diff --git a/.env.example b/.env.example index 4d65e96..06c539b 100644 --- a/.env.example +++ b/.env.example @@ -25,5 +25,6 @@ LIDARR_QUALITY_PROFILE_ID=1 LIDARR_ROOT_FOLDER=/music # App -SESSION_SECRET_KEY=change-me-to-a-random-secret +# SESSION_SECRET_KEY is auto-generated if omitted. Set it explicitly so sessions survive restarts. +# SESSION_SECRET_KEY= DATABASE_PATH=bellhop.db diff --git a/README.md b/README.md index bb0e498..c8048a3 100644 --- a/README.md +++ b/README.md @@ -64,7 +64,6 @@ Create a `.env` file in the project root (or pass variables via Docker `--env-fi | Variable | Description | |---|---| | `MATRIX_HOMESERVER_URL` | Base URL of your Matrix homeserver (e.g. `https://matrix.example.com`) | -| `SESSION_SECRET_KEY` | Random secret used internally. Generate one with `python -c "import secrets; print(secrets.token_urlsafe(32))"` | ### *arr Services @@ -115,6 +114,7 @@ Copy the `access_token` from the response. | Variable | Default | Description | |---|---|---| +| `SESSION_SECRET_KEY` | _(auto-generated)_ | Secret for signing session cookies. Auto-generated at startup if not set. Set this explicitly in production so sessions survive restarts. | | `DATABASE_PATH` | `bellhop.db` | Path to the SQLite database file | ## API Reference @@ -244,7 +244,7 @@ Bellhop/ ### Production Recommendations - Run behind a reverse proxy (nginx, Caddy, Traefik) with TLS termination so the `secure` cookie flag works. -- Set `SESSION_SECRET_KEY` to a strong random value. +- Set `SESSION_SECRET_KEY` explicitly so sessions survive process restarts. - Restrict network access to your *arr instances — only the Bellhop container needs to reach them. - Use a dedicated Matrix bot account for audit logging rather than a personal account. diff --git a/app/config.py b/app/config.py index dce343e..29de51a 100644 --- a/app/config.py +++ b/app/config.py @@ -1,4 +1,5 @@ import os +import secrets from pathlib import Path from dotenv import load_dotenv @@ -38,5 +39,5 @@ LIDARR_QUALITY_PROFILE_ID: int = int(os.getenv("LIDARR_QUALITY_PROFILE_ID", "1") LIDARR_ROOT_FOLDER: str = os.getenv("LIDARR_ROOT_FOLDER", "/music") # App -SESSION_SECRET_KEY: str = _require("SESSION_SECRET_KEY") +SESSION_SECRET_KEY: str = os.getenv("SESSION_SECRET_KEY") or secrets.token_urlsafe(32) DATABASE_PATH: str = os.getenv("DATABASE_PATH", "bellhop.db")