From 46fa8fe93ea127dba60152526ff4c020ebf09aaf Mon Sep 17 00:00:00 2001
From: FuturMix
Date: Sun, 14 Jun 2026 12:17:20 +0800
Subject: [PATCH] fix(auth): remove hardcoded fallback session secret (fixes #59)
---
 apps/logicsrc-web/src/lib/coinpay.ts | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/apps/logicsrc-web/src/lib/coinpay.ts b/apps/logicsrc-web/src/lib/coinpay.ts
index dae83d7..8441147 100644
--- a/apps/logicsrc-web/src/lib/coinpay.ts
+++ b/apps/logicsrc-web/src/lib/coinpay.ts
@@ -150,7 +150,11 @@ export function getCoinPayOAuthConfig(): CoinPayOAuthConfig | null {
 }
 
 function getSessionSecret(): string {
- return process.env.LOGICSRC_SESSION_SECRET || process.env.COINPAY_OAUTH_CLIENT_SECRET || "logicsrc-dev-session-secret";
+ const secret = process.env.LOGICSRC_SESSION_SECRET || process.env.COINPAY_OAUTH_CLIENT_SECRET;
+ if (!secret) {
+ throw new Error("LOGICSRC_SESSION_SECRET or COINPAY_OAUTH_CLIENT_SECRET must be set");
+ }
+ return secret;
 }
 
 export function signSession(payload: Record): string {
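Review bot: getSessionSecret still falls back to `COINPAY_OAUTH_CLIENT_SECRET`, so when `LOGICSRC_SESSION_SECRET` is unset the key that authenticates sessions is a credential also held by the OAuth provider, and rotating the client secret invalidates every session. Consider requiring a dedicated key, `const secret = process.env.LOGICSRC_SESSION_SECRET;`, or, if the fallback must stay for compatibility, deriving the session key from the client secret with a labelled HMAC/HKDF step instead of using it directly. The new check also accepts any non-empty value, so a minimum-length guard such as `if (!secret || secret.length < 32)` (threshold illustrative) would catch a weak configuration. The throw fires on first use rather than at startup, so the signing and (presumably) verification paths, which lie outside this hunk, will surface a misconfiguration as a request-time error; validating once at boot would fail earlier.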