Trek_CN/server
jubnl 358afd2428
fix: require ENCRYPTION_KEY at startup instead of auto-generating
Auto-generating and persisting the key to data/.encryption_key co-locates
the key with the database, defeating encryption at rest if an attacker can
read the data directory. It also silently loses all encrypted secrets if the
data volume is recreated.

Replace the auto-generation fallback with a hard startup error that tells
operators exactly what to do:
- Upgraders from the JWT_SECRET-derived encryption era: set ENCRYPTION_KEY
  to their old JWT_SECRET so existing ciphertext remains readable.
- Fresh installs: generate a key with `openssl rand -hex 32`.
2026-04-01 08:43:36 +02:00
..
public Merge branch 'perf-test' of https://github.com/jubnl/TREK into dev 2026-03-31 23:10:02 +02:00
src fix: require ENCRYPTION_KEY at startup instead of auto-generating 2026-04-01 08:43:36 +02:00
.env.example fix: add SSRF protection for link preview and Immich URL 2026-04-01 07:59:03 +02:00
package-lock.json Merge branch 'pr-125' 2026-03-30 23:10:34 +02:00
package.json Merge branch 'pr-125' 2026-03-30 23:10:34 +02:00
reset-admin.js Stabilize core: better-sqlite3, versioned migrations, graceful shutdown 2026-03-22 17:52:24 +01:00
tsconfig.json some fixes 2026-03-30 06:59:24 +02:00