VITE_SESSION_SECRET

[binajmen]

Thank you for this great utility!

In utils/auth.ts, you use:

secrets: [clientEnv.VITE_SESSION_SECRET],

According to the security notes in https://vitejs.dev/guide/env-and-mode.html#env-files:

Since any variables exposed to your Vite source code will end up in your client bundle, VITE_* variables should not contain any sensitive information.

Isn't it concerning or did I misunderstand something?

[OrJDev]

I also think that it should not be prefixed with vite, but solid docs do prefix it (making it public to the client) so I'm not sure which is the correct answer?

[binajmen]

Yes I noticed the same in the Solid documentation. I think this is wrong and could (do?) leak the session secret. I'll move this to serverEnv and see how it goes.

[OrJDev]

Yes I noticed the same in the Solid documentation. I think this is wrong and could (do?) leak the session secret. I'll move this to serverEnv and see how it goes.

Make sure you separate the auth client and the session storage otherwise the client will try to parse server env variables (causing an error to be thrown on the browser), move the session storage to server/auth.ts if you do decide to do that

[binajmen]

It works well, thanks for the above tip 😉 – I was not aware everything under /server is not bundled to the client!

I'm pretty sure this should be the default. I don't have time right now to "hack" myself and see how I could retrieve the session secret. Although, based on Vite documentation, the session secret is (most probably) leaked with the current setup.

[OrJDev]

Ye i think so too,
feel free to make a pr with the above tip or I will do so tomorrow

[tanjunior]

maybe include https://github.com/t3-oss/t3-env as part of the addon?