Files
hermes-webui/api
Lucas Coutinho 07a5fe0838 fix(auth): HMAC length migration bridge and restore Secure cookie heuristic
HMAC length: create_session() now emits a full 64-char HMAC-SHA256 hex
digest instead of the truncated 32-char form. verify_session() accepts
both lengths during a transition window so existing sessions survive the
upgrade without a forced global logout. The legacy 32-char branch can be
removed once the default 30-day session TTL has elapsed.

Secure flag: introduce _is_secure_context(handler) to encapsulate the
env-var override and heuristic. Restores the getpeercert / X-Forwarded-Proto
heuristic that was present before this refactor, keeping the env-var
override (HERMES_WEBUI_SECURE) on top for proxy deployments that need
explicit control. The bare `return False` stub that the previous commit
left in place silently broke Secure-cookie delivery for all reverse-proxy
users who never set the env var.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-05-13 14:18:47 -03:00