From 231a4382e6140f763302e1ef0677530f8ff457ad Mon Sep 17 00:00:00 2001
From: Sammy Oina <sammyoina@gmail.com>
Date: Fri, 13 Mar 2026 18:30:42 +0300
Subject: [PATCH] feat: dynamically generate and configure NEXTAUTH_SECRET for
 local and cloud environments.

Signed-off-by: Sammy Oina <sammyoina@gmail.com>
---
 .github/workflows/deploy-cloud.yaml | 1 +
 Makefile                            | 1 +
 docker/.env                         | 2 +-
 3 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/deploy-cloud.yaml b/.github/workflows/deploy-cloud.yaml
index 43a75915..1f6f236e 100644
--- a/.github/workflows/deploy-cloud.yaml
+++ b/.github/workflows/deploy-cloud.yaml
@@ -124,6 +124,7 @@ jobs:
             sed -i "s|__TRAEFIK_DASHBOARD_PORT__|${{ secrets.TRAEFIK_DASHBOARD_PORT }}|g" docker/.env
             sed -i "s|__TUNNEL_TOKEN__|${{ secrets.TUNNEL_TOKEN }}|g" docker/.env
             sed -i "s|__CUBE_AGENT_CERTS_TOKEN__|${{ secrets.CUBE_AGENT_CERTS_TOKEN }}|g" docker/.env
+            sed -i "s|__NEXTAUTH_SECRET__|${{ secrets.NEXTAUTH_SECRET }}|g" docker/.env
             sed -i "s|__CUBE_INTERNAL_AGENT_URL__|${{ secrets.CUBE_INTERNAL_AGENT_URL }}|g" docker/config.json
             # Replace placeholder with actual domain from secrets
             sed -i "s|__CUBE_DOMAIN__|${{ secrets.CUBE_DOMAIN }}|g" docker/traefik/dynamic.toml
diff --git a/Makefile b/Makefile
index 868b65fe..dbca7ce8 100644
--- a/Makefile
+++ b/Makefile
@@ -225,6 +225,7 @@ config-local:
 	@sed -i 's|__TRAEFIK_DASHBOARD_PORT__|8080|g' docker/.env
 	@sed -i 's|__TUNNEL_TOKEN__||g' docker/.env
 	@sed -i 's|__CUBE_AGENT_CERTS_TOKEN__|localdevtoken12we12we12we12we12we|g' docker/.env
+	@sed -i "s|__NEXTAUTH_SECRET__|$(shell python3 -c 'import secrets; print(secrets.token_urlsafe(37))')|g" docker/.env
 	@echo "✓ Configured with local defaults"
 
 .PHONY: restore-config
diff --git a/docker/.env b/docker/.env
index a7da1268..3dc81f7a 100644
--- a/docker/.env
+++ b/docker/.env
@@ -315,7 +315,7 @@ MG_MAILCHIMP_AUDIENCE_ID=__MG_MAILCHIMP_AUDIENCE_ID__
 UI_PORT=6193
 UV_CUBE_UI_BASE_PATH=/
 MG_UI_TYPE=cube-ai
-NEXTAUTH_SECRET=
+NEXTAUTH_SECRET=__NEXTAUTH_SECRET__
 # change  IP address to your local IP address
 NEXTAUTH_URL=https://__CUBE_PUBLIC_URL__
 UV_CUBE_UI_DOCKER_ACCEPT_EULA=no