Use session_secret for signed auth session tokens

2026-04-09 21:30:08 +02:00
parent 6eab47f7ba
commit 208f98dc97
8 changed files with 136 additions and 12 deletions


@@ -20,6 +20,7 @@ Reference: `Docs/Refactoring.md` for full analysis of each issue.
### 2. Remove or use `session_secret`
- Where found: `backend/app/config.py`
- Goal: either eliminate the unused `BANGUI_SESSION_SECRET` requirement or use it for session token generation / signing so the setting has purpose.
- Status: completed
- Possible traps and issues:
- Keeping it required without use is misleading and burdens deployments.
- Introducing a new crypto dependency for session tokens must preserve backward compatibility with existing sessions.
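
Review bot: The added `- Status: completed` line under item 2 does not record which branch of the goal was taken or how the backward-compatibility trap listed beneath it was resolved. The goal offers two outcomes (eliminate the `BANGUI_SESSION_SECRET` requirement, or use it for session token generation / signing), and the trap about preserving existing sessions is still listed with no resolution. Suggest extending the status line to state that the secret is now used for signing session tokens, as the commit title says, and adding a short note on what happens to sessions issued before this change.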