From cb2bafb457d09106c923aa3db0de6da3f0f11e4f Mon Sep 17 00:00:00 2001 From: Danny Avila Date: Tue, 23 Jun 2026 08:43:54 -0400 Subject: [PATCH] =?UTF-8?q?=F0=9F=A7=82=20chore:=20Require=20an=20Operator?= =?UTF-8?q?-Supplied=20Admin=20Panel=20Session=20Secret=20(#13902)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * fix: require admin panel session secret * 🩹 fix: Plain-Expand Admin SESSION_SECRET So Compose Maintenance Commands Run The `${VAR:?}` required form fails interpolation for every deploy-compose subcommand (down/pull/config), breaking `npm run update:deployed` for installs whose .env predates ADMIN_PANEL_SESSION_SECRET. Plain expansion keeps those commands working; the admin-panel image fail-fasts on an empty secret, so the panel still refuses to start without it. --- .env.example | 6 +++--- deploy-compose.yml | 4 +++- docker-compose.yml | 4 +++- 3 files changed, 9 insertions(+), 5 deletions(-) diff --git a/.env.example b/.env.example index 3622c660c7..0cd016b0d3 100644 --- a/.env.example +++ b/.env.example @@ -40,10 +40,10 @@ DOMAIN_SERVER=http://localhost:3080 ADMIN_PANEL_URL= # Session encryption key for the bundled admin panel (min 32 characters). -# The admin panel ships enabled in docker-compose/deploy-compose; the value -# below is a development default. Generate a unique one for production: +# Required when using the bundled admin panel in docker-compose/deploy-compose. +# Generate a unique value before starting the stack: # openssl rand -hex 32 -ADMIN_PANEL_SESSION_SECRET=0f7114d0b0b192b59fde7e3b730949b27d49a8717fa32ad3167d94c7684fede3 +ADMIN_PANEL_SESSION_SECRET= # Host port for the bundled admin panel (default docker-compose only). # In deploy-compose the panel is served at http://admin.localhost via nginx. diff --git a/deploy-compose.yml b/deploy-compose.yml index 77d6161a7d..a024d97259 100644 --- a/deploy-compose.yml +++ b/deploy-compose.yml @@ -48,7 +48,9 @@ services: restart: always environment: - PORT=3000 - - SESSION_SECRET=${ADMIN_PANEL_SESSION_SECRET:-${CREDS_KEY}} + # Plain expansion (not :?) so `docker compose down`/`pull` still run when this is unset. + # The panel itself refuses to start without it; set ADMIN_PANEL_SESSION_SECRET in .env. + - SESSION_SECRET=${ADMIN_PANEL_SESSION_SECRET} - API_SERVER_URL=http://api:3080 - VITE_API_BASE_URL=${DOMAIN_CLIENT:-http://localhost} - SESSION_COOKIE_SECURE=${ADMIN_PANEL_SESSION_COOKIE_SECURE:-false} diff --git a/docker-compose.yml b/docker-compose.yml index 1476231df6..0fada4bb69 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -45,7 +45,9 @@ services: restart: always environment: - PORT=3000 - - SESSION_SECRET=${ADMIN_PANEL_SESSION_SECRET:-${CREDS_KEY}} + # Plain expansion (not :?) so `docker compose down`/`pull` still run when this is unset. + # The panel itself refuses to start without it; set ADMIN_PANEL_SESSION_SECRET in .env. + - SESSION_SECRET=${ADMIN_PANEL_SESSION_SECRET} - API_SERVER_URL=http://api:${PORT:-3080} - VITE_API_BASE_URL=${DOMAIN_CLIENT:-http://localhost:3080} - SESSION_COOKIE_SECURE=${ADMIN_PANEL_SESSION_COOKIE_SECURE:-false}