From 14be59be1902da8c170df96ca54019cf173807d7 Mon Sep 17 00:00:00 2001
From: yuyx <237899745@qq.com>
Date: Tue, 20 Jan 2026 11:00:17 +0800
Subject: [PATCH] =?UTF-8?q?fix:=20=E8=87=AA=E5=8A=A8=E7=94=9F=E6=88=90=20S?= =?UTF-8?q?ESSION=5FSECRET=20=E9=85=8D=E7=BD=AE?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- 新安装时自动生成随机 SESSION_SECRET
- 更新时自动补充缺失的 SESSION_SECRET
- 避免生产环境因缺少密钥而启动失败
Co-Authored-By: Claude Opus 4.5
---
 install.sh | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/install.sh b/install.sh
index 85d2f28..14b3765 100644
--- a/install.sh
+++ b/install.sh
@@ -2111,6 +2111,9 @@ create_env_file() {
 # 生成随机JWT密钥
 JWT_SECRET=$(openssl rand -base64 32)
+ # 生成随机Session密钥
+ SESSION_SECRET=$(openssl rand -hex 32)
+
 # ========== CORS 安全配置自动生成 ==========
 # 根据部署模式自动配置 ALLOWED_ORIGINS 和 COOKIE_SECURE
@@ -2156,6 +2159,9 @@ ADMIN_PASSWORD=${ADMIN_PASSWORD}
 # JWT密钥
 JWT_SECRET=${JWT_SECRET}
+# Session密钥(用于会话管理)
+SESSION_SECRET=${SESSION_SECRET}
+
 # 数据库路径
 DATABASE_PATH=./data/database.db
@@ -3856,6 +3862,16 @@ update_patch_env() {
 else
 print_info ".env 已包含 TRUST_PROXY,保持不变"
 fi
+
+ # 检查 SESSION_SECRET(会话安全配置,生产环境必需)
+ if ! grep -q "^SESSION_SECRET=" "${PROJECT_DIR}/backend/.env"; then
+ # 自动生成随机 Session 密钥
+ NEW_SESSION_SECRET=$(openssl rand -hex 32)
+ echo "SESSION_SECRET=${NEW_SESSION_SECRET}" >> "${PROJECT_DIR}/backend/.env"
+ print_warning "已为现有 .env 补充 SESSION_SECRET(已自动生成安全密钥)"
+ else
+ print_info ".env 已包含 SESSION_SECRET,保持不变"
+ fi
 else
 print_warning "未找到 ${PROJECT_DIR}/backend/.env,请手动确认配置"
 fi
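Review bot: The result of `openssl rand -hex 32` is assigned to SESSION_SECRET in create_env_file without any check that the command succeeded, so if openssl is missing or fails, the heredoc in the second hunk would write an empty `SESSION_SECRET=` into .env (whether the script runs under `set -e` is not visible here). A length check right after the assignment would stop that, for example `[ "${#SESSION_SECRET}" -eq 64 ] || { print_warning "SESSION_SECRET generation failed"; return 1; }`. The same unchecked call appears as `NEW_SESSION_SECRET=$(openssl rand -hex 32)` in the update_patch_env hunk, where the following message reports a secure key even if nothing was generated. create_env_file starts and ends outside the hunk.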
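Review bot: The presence test `grep -q "^SESSION_SECRET="` in update_patch_env also matches a line with an empty value, so a .env containing a bare `SESSION_SECRET=` takes the "already present" branch and the missing-key condition this commit targets is left in place. Testing for a non-empty value, `grep -Eq '^SESSION_SECRET=.+' "${PROJECT_DIR}/backend/.env"`, would catch it, and the write branch should then replace the empty line rather than append a second assignment. Separately, `echo ... >>` assumes the file ends with a newline; if it does not, the new key is joined onto the last existing line. Because this block writes a secret, it is also worth confirming that backend/.env is restricted to its owner, which the hunk does not show. update_patch_env starts and ends outside the hunk.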