create: hard-code the default session secret even more

The problem here is that making it this optional meant that it wasn't supplied by [the enterprise creation function](https://github.com/gristlabs/grist-ee/blob/fb22d94878a539ec9f1085fa9ac12936ccb68dca/ext/app/server/lib/create.ts#L10). This resulted in an odd situation where the secret was required for the enterprise edition, even though it offers no additional security. Without this key, the enterprise code crashes. The requirement to supply a secret key would make a Grist instance crash if you start in normal mode but switch to enterprise, as the enterprise creator does not supply a default secret key.
gristlabs · Jul 24, 2024 · 3ae3e7f · 3ae3e7f
1 parent f504cfd
commit 3ae3e7f
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 13 deletions.
diff --git a/app/server/lib/ICreate.ts b/app/server/lib/ICreate.ts
@@ -13,6 +13,9 @@ import {createSandbox, SpawnFn} from 'app/server/lib/NSandbox';
 import {SqliteVariant} from 'app/server/lib/SqliteCommon';
 import {ITelemetry} from 'app/server/lib/Telemetry';
 
+export const DEFAULT_SESSION_SECRET =
+  'Phoo2ag1jaiz6Moo2Iese2xoaphahbai3oNg7diemohlah0ohtae9iengafieS2Hae7quungoCi9iaPh';
+
 export interface ICreate {
 
   Billing(dbManager: HomeDBManager, gristConfig: GristServer): IBilling;
@@ -74,7 +77,6 @@ export interface ICreateTelemetryOptions {
 
 export function makeSimpleCreator(opts: {
   deploymentType: GristDeploymentType,
-  sessionSecret?: string,
   storage?: ICreateStorageOptions[],
   billing?: ICreateBillingOptions,
   notifier?: ICreateNotifierOptions,
@@ -86,7 +88,7 @@ export function makeSimpleCreator(opts: {
   getSandboxVariants?: () => Record<string, SpawnFn>,
   createInstallAdmin?: (dbManager: HomeDBManager) => Promise<InstallAdmin>,
 }): ICreate {
-  const {deploymentType, sessionSecret, storage, notifier, billing, telemetry} = opts;
+  const {deploymentType, storage, notifier, billing, telemetry} = opts;
   return {
     deploymentType() { return deploymentType; },
     Billing(dbManager, gristConfig) {
@@ -116,11 +118,7 @@ export function makeSimpleCreator(opts: {
       return createSandbox(opts.sandboxFlavor || 'unsandboxed', options);
     },
     sessionSecret() {
-      const secret = process.env.GRIST_SESSION_SECRET || sessionSecret;
-      if (!secret) {
-        throw new Error('need GRIST_SESSION_SECRET');
-      }
-      return secret;
+      return process.env.GRIST_SESSION_SECRET || DEFAULT_SESSION_SECRET;
     },
     async configure() {
       for (const s of storage || []) {

diff --git a/app/server/lib/coreCreator.ts b/app/server/lib/coreCreator.ts
@@ -3,14 +3,8 @@ import { checkMinIOBucket, checkMinIOExternalStorage,
 import { makeSimpleCreator } from 'app/server/lib/ICreate';
 import { Telemetry } from 'app/server/lib/Telemetry';
 
-export const DEFAULT_SESSION_SECRET =
-  'Phoo2ag1jaiz6Moo2Iese2xoaphahbai3oNg7diemohlah0ohtae9iengafieS2Hae7quungoCi9iaPh';
-
 export const makeCoreCreator = () => makeSimpleCreator({
   deploymentType: 'core',
-  // This can and should be overridden by GRIST_SESSION_SECRET
-  // (or generated randomly per install, like grist-omnibus does).
-  sessionSecret: DEFAULT_SESSION_SECRET,
   storage: [
     {
       name: 'minio',