From 6887698d592cb171ff4608d89234367d115c465d Mon Sep 17 00:00:00 2001
From: Danny Avila <danny@librechat.ai>
Date: Mon, 11 May 2026 09:05:53 -0400
Subject: [PATCH] =?UTF-8?q?=F0=9F=94=92=20feat:=20Enforce=20minimum=20leng?=
 =?UTF-8?q?th=20for=20SESSION=5FSECRET=20in=20admin=20session=20encryption?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Added a check to ensure that the SESSION_SECRET environment variable is at least 32 characters long, enhancing security for admin session encryption. This prevents the use of weak session secrets in production environments.
---
 src/server/session.ts | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/server/session.ts b/src/server/session.ts
index ff9fab2..28f7546 100644
--- a/src/server/session.ts
+++ b/src/server/session.ts
@@ -3,6 +3,7 @@ import type * as t from '@/types';
 
 const DEV_SECRET = 'dev-only-session-secret-minimum-32-chars!';
 
+const MIN_SESSION_SECRET_LENGTH = 32;
 const REVALIDATION_INTERVAL_MS = 60_000;
 const DEFAULT_IDLE_TIMEOUT_MS = 30 * 60 * 1000;
 
@@ -27,6 +28,12 @@ if (!sessionSecret) {
   throw new Error('SESSION_SECRET environment variable must be set for admin session encryption.');
 }
 
+if (sessionSecret.length < MIN_SESSION_SECRET_LENGTH) {
+  throw new Error(
+    `SESSION_SECRET must be at least ${MIN_SESSION_SECRET_LENGTH} characters for admin session encryption.`,
+  );
+}
+
 if (!process.env.SESSION_SECRET && process.env.NODE_ENV === 'development') {
   console.warn(
     '[session] Using hardcoded DEV_SECRET — set SESSION_SECRET for production-like environments',