feat(indiekit): redirect to new password form if no password secret set

paulrobertlloyd · paulrobertlloyd · commit 2392677e233e · 2025-12-07T13:59:21.000Z
diff --git a/packages/indiekit/lib/indieauth.js b/packages/indiekit/lib/indieauth.js
@@ -191,6 +191,8 @@ export const IndieAuth = class {
       if (devMode) {
         request.session.access_token = process.env.NODE_ENV;
         request.session.scope = "create update delete media";
+      } else if (!process.env.PASSWORD_SECRET) {
+        return response.redirect("/auth/new-password");
       }
 
       // If have session has access token and scope, go to next middleware

Original file line number	Diff line number	Diff line change
`@@ -191,6 +191,8 @@ export const IndieAuth = class {`
`191`	`191`	`if (devMode) {`
`192`	`192`	`request.session.access_token = process.env.NODE_ENV;`
`193`	`193`	`request.session.scope = "create update delete media";`
	`194`	`+ } else if (!process.env.PASSWORD_SECRET) {`
	`195`	`+ return response.redirect("/auth/new-password");`
`194`	`196`	`}`
`195`	`197`
`196`	`198`	`// If have session has access token and scope, go to next middleware`