From 1f71ad2f141ca6064c14c31b8d5bfcf4d6f700e1 Mon Sep 17 00:00:00 2001
From: melvmath
Date: Thu, 19 Feb 2026 20:06:54 -0600
Subject: [PATCH] Default session secret to random value

Use Node's built-in crypto to generate a 32-byte hex secret when no session secret is provided. This ensures express-session always gets a non-empty secret (avoiding errors or insecure defaults) while preserving any explicitly supplied secret.
---
 src/main/api/server-config.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/main/api/server-config.js b/src/main/api/server-config.js
index 907f792..6ba3470 100644
--- a/src/main/api/server-config.js
+++ b/src/main/api/server-config.js
@@ -18,7 +18,7 @@ module.exports = (auth, config, secret) => {
 app.use(expressSession({
 resave: false,
 saveUninitialized: true,
- secret,
+ secret: secret || require('node:crypto').randomBytes(32).toString('hex'),
 }));
 app.use(auth.initialize());
 app.use(auth.session());
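Review bot: The fallback on the new `secret:` line silently replaces a missing session secret with a value generated once per process, so a misconfigured deployment no longer fails visibly. Every restart would invalidate existing session cookies, and if the server ever runs as more than one process, each would sign with a different key (whether it does is not visible from this hunk). I would make the fallback observable by computing it before the `expressSession` call, `const sessionSecret = secret || crypto.randomBytes(32).toString('hex');`, then `if (!secret) console.warn('No session secret configured; using an ephemeral per-process secret');`, with `const crypto = require('node:crypto');` hoisted to the top of the file instead of the inline `require`. The `module.exports` function starts and ends outside the hunk, so whether the project has its own logger to use instead of `console.warn` cannot be confirmed here.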