4 files changed, 21 insertions, 7 deletions
diff --git a/lib/config/default.js b/lib/config/default.js
index 19ddccf6..68849d36 100644
--- a/lib/config/default.js
+++ b/lib/config/default.js
@@ -18,6 +18,8 @@ module.exports = {
     directives: {
     },
     addDefaults: true,
+    addDisqus: true,
+    addGoogleAnalytics: true,
     upgradeInsecureRequests: 'auto',
     reportURI: undefined
   },
@@ -46,6 +48,7 @@ module.exports = {
   // session
   sessionName: 'connect.sid',
   sessionSecret: 'secret',
+  sessionSecretLen: 128,
   sessionLife: 14 * 24 * 60 * 60 * 1000, // 14 days
   staticCacheTime: 1 * 24 * 60 * 60 * 1000, // 1 day
   // socket.io
diff --git a/lib/config/defaultSSL.js b/lib/config/defaultSSL.js
index 362c62a1..ba020466 100644
--- a/lib/config/defaultSSL.js
+++ b/lib/config/defaultSSL.js
@@ -10,8 +10,8 @@ function getFile (path) {
 }
 
 module.exports = {
-  sslkeypath: getFile('/run/secrets/key.pem'),
-  sslcertpath: getFile('/run/secrets/cert.pem'),
-  sslcapath: getFile('/run/secrets/ca.pem') !== undefined ? [getFile('/run/secrets/ca.pem')] : [],
-  dhparampath: getFile('/run/secrets/dhparam.pem')
+  sslKeyPath: getFile('/run/secrets/key.pem'),
+  sslCertPath: getFile('/run/secrets/cert.pem'),
+  sslCAPath: getFile('/run/secrets/ca.pem') !== undefined ? [getFile('/run/secrets/ca.pem')] : [],
+  dhParamPath: getFile('/run/secrets/dhparam.pem')
 }
diff --git a/lib/config/environment.js b/lib/config/environment.js
index cab3bc3e..3dde4786 100644
--- a/lib/config/environment.js
+++ b/lib/config/environment.js
@@ -26,6 +26,8 @@ module.exports = {
   allowFreeURL: toBooleanConfig(process.env.HMD_ALLOW_FREEURL),
   defaultPermission: process.env.HMD_DEFAULT_PERMISSION,
   dbURL: process.env.HMD_DB_URL,
+  sessionSecret: process.env.HMD_SESSION_SECRET,
+  sessionLife: toIntegerConfig(process.env.HMD_SESSION_LIFE),
   imageUploadType: process.env.HMD_IMAGE_UPLOAD_TYPE,
   imgur: {
     clientID: process.env.HMD_IMGUR_CLIENTID
diff --git a/lib/config/index.js b/lib/config/index.js
index fae51e52..bdba5e0e 100644
--- a/lib/config/index.js
+++ b/lib/config/index.js
@@ -1,6 +1,7 @@
 
 'use strict'
 
+const crypto = require('crypto')
 const fs = require('fs')
 const path = require('path')
 const {merge} = require('lodash')
@@ -52,7 +53,7 @@ if (config.ldap.tlsca) {
 
 // Permission
 config.permission = Permission
-if (!config.allowAnonymous && !config.allowAnonymousedits) {
+if (!config.allowAnonymous && !config.allowAnonymousEdits) {
   delete config.permission.freely
 }
 if (!(config.defaultPermission in config.permission)) {
@@ -110,13 +111,21 @@ for (let i = keys.length; i--;) {
   // and the config with uppercase is not set
   // we set the new config using the old key.
   if (uppercase.test(keys[i]) &&
-  config[lowercaseKey] &&
-  !config[keys[1]]) {
+  config[lowercaseKey] !== undefined &&
+  fileConfig[keys[i]] === undefined) {
     logger.warn('config.js contains deprecated lowercase setting for ' + keys[i] + '. Please change your config.js file to replace ' + lowercaseKey + ' with ' + keys[i])
     config[keys[i]] = config[lowercaseKey]
   }
 }
 
+// Generate session secret if it stays on default values
+if (config.sessionSecret === 'secret') {
+  logger.warn('Session secret not set. Using random generated one. Please set `sessionSecret` in your config.js file. All users will be logged out.')
+  config.sessionSecret = crypto.randomBytes(Math.ceil(config.sessionSecretLen / 2)) // generate crypto graphic random number
+        .toString('hex')                                                            // convert to hexadecimal format
+        .slice(0, config.sessionSecretLen)                                           // return required number of characters
+}
+
 // Validate upload upload providers
 if (['filesystem', 's3', 'minio', 'imgur'].indexOf(config.imageUploadType) === -1) {
   logger.error('"imageuploadtype" is not correctly set. Please use "filesystem", "s3", "minio" or "imgur". Defaulting to "imgur"')