feat(auth): accept session secret from TINY_ADMIN_SECRET env var

blocknotes · blocknotes · commit c4a6a70d5d33 · 2026-03-22T15:28:34.000+01:00
The session secret was regenerated with SecureRandom.hex(64) on every
boot, which invalidates all existing sessions on restart. Now reads
from ENV["TINY_ADMIN_SECRET"] with fallback to the random value, so
production deployments can maintain stable sessions across restarts.
diff --git a/lib/tiny_admin/basic_app.rb b/lib/tiny_admin/basic_app.rb
@@ -16,8 +16,8 @@ def authentication_plugin
 
     plugin :flash
     plugin :not_found
-    plugin :render, engine: 'html'
-    plugin :sessions, secret: SecureRandom.hex(64)
+    plugin :render, engine: "html"
+    plugin :sessions, secret: ENV.fetch("TINY_ADMIN_SECRET") { SecureRandom.hex(64) }
 
     plugin authentication_plugin, TinyAdmin.settings.authentication
 
