From 48a155b1449f52fffcfa2b8b7b0ed41100c1c23c Mon Sep 17 00:00:00 2001
From: AJ Jordan
Date: Fri, 14 Jul 2017 04:16:18 -0700
Subject: [PATCH] Don't insecurely handle config.secret's absence

It's much better to just error so the admin fixes it instead of doing something stupid on our own that nobody wants (should want).
---
 lib/app.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/app.js b/lib/app.js
index 85909091d..fc72fb7b4 100644
--- a/lib/app.js
+++ b/lib/app.js
@@ -277,7 +277,7 @@ var makeApp = function(configBase, callback) {
 var dbstore = new DatabankStore(db, log, (config.cleanupSession) ? (config.cleanupSession * workers) : 0);
 if (!config.noweb) {
- session = expressSession({secret: config.secret || "insecure",
+ session = expressSession({secret: config.secret,
 store: dbstore,
 saveUninitialized: false,
 resave: false});
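Review bot: Passing `config.secret` straight through at the `expressSession({secret: config.secret,` line leaves the handling of a missing secret entirely to express-session, and nothing visible in this hunk rejects an undefined or empty value before the session middleware is built. Depending on the express-session version in use, that may surface only as a warning at startup and an error on the first request rather than a clear startup failure, so an explicit guard inside the `if (!config.noweb)` branch would make the behaviour described in the commit message deterministic, e.g. `if (!config.secret) { callback(new Error("config.secret must be set")); return; }` (assuming `callback` is error-first). It may also be worth rejecting the old literal `"insecure"` in the same check, since deployments that ran without a secret were signing session cookies with that publicly known value and an admin could carry it over into the config. `makeApp` starts and ends outside the hunk, so such validation may already exist elsewhere in the function.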