From a12c62bbdc6b90f7b6e67dffb4ac3127a891bedb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Reinhard=20X=2E=20F=C3=BCrst?=
Date: Fri, 5 Jun 2026 15:19:25 +0200
Subject: [PATCH] =?UTF-8?q?fix:=20AUTH=5FSECRET-Check=20lazy=20=E2=80=94?= =?UTF-8?q?=20wirft=20erst=20zur=20Laufzeit,=20nicht=20beim=20Build?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Co-Authored-By: Claude Sonnet 4.6
---
 lib/session.ts | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/lib/session.ts b/lib/session.ts
index bf8bcf3..cbff36c 100644
--- a/lib/session.ts
+++ b/lib/session.ts
@@ -4,11 +4,11 @@ import { SignJWT, jwtVerify } from 'jose';
 const SESSION_COOKIE_NAME = 'logbuch_session';
 const SESSION_DURATION = 60 * 60 * 1000;
-const secretKey = process.env.AUTH_SECRET;
-if (!secretKey) {
- throw new Error('AUTH_SECRET Umgebungsvariable ist nicht gesetzt!');
+function getKey(): Uint8Array {
+ const secretKey = process.env.AUTH_SECRET;
+ if (!secretKey) throw new Error('AUTH_SECRET Umgebungsvariable ist nicht gesetzt!');
+ return new TextEncoder().encode(secretKey);
 }
-const key = new TextEncoder().encode(secretKey);
 export interface SessionData {
 kuerzel: string;
@@ -25,12 +25,12 @@ async function encrypt(payload: SessionData): Promise {
 .setProtectedHeader({ alg: 'HS256' })
 .setIssuedAt()
 .setExpirationTime(new Date(payload.expiresAt))
- .sign(key);
+ .sign(getKey());
 }
 async function decrypt(token: string): Promise {
 try {
- const { payload } = await jwtVerify(token, key, { algorithms: ['HS256'] });
+ const { payload } = await jwtVerify(token, getKey(), { algorithms: ['HS256'] });
 return payload as unknown as SessionData;
 } catch {
 return null;
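Review bot: `getKey()` accepts any non-empty `AUTH_SECRET`, so a short or guessable value becomes the HS256 key that signs every session token. RFC 7518 asks for an HMAC-SHA256 key of at least 256 bits, and whether the library rejects shorter `Uint8Array` secrets on its own is not visible from this hunk. The guard could enforce a floor itself, for example `if (!secretKey || secretKey.length < 32) throw new Error('AUTH_SECRET fehlt oder ist kürzer als 32 Zeichen');`. A short doc comment on `getKey()` stating that it throws on first use rather than at import would also help callers, since the failure point has moved from module load to request time.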
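Review bot: In `decrypt`, `getKey()` is now evaluated inside the `try`, so a missing `AUTH_SECRET` is caught by the bare `catch` and comes back as `return null`. Verification still fails closed, but a misconfigured deployment then looks like every visitor holding an invalid session, and no error is raised or logged on the verify path. Resolving the key before the `try`, with `const key = getKey();` and then `jwtVerify(token, key, { algorithms: ['HS256'] })`, lets the configuration error propagate while tampered or expired tokens still yield null. `encrypt` begins above this hunk and `decrypt` continues below it, so any handling outside the visible lines is not covered here.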