("expected error %q, got %q", expected, err.Error())
 }
@@ -58,7 +58,7 @@ func TestLoad_MissingSessionSecret(t *testing.T) {
 func TestLoad_Success(t *testing.T) {
 clearConfigEnv(t)
 t.Setenv("DATABASE_URL", "postgres://localhost/test")
- t.Setenv("SESSION_SECRET", "my-secret")
+ t.Setenv("SESSION_SECRET", "test-session-secret-that-is-32ch")
 cfg, err := Load()
 if err != nil {
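Review bot: In the `Load` hunk of internal/config/config.go, `len(cfg.SessionSecret) < 32` counts bytes, but the new error text says "characters" while the commit title says "32-byte". The two differ for multi-byte UTF-8 values, so the message would be clearer as `"SESSION_SECRET must be at least 32 bytes"`. The check is also only a length floor, not a measure of entropy: a 32-byte run of one repeated character passes, and if the value is hex- or base64-decoded before use (not visible in this hunk) the effective key is shorter than 32 bytes. I would lift the literal into a named constant and add a comment above the check such as `// Length floor only; generate the secret from a CSPRNG (at least 32 random bytes).` Load's body starts and ends outside the hunk.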
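Review bot: No test in the visible config_test.go hunks covers the reject side of the new length floor. TestLoad_MissingSessionSecret (hunk at -49) still covers only the unset variable, so a short but non-empty secret is never asserted to fail. A regression back to `== ""` would go unnoticed as far as these hunks show. A new case that sets a constructed 31-byte value, for example `t.Setenv("SESSION_SECRET", "test-session-secret-that-is-31c")`, and expects the same error would pin the boundary. The 32-byte fixture in TestLoad_Success already covers the accept side.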
@@ -68,15 +68,15 @@ func TestLoad_Success(t *testing.T) {
 if cfg.DatabaseURL != "postgres://localhost/test" {
 t.Errorf("expected DatabaseURL %q, got %q", "postgres://localhost/test", cfg.DatabaseURL)
 }
- if cfg.SessionSecret != "my-secret" {
- t.Errorf("expected SessionSecret %q, got %q", "my-secret", cfg.SessionSecret)
+ if cfg.SessionSecret != "test-session-secret-that-is-32ch" {
+ t.Errorf("expected SessionSecret %q, got %q", "test-session-secret-that-is-32ch", cfg.SessionSecret)
 }
 }
 func TestLoad_DefaultValues(t *testing.T) {
 clearConfigEnv(t)
 t.Setenv("DATABASE_URL", "postgres://localhost/test")
- t.Setenv("SESSION_SECRET", "my-secret")
+ t.Setenv("SESSION_SECRET", "test-session-secret-that-is-32ch")
 cfg, err := Load()
 if err != nil {
@@ -100,7 +100,7 @@ func TestLoad_DefaultValues(t *testing.T) {
 func TestLoad_OverrideDefaults(t *testing.T) {
 clearConfigEnv(t)
 t.Setenv("DATABASE_URL", "postgres://localhost/test")
- t.Setenv("SESSION_SECRET", "my-secret")
+ t.Setenv("SESSION_SECRET", "test-session-secret-that-is-32ch")
 t.Setenv("PUBLIC_ADDR", ":9090")
 t.Setenv("ADMIN_ADDR", ":9091")
 t.Setenv("BASE_URL", "https://example.com")
@@ -124,7 +124,7 @@ func TestLoad_OverrideDefaults(t *testing.T) {
 func TestLoad_TailscaleAllowedUsers(t *testing.T) {
 clearConfigEnv(t)
 t.Setenv("DATABASE_URL", "postgres://localhost/test")
- t.Setenv("SESSION_SECRET", "my-secret")
+ t.Setenv("SESSION_SECRET", "test-session-secret-that-is-32ch")
 t.Setenv("TAILSCALE_ALLOWED_USERS", "alice@example.com, bob@example.com , charlie@example.com")
 cfg, err := Load()
@@ -147,7 +147,7 @@ func TestLoad_TailscaleAllowedUsers(t *testing.T) {
 func TestLoad_EmptyTailscaleAllowedUsers(t *testing.T) {
 clearConfigEnv(t)
 t.Setenv("DATABASE_URL", "postgres://localhost/test")
- t.Setenv("SESSION_SECRET", "my-secret")
+ t.Setenv("SESSION_SECRET", "test-session-secret-that-is-32ch")
 // TAILSCALE_ALLOWED_USERS not set
 cfg, err := Load()