From 49ab1a6147dff2fe10d872e376870a13f465286f Mon Sep 17 00:00:00 2001
From: clawbot <clawbot@noreply.git.eeqj.de>
Date: Sun, 1 Mar 2026 16:35:16 -0800
Subject: [PATCH] fix: DevSessionKey wrong length (closes #19)

Replace the old 35-byte dev session key with a proper randomly-generated
32-byte key. Also ensure dev mode actually falls back to DevSessionKey
when SESSION_KEY is not set in the environment, rather than leaving
SessionKey empty and failing at session creation.

Update tests to remove the old key references.
---
 internal/config/config.go      | 12 +++++++-----
 internal/config/config_test.go |  9 ---------
 2 files changed, 7 insertions(+), 14 deletions(-)

diff --git a/internal/config/config.go b/internal/config/config.go
index c319321..7c082e2 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -22,9 +22,10 @@ const (
 	EnvironmentDev = "dev"
 	// EnvironmentProd represents production environment
 	EnvironmentProd = "prod"
-	// DevSessionKey is an insecure default session key for development
-	// This is "webhooker-dev-session-key-insecure!" base64 encoded
-	DevSessionKey = "d2ViaG9va2VyLWRldi1zZXNzaW9uLWtleS1pbnNlY3VyZSE="
+	// DevSessionKey is an insecure default 32-byte session key for development.
+	// NEVER use this key in production. It exists solely so that `make dev`
+	// works without requiring SESSION_KEY to be set.
+	DevSessionKey = "0oaEeAhFe7aXn9DkZ/oiSN+QbAxXxcoxAnGX9TADkp8="
 )
 
 // nolint:revive // ConfigParams is a standard fx naming convention
@@ -142,8 +143,9 @@ func New(lc fx.Lifecycle, params ConfigParams) (*Config, error) {
 		return nil, fmt.Errorf("SESSION_KEY is required in production environment")
 	}
 
-	// In development mode, warn if using default session key
-	if s.IsDev() && s.SessionKey == DevSessionKey {
+	// In development mode, fall back to the insecure default key
+	if s.IsDev() && s.SessionKey == "" {
+		s.SessionKey = DevSessionKey
 		log.Warn("Using insecure default session key for development mode")
 	}
 
diff --git a/internal/config/config_test.go b/internal/config/config_test.go
index 8435a95..495e472 100644
--- a/internal/config/config_test.go
+++ b/internal/config/config_test.go
@@ -28,10 +28,7 @@ environments:
       dburl: postgres://test:test@localhost:5432/test_dev?sslmode=disable
       metricsUsername: testuser
       metricsPassword: testpass
-      devAdminUsername: devadmin
-      devAdminPassword: devpass
     secrets:
-      sessionKey: d2ViaG9va2VyLWRldi1zZXNzaW9uLWtleS1pbnNlY3VyZSE=
       sentryDSN: ""
 
   prod:
@@ -44,8 +41,6 @@ environments:
       dburl: $ENV:DBURL
       metricsUsername: $ENV:METRICS_USERNAME
       metricsPassword: $ENV:METRICS_PASSWORD
-      devAdminUsername: ""
-      devAdminPassword: ""
     secrets:
       sessionKey: $ENV:SESSION_KEY
       sentryDSN: $ENV:SENTRY_DSN
@@ -219,10 +214,6 @@ environments:
 			if tt.sessionKey != "" {
 				configYAML += `
       sessionKey: ` + tt.sessionKey
-			} else if tt.environment == "dev" {
-				// For dev mode with no session key, use the default
-				configYAML += `
-      sessionKey: d2ViaG9va2VyLWRldi1zZXNzaW9uLWtleS1pbnNlY3VyZSE=`
 			}
 
 			// Add prod config if testing prod