From 4efe6d9350bb6770757632d2ddf81b24fcc90e8a Mon Sep 17 00:00:00 2001
From: jj
Date: Sun, 20 Oct 2024 14:14:47 +0000
Subject: [PATCH] api/config: disallow `JWT_SECRET`s shorter than 16 chars
---
 api/src/config.js | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/api/src/config.js b/api/src/config.js
index 3a28d7ce..02584212 100644
--- a/api/src/config.js
+++ b/api/src/config.js
@@ -54,6 +54,10 @@ const env = {
 const genericUserAgent = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36";
 const cobaltUserAgent = `cobalt/${version} (+https://github.com/imputnet/cobalt)`;
+if (env.sessionEnabled && env.jwtSecret.length < 16) {
+ throw new Error("JWT_SECRET env is too short (must be at least 16 characters long)");
+}
+
 export {
 env,
 genericUserAgent,
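Review bot: The added guard `env.jwtSecret.length < 16` measures character count rather than key strength, so a low-entropy 16-character value still passes, and 16 characters is at most 128 bits, below the 256-bit key size RFC 7518 §3.2 requires for HS256, if that is the algorithm these tokens are signed with (the signing code is not visible in this hunk). Because an HMAC-signed token can be checked against candidate secrets offline, consider raising the floor to `env.jwtSecret.length < 32` and adding a comment such as `// JWT_SECRET must be generated by a CSPRNG; length is only a floor, not a measure of entropy`. The condition also dereferences `env.jwtSecret` directly: the `env` object is defined above the hunk, so it is unconfirmed whether `sessionEnabled` can be truthy while `JWT_SECRET` is unset, but if it can, startup would fail with a TypeError instead of this message, which `(env.jwtSecret?.length ?? 0) < 16` would avoid.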