Require cookie signing secret in configuration instead of using hard coded secret

src/config.rs

@@ -15,6 +15,7 @@ pub struct Config {
     pub template: Option<String>,
     pub no_contest_scan: Option<bool>,
     pub open_browser: Option<bool>,
+    pub cookie_signing_secret: Option<String>,
 }
 
 #[derive(StructOpt, Debug)]

src/main.rs

@@ -316,6 +316,7 @@ mod tests {
 
             let mut config = config::read_config_from_file(Path::new("thisfileshoudnotexist"));
             config.port = Some(port);
+            config.cookie_signing_secret = Some("testtesttesttesttesttesttesttest".to_string());
             let mut srvr = start_server(conn, config).expect(&format!("Could not start server on port {}", port));
 
             // Message server started

src/webfw_iron.rs

@@ -904,9 +904,6 @@ pub fn start_server<C>(conn: C, config: Config) -> iron::error::HttpResult<iron:
         debug_create: get "/debug/create" => debug_create_session::<C>,
     );
 
-    // TODO: how important is this? Should this be in the config? Or should this be autogenerated and saved to disk?
-    let my_secret = b"verysecret".to_vec();
-
     let mut mount = Mount::new();
 
     // Serve the shared JS/CSS at /
@@ -923,7 +920,7 @@ pub fn start_server<C>(conn: C, config: Config) -> iron::error::HttpResult<iron:
     ch.link(Write::<SharedConfiguration>::both(config.clone()));
 
     ch.link_around(CookieDistributor {});
-    ch.link_around(SessionStorage::new(SignedCookieBackend::new(my_secret)));
+    ch.link_around(SessionStorage::new(SignedCookieBackend::new(config.cookie_signing_secret.expect("Cookie signing secret not found in configuration").into_bytes())));
 
     ch.link_after(get_handlebars_engine(&config.template.unwrap_or_else(|| "default".to_string())));
     ch.link_after(ErrorReporter);