feat(auth): accept session secret from TINY_ADMIN_SECRET env var

blocknotes · blocknotes · commit b85ada987ccf · 2026-03-25T19:12:58.000+01:00
The session secret was regenerated with SecureRandom.hex(64) on every
boot, which invalidates all existing sessions on restart. Now reads
from ENV["TINY_ADMIN_SECRET"] with fallback to the random value, so
production deployments can maintain stable sessions across restarts.
diff --git a/lib/tiny_admin/basic_app.rb b/lib/tiny_admin/basic_app.rb
@@ -17,7 +17,7 @@ def authentication_plugin
     plugin :flash
     plugin :not_found
     plugin :render, engine: "html"
-    plugin :sessions, secret: SecureRandom.hex(64)
+    plugin :sessions, secret: ENV.fetch("TINY_ADMIN_SECRET") { SecureRandom.hex(64) }
 
     plugin authentication_plugin, TinyAdmin.settings.authentication
 
