mattnite
/
forgejo-tickets
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request 'Require minimum 32-byte SESSION_SECRET' (#41) from fix/session-secret-validation into main 

Reviewed-on: https://git.ts.mattnite.net/mattnite/forgejo-tickets/pulls/41
This commit is contained in:
Matthew Knight 2026-02-18 00:11:21 +00:00
parent d33c138867 1af9d67525
commit f1b20edbe3
2 changed files with 11 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
internal/config/config.go
View File

@ -77,8 +77,8 @@ func Load() (*Config, error) {
if cfg.DatabaseURL == "" {
return nil, fmt.Errorf("DATABASE_URL is required")
}
if cfg.SessionSecret == "" {
return nil, fmt.Errorf("SESSION_SECRET is required")
if len(cfg.SessionSecret) < 32 {
return nil, fmt.Errorf("SESSION_SECRET must be at least 32 characters")
}
return cfg, nil

18
internal/config/config_test.go
View File

@ -25,7 +25,7 @@ func clearConfigEnv(t *testing.T) {
func TestLoad_MissingDatabaseURL(t *testing.T) {
clearConfigEnv(t)
t.Setenv("SESSION_SECRET", "secret-value")
t.Setenv("SESSION_SECRET", "test-session-secret-that-is-32ch")
// DATABASE_URL is not set
_, err := Load()
@ -49,7 +49,7 @@ func TestLoad_MissingSessionSecret(t *testing.T) {
t.Fatal("expected error when SESSION_SECRET is missing, got nil")
}
expected := "SESSION_SECRET is required"
expected := "SESSION_SECRET must be at least 32 characters"
if err.Error() != expected {
t.Errorf("expected error %q, got %q", expected, err.Error())
}
@ -58,7 +58,7 @@ func TestLoad_MissingSessionSecret(t *testing.T) {
func TestLoad_Success(t *testing.T) {
clearConfigEnv(t)
t.Setenv("DATABASE_URL", "postgres://localhost/test")
t.Setenv("SESSION_SECRET", "my-secret")
t.Setenv("SESSION_SECRET", "test-session-secret-that-is-32ch")
cfg, err := Load()
if err != nil {
@ -68,15 +68,15 @@ func TestLoad_Success(t *testing.T) {
if cfg.DatabaseURL != "postgres://localhost/test" {
t.Errorf("expected DatabaseURL %q, got %q", "postgres://localhost/test", cfg.DatabaseURL)
}
if cfg.SessionSecret != "my-secret" {
t.Errorf("expected SessionSecret %q, got %q", "my-secret", cfg.SessionSecret)
if cfg.SessionSecret != "test-session-secret-that-is-32ch" {
t.Errorf("expected SessionSecret %q, got %q", "test-session-secret-that-is-32ch", cfg.SessionSecret)
}
}
func TestLoad_DefaultValues(t *testing.T) {
clearConfigEnv(t)
t.Setenv("DATABASE_URL", "postgres://localhost/test")
t.Setenv("SESSION_SECRET", "my-secret")
t.Setenv("SESSION_SECRET", "test-session-secret-that-is-32ch")
cfg, err := Load()
if err != nil {
@ -100,7 +100,7 @@ func TestLoad_DefaultValues(t *testing.T) {
func TestLoad_OverrideDefaults(t *testing.T) {
clearConfigEnv(t)
t.Setenv("DATABASE_URL", "postgres://localhost/test")
t.Setenv("SESSION_SECRET", "my-secret")
t.Setenv("SESSION_SECRET", "test-session-secret-that-is-32ch")
t.Setenv("PUBLIC_ADDR", ":9090")
t.Setenv("ADMIN_ADDR", ":9091")
t.Setenv("BASE_URL", "https://example.com")
@ -124,7 +124,7 @@ func TestLoad_OverrideDefaults(t *testing.T) {
func TestLoad_TailscaleAllowedUsers(t *testing.T) {
clearConfigEnv(t)
t.Setenv("DATABASE_URL", "postgres://localhost/test")
t.Setenv("SESSION_SECRET", "my-secret")
t.Setenv("SESSION_SECRET", "test-session-secret-that-is-32ch")
t.Setenv("TAILSCALE_ALLOWED_USERS", "alice@example.com, bob@example.com , charlie@example.com")
cfg, err := Load()
@ -147,7 +147,7 @@ func TestLoad_TailscaleAllowedUsers(t *testing.T) {
func TestLoad_EmptyTailscaleAllowedUsers(t *testing.T) {
clearConfigEnv(t)
t.Setenv("DATABASE_URL", "postgres://localhost/test")
t.Setenv("SESSION_SECRET", "my-secret")
t.Setenv("SESSION_SECRET", "test-session-secret-that-is-32ch")
// TAILSCALE_ALLOWED_USERS not set
cfg, err := Load()