🧂 chore: Require an Operator-Supplied Admin Panel Session Secret (#13902)

* fix: require admin panel session secret

* 🩹 fix: Plain-Expand Admin SESSION_SECRET So Compose Maintenance Commands Run

The `${VAR:?}` required form fails interpolation for every deploy-compose
subcommand (down/pull/config), breaking `npm run update:deployed` for installs
whose .env predates ADMIN_PANEL_SESSION_SECRET. Plain expansion keeps those
commands working; the admin-panel image fail-fasts on an empty secret, so the
panel still refuses to start without it.
This commit is contained in:
Danny Avila 2026-06-23 08:43:54 -04:00 committed by GitHub
parent 77854decdf
commit cb2bafb457
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 9 additions and 5 deletions

View file

@ -40,10 +40,10 @@ DOMAIN_SERVER=http://localhost:3080
ADMIN_PANEL_URL=
# Session encryption key for the bundled admin panel (min 32 characters).
# The admin panel ships enabled in docker-compose/deploy-compose; the value
# below is a development default. Generate a unique one for production:
# Required when using the bundled admin panel in docker-compose/deploy-compose.
# Generate a unique value before starting the stack:
# openssl rand -hex 32
ADMIN_PANEL_SESSION_SECRET=0f7114d0b0b192b59fde7e3b730949b27d49a8717fa32ad3167d94c7684fede3
ADMIN_PANEL_SESSION_SECRET=
# Host port for the bundled admin panel (default docker-compose only).
# In deploy-compose the panel is served at http://admin.localhost via nginx.

View file

@ -48,7 +48,9 @@ services:
restart: always
environment:
- PORT=3000
- SESSION_SECRET=${ADMIN_PANEL_SESSION_SECRET:-${CREDS_KEY}}
# Plain expansion (not :?) so `docker compose down`/`pull` still run when this is unset.
# The panel itself refuses to start without it; set ADMIN_PANEL_SESSION_SECRET in .env.
- SESSION_SECRET=${ADMIN_PANEL_SESSION_SECRET}
- API_SERVER_URL=http://api:3080
- VITE_API_BASE_URL=${DOMAIN_CLIENT:-http://localhost}
- SESSION_COOKIE_SECURE=${ADMIN_PANEL_SESSION_COOKIE_SECURE:-false}

View file

@ -45,7 +45,9 @@ services:
restart: always
environment:
- PORT=3000
- SESSION_SECRET=${ADMIN_PANEL_SESSION_SECRET:-${CREDS_KEY}}
# Plain expansion (not :?) so `docker compose down`/`pull` still run when this is unset.
# The panel itself refuses to start without it; set ADMIN_PANEL_SESSION_SECRET in .env.
- SESSION_SECRET=${ADMIN_PANEL_SESSION_SECRET}
- API_SERVER_URL=http://api:${PORT:-3080}
- VITE_API_BASE_URL=${DOMAIN_CLIENT:-http://localhost:3080}
- SESSION_COOKIE_SECURE=${ADMIN_PANEL_SESSION_COOKIE_SECURE:-false}