From d9fd5fda9fc269615d0df408d2dbf54f2ce91301 Mon Sep 17 00:00:00 2001
From: Carson McManus
Date: Wed, 13 Nov 2024 06:44:26 -0500
Subject: [PATCH] fix(server/(config): add config validation for `session_secret`

---
 server/ott-config.ts | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/server/ott-config.ts b/server/ott-config.ts
index 0ebb000a6..b25510f06 100644
--- a/server/ott-config.ts
+++ b/server/ott-config.ts
@@ -520,6 +520,14 @@ export function validateConfig(): Result {
 return err(new Error("Invalid configuration."));
 }
 
+ if (conf.get("session_secret").length < 80) {
+ log.error(
+ "session_secret must be at least 80 characters long. Use a password generator to generate a secure alphanumeric secret."
+ );
+ log.error("This can also be set with the SESSION_SECRET environment variable.");
+ return err(new Error("Invalid configuration."));
+ }
+
 return ok(undefined);
 }
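Review bot: The new `session_secret` check in `validateConfig` measures only `.length`, so a long but predictable value (a repeated character, or a placeholder copied from a sample config) still passes. If the schema ships a default or example secret, startup should reject that value explicitly as well as short ones. The call also assumes `conf.get("session_secret")` is always a string; unless the schema guarantees it, an unset value would throw on `.length` instead of returning the `err(...)` result. A type guard would make the failure uniform: `const secret = conf.get("session_secret");` followed by `if (typeof secret !== "string" || secret.length < MIN_SESSION_SECRET_LENGTH) {`. Here `MIN_SESSION_SECRET_LENGTH = 80` would be a new named constant that also feeds the log message, so the limit and the text cannot drift apart. The function begins outside this hunk, so whether an earlier schema validation step already covers the type is not visible here.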