From 22c9acf99386477bbb49b2762e9072b3dd8bb43a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix=20Malfait?=
Date: Fri, 7 Feb 2025 14:58:50 +0100
Subject: [PATCH] Remove session store secret (#10074)

Fixes #10033
---
 packages/twenty-server/.env.example | 1 -
 .../environment/environment-variables.ts | 9 ---------
 .../session-storage.module-factory.ts | 14 +++++++++++++-
 3 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/packages/twenty-server/.env.example b/packages/twenty-server/.env.example
index 8618dd8ca..759c45fbf 100644
--- a/packages/twenty-server/.env.example
+++ b/packages/twenty-server/.env.example
@@ -70,7 +70,6 @@ FRONT_PORT=3001
 # MUTATION_MAXIMUM_AFFECTED_RECORDS=100
 # CHROME_EXTENSION_ID=bggmipldbceihilonnbpgoeclgbkblkp
 # PG_SSL_ALLOW_SELF_SIGNED=true
-# SESSION_STORE_SECRET=replace_me_with_a_random_string_session
 # ENTERPRISE_KEY=replace_me_with_a_valid_enterprise_key
 # SSL_KEY_PATH="./certs/your-cert.key"
 # SSL_CERT_PATH="./certs/your-cert.crt"
diff --git a/packages/twenty-server/src/engine/core-modules/environment/environment-variables.ts b/packages/twenty-server/src/engine/core-modules/environment/environment-variables.ts
index 49a0df311..9d8f9539a 100644
--- a/packages/twenty-server/src/engine/core-modules/environment/environment-variables.ts
+++ b/packages/twenty-server/src/engine/core-modules/environment/environment-variables.ts
@@ -828,15 +828,6 @@ export class EnvironmentVariables {
 @IsString()
 APP_SECRET: string;
- @EnvironmentVariablesMetadata({
- group: EnvironmentVariablesGroup.ServerConfig,
- sensitive: true,
- description: 'Secret for session store',
- })
- @IsString()
- @IsOptional()
- SESSION_STORE_SECRET = 'replace_me_with_a_random_string_session';
-
 @EnvironmentVariablesMetadata({
 group: EnvironmentVariablesGroup.ServerConfig,
 subGroup: EnvironmentVariablesSubGroup.RateLimiting,
diff --git a/packages/twenty-server/src/engine/core-modules/session-storage/session-storage.module-factory.ts b/packages/twenty-server/src/engine/core-modules/session-storage/session-storage.module-factory.ts
index d8c630abd..84f7bed90 100644
--- a/packages/twenty-server/src/engine/core-modules/session-storage/session-storage.module-factory.ts
+++ b/packages/twenty-server/src/engine/core-modules/session-storage/session-storage.module-factory.ts
@@ -1,3 +1,5 @@
+import { createHash } from 'crypto';
+
 import RedisStore from 'connect-redis';
 import session from 'express-session';
 import { createClient } from 'redis';
@@ -12,8 +14,18 @@ export const getSessionStorageOptions = (
 const SERVER_URL = environmentService.get('SERVER_URL');
+ const appSecret = environmentService.get('APP_SECRET');
+
+ if (!appSecret) {
+ throw new Error('APP_SECRET is not set');
+ }
+
+ const sessionSecret = createHash('sha256')
+ .update(`${appSecret}SESSION_STORE_SECRET`)
+ .digest('hex');
+
 const sessionStorage: session.SessionOptions = {
- secret: environmentService.get('SESSION_STORE_SECRET'),
+ secret: sessionSecret,
 resave: false,
 saveUninitialized: false,
 proxy: true,
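Review bot: The Node core module is imported by its bare name in the first hunk, `import { createHash } from 'crypto';`; the prefixed form `import { createHash } from 'node:crypto';` states unambiguously that the builtin is meant rather than a same-named package from node_modules, which is worth being explicit about in the file that now derives the session-signing secret. If the rest of the server imports builtins without the prefix, keep the file consistent with that convention instead. The same module exposes `hkdfSync`, a purpose-built key-derivation function that takes the label as a separate parameter; the second hunk derives the secret with a plain SHA-256 over `APP_SECRET` concatenated with a fixed label, and a short comment there stating that the session secret is bound to `APP_SECRET` (so rotating it invalidates existing sessions) would help operators. That second hunk ends outside this chunk, so the remainder of getSessionStorageOptions is not visible here.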