From 942867d94c6ae1387e88c94267c6493fa7ba2813 Mon Sep 17 00:00:00 2001
From: jackiettran <41605212+jackiettran@users.noreply.github.com>
Date: Thu, 15 Jan 2026 15:14:55 -0500
Subject: [PATCH] fixed bug where had to login every time the server restarted

---
 backend/middleware/csrf.js | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/backend/middleware/csrf.js b/backend/middleware/csrf.js
index 0d788bd..53e3bcd 100644
--- a/backend/middleware/csrf.js
+++ b/backend/middleware/csrf.js
@@ -1,11 +1,24 @@
 const csrf = require("csrf");
 const cookieParser = require("cookie-parser");
+const logger = require("../utils/logger");
 
 // Initialize CSRF token generator
 const tokens = new csrf();
 
-// Generate a secret for signing tokens
-const secret = tokens.secretSync();
+// Use persistent secret from environment variable to prevent token invalidation on restart
+const secret = process.env.CSRF_SECRET;
+
+if (!secret) {
+  const errorMsg = "CSRF_SECRET environment variable is required.";
+  logger.error(errorMsg);
+  throw new Error(errorMsg);
+}
+
+if (secret.length < 32) {
+  const errorMsg = "CSRF_SECRET must be at least 32 characters for security";
+  logger.error(errorMsg);
+  throw new Error(errorMsg);
+}
 
 // CSRF middleware using double submit cookie pattern
 const csrfProtection = (req, res, next) => {