Bug Description
In app/auth.py, the SessionMiddleware is initialized with a hardcoded fallback value:
```python
app.add_middleware(
    SessionMiddleware,
    secret_key=os.getenv("SESSION_SECRET_KEY", "supersecretkey")
)
```
If SESSION_SECRET_KEY is not set in the environment (.env file missing or misconfigured), the app silently uses "supersecretkey" as the signing secret for all user sessions. Since this value is openly visible in the source code, anyone can craft forged session cookies and gain access without going through OAuth.
The app gives no warning and does not refuse to start when this insecure fallback is active.
Expected Behavior
The application should refuse to start if SESSION_SECRET_KEY is not set.
Suggested Fix
```python
secret = os.getenv("SESSION_SECRET_KEY")
if not secret:
    raise RuntimeError("SESSION_SECRET_KEY is not set. Set a strong random secret in your .env file.")
app.add_middleware(SessionMiddleware, secret_key=secret)
```
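A fuller version of the fail-closed startup check, added here as an example rather than taken from the project: besides refusing to start when the variable is unset, it rejects the known placeholder value and short secrets, and provides a generator for a proper value. It assumes Starlette's SessionMiddleware (the middleware named in the report) and the same SESSION_SECRET_KEY variable; the helper names are hypothetical.

```python
import os
import secrets
from typing import Mapping, Optional

# "supersecretkey" is the fallback named in the report; the other entries are
# constructed placeholders commonly left behind in example configs.
KNOWN_PLACEHOLDERS = {"supersecretkey", "changeme", "secret", "password"}
MIN_SECRET_BYTES = 32  # 256 bits of signing key material


def validate_session_secret(secret: Optional[str]) -> Optional[str]:
    """Return a reason the secret is unacceptable, or None if it passes.

    Rejects: unset/empty values, known placeholder strings, and short values.
    """
    if not secret:
        return "SESSION_SECRET_KEY is not set. Set a strong random secret in your .env file."
    if secret.strip().lower() in KNOWN_PLACEHOLDERS:
        return "SESSION_SECRET_KEY is a known placeholder value; generate a random one."
    if len(secret.encode("utf-8")) < MIN_SECRET_BYTES:
        return f"SESSION_SECRET_KEY is too short; use at least {MIN_SECRET_BYTES} bytes."
    return None


def load_session_secret(env: Optional[Mapping[str, str]] = None) -> str:
    """Read SESSION_SECRET_KEY from env (default os.environ) and fail closed on any problem."""
    env = os.environ if env is None else env
    secret = env.get("SESSION_SECRET_KEY")
    problem = validate_session_secret(secret)
    if problem is not None:
        raise RuntimeError(problem)
    return secret  # type: ignore[return-value]


def generate_session_secret() -> str:
    """Produce a value suitable for SESSION_SECRET_KEY: 32 random bytes as 64 hex chars."""
    return secrets.token_hex(MIN_SECRET_BYTES)


def setup_session(app, env: Optional[Mapping[str, str]] = None) -> None:
    """Attach Starlette's SessionMiddleware only after the secret passes validation."""
    # Imported here so the validation helpers above can be used without Starlette installed.
    from starlette.middleware.sessions import SessionMiddleware
    app.add_middleware(SessionMiddleware, secret_key=load_session_secret(env))
```

Calling `setup_session(app)` in place of the current `add_middleware` line makes a missing or placeholder secret a startup failure instead of a silent downgrade.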
Location
File: app/auth.py
Function: setup_oauth()
Line: 56
Severity
Security / High — Allows authentication bypass via forged session cookies.