From f8ff01aad062dd74f0c029bca3136c4013734ffd Mon Sep 17 00:00:00 2001
From: Matthew Messinger
Date: Tue, 10 Jun 2025 19:28:20 -0400
Subject: [PATCH 1/3] fix: prevent session password in .env from being included in production builds
---
 src/module.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/module.ts b/src/module.ts
index 99dbd418..cadb7b12 100644
--- a/src/module.ts
+++ b/src/module.ts
@@ -135,7 +135,7 @@ export default defineNuxtModule({
 runtimeConfig.session = defu(runtimeConfig.session, {
 name: 'nuxt-session',
- password: process.env[envSessionPassword] || '',
+ password: '',
 cookie: {
 sameSite: 'lax',
 },
@@ -146,7 +146,7 @@ export default defineNuxtModule({
 })
 // Generate the session password
- if (nuxt.options.dev && !runtimeConfig.session.password) {
+ if (nuxt.options.dev && !process.env[envSessionPassword]) {
 runtimeConfig.session.password = randomUUID().replace(/-/g, '')
 // Add it to .env
 const envPath = join(nuxt.options.rootDir, '.env')
From b59acb4f94acc8aab61a3eadb2a3aeaf1f465a82 Mon Sep 17 00:00:00 2001
From: Matthew Messinger
Date: Mon, 16 Jun 2025 16:52:48 -0400
Subject: [PATCH 2/3] fix: log an error when session.password is unset
---
 src/runtime/server/utils/session.ts | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/runtime/server/utils/session.ts b/src/runtime/server/utils/session.ts
index 49bc1459..7fc4ea15 100644
--- a/src/runtime/server/utils/session.ts
+++ b/src/runtime/server/utils/session.ts
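Review bot: In the `@@ -135,7` hunk of src/module.ts (PATCH 1/3), the new `password: ''` default carries no comment saying why the environment variable is deliberately not read here, so a later cleanup could restore the old default. Going by the commit subject, the concern is that a value placed in `runtimeConfig` at build time ends up in the production output. I would record that above the line, e.g. `// Left empty on purpose: the secret is read from the environment at runtime so it is never written into the build`. The `defu(...)` call continues past the end of the hunk.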
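Review bot: In the `@@ -146,7` hunk of src/module.ts (PATCH 1/3), the new guard no longer looks at `runtimeConfig.session.password`, so in dev a password set only through `nuxt.config` is overwritten by the generated one on the next line and another entry is appended to `.env`. Keeping both conditions preserves the old behaviour for configured projects: `if (nuxt.options.dev && !process.env[envSessionPassword] && !runtimeConfig.session.password) {`. The same guard is carried unchanged into the `@@ -147,7` hunk of PATCH 3/3, where the generated value is written to `process.env` instead; that value appears to take precedence at runtime, judging by the `defu({ password: process.env[...] }, runtimeConfig.session)` line in session.ts. The body of the `if` continues outside the hunk.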
@@ -112,6 +112,9 @@ function _useSession(event: UseSessionEvent, config: Partial = {}
 const envSessionPassword = `${runtimeConfig.nitro?.envPrefix || 'NUXT_'}SESSION_PASSWORD`
 sessionConfig = defu({ password: process.env[envSessionPassword] }, runtimeConfig.session)
+ if (!sessionConfig.password) {
+ console.error(`[nuxt-auth-utils] ${envSessionPassword} environment variable or runtimeConfig.session.password was not set.`)
+ }
 }
 const finalConfig = defu(config, sessionConfig) as SessionConfig
 return useSession(event, finalConfig)
From 4cd707c05321a70e33bedb2d738c53b04fca8c84 Mon Sep 17 00:00:00 2001
From: Matthew Messinger
Date: Sun, 13 Jul 2025 14:33:38 -0400
Subject: [PATCH 3/3] fix: assign session password directly to process.env
---
 src/module.ts | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/module.ts b/src/module.ts
index cadb7b12..cb5b1322 100644
--- a/src/module.ts
+++ b/src/module.ts
@@ -147,7 +147,7 @@ export default defineNuxtModule({
 // Generate the session password
 if (nuxt.options.dev && !process.env[envSessionPassword]) {
- runtimeConfig.session.password = randomUUID().replace(/-/g, '')
+ const password = process.env[envSessionPassword] = randomUUID().replace(/-/g, '')
 // Add it to .env
 const envPath = join(nuxt.options.rootDir, '.env')
 const envContent = await readFile(envPath, 'utf-8').catch(() => '')
@@ -156,7 +156,7 @@ export default defineNuxtModule({
 envPath,
 `${
 envContent ? envContent + '\n' : envContent
- }${envSessionPassword}=${runtimeConfig.session.password}`,
+ }${envSessionPassword}=${password}`,
 'utf-8',
 )
 }
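Review bot: In the `@@ -112,6` hunk of src/runtime/server/utils/session.ts (PATCH 2/3), the added check tests `sessionConfig.password` before the per-call `config` is merged on the `defu(config, sessionConfig)` line, so a caller that supplies `config.password` still gets the error logged and the message does not describe the value `useSession` actually receives. Checking the merged result instead, `if (!finalConfig.password) {` placed after `finalConfig` is built, would report the effective state. The branch only logs, and `useSession(event, finalConfig)` is still called with an empty password; whether that is rejected downstream is not visible here, so throwing rather than logging is worth considering. The enclosing block opens before the hunk, so how often the check runs cannot be seen.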
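Review bot: In the `@@ -147,7` hunk of src/module.ts (PATCH 3/3), the chained assignment `const password = process.env[envSessionPassword] = randomUUID().replace(/-/g, '')` hides a write to process-wide state inside a declaration and is easy to misread. Two statements read more plainly: `const password = randomUUID().replace(/-/g, '')` followed by `process.env[envSessionPassword] = password`. A short comment on the second line explaining that the value goes to `process.env` rather than `runtimeConfig` (presumably so that it is not carried into build output) would keep the intent of this series visible. The `if` block continues past the end of the hunk.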