From bc70a0b2775bb531dbfb3d2be53e9189e2b36881 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Mon, 13 Apr 2026 13:12:04 +0200
Subject: [PATCH 1/5] fix login

---
 crates/defguard/src/main.rs          |  7 +++----
 crates/defguard_common/src/config.rs | 19 -------------------
 2 files changed, 3 insertions(+), 23 deletions(-)

diff --git a/crates/defguard/src/main.rs b/crates/defguard/src/main.rs
index 1e72f79fe..2d45e63ba 100644
--- a/crates/defguard/src/main.rs
+++ b/crates/defguard/src/main.rs
@@ -64,7 +64,7 @@ async fn main() -> Result<(), anyhow::Error> {
     if dotenvy::from_filename(".env.local").is_err() {
         dotenvy::dotenv().ok();
     }
-    let mut config = DefGuardConfig::new();
+    let config = DefGuardConfig::new();
     let log_filter = format!(
         "{},defguard_core::handlers::component_setup=debug,defguard_setup::auto_adoption=debug",
         config.log_level
@@ -142,6 +142,8 @@ async fn main() -> Result<(), anyhow::Error> {
     let wizard = Wizard::init(&pool, has_auto_adopt_flags, &config).await?;
 
     Settings::initialize_runtime_defaults(&pool).await?;
+    SERVER_CONFIG.set(config.clone()).ok();
+
     if !wizard.completed {
         match wizard.active_wizard {
             ActiveWizard::None => {}
@@ -186,9 +188,6 @@ async fn main() -> Result<(), anyhow::Error> {
     })?;
     update_current_settings(&pool, settings).await?;
 
-    config.initialize_post_settings();
-    SERVER_CONFIG.set(config.clone()).ok();
-
     let settings = Settings::get_current_settings();
 
     // create event channels for services
diff --git a/crates/defguard_common/src/config.rs b/crates/defguard_common/src/config.rs
index df42c6a20..74d0adee7 100644
--- a/crates/defguard_common/src/config.rs
+++ b/crates/defguard_common/src/config.rs
@@ -305,14 +305,6 @@ impl DefGuardConfig {
         }
     }
 
-    /// Initialize values that depend on Settings.
-    pub fn initialize_post_settings(&mut self) {
-        if self.cookie_domain.is_none() {
-            let settings = Settings::get_current_settings();
-            self.cookie_domain = settings.cookie_domain().ok();
-        }
-    }
-
     /// Try PKCS#1 and PKCS#8 PEM formats.
     fn parse_openid_key(path: &str) -> Result<RsaPrivateKey, rsa::pkcs8::Error> {
         if let Ok(key) = RsaPrivateKey::read_pkcs1_pem_file(path) {
@@ -352,17 +344,6 @@ mod tests {
         DefGuardConfig::command().debug_assert();
     }
 
-    #[test]
-    fn test_cookie_domain_env_override() {
-        unsafe {
-            env::set_var("DEFGUARD_COOKIE_DOMAIN", "example.com");
-        }
-
-        let config = DefGuardConfig::new();
-
-        assert_eq!(config.cookie_domain, Some("example.com".to_string()));
-    }
-
     fn make_config(adopt_edge: Option<&str>, adopt_gateway: Option<&str>) -> DefGuardConfig {
         let mut config = DefGuardConfig::new_test_config();
         config.adopt_edge = adopt_edge.map(str::to_string);

From ee305313ba6bff08c9403c5d22ab5bd3038ef301 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Mon, 13 Apr 2026 13:20:01 +0200
Subject: [PATCH 2/5] Update config.rs

---
 crates/defguard_common/src/config.rs | 2 --
 1 file changed, 2 deletions(-)

diff --git a/crates/defguard_common/src/config.rs b/crates/defguard_common/src/config.rs
index 74d0adee7..ef1a96234 100644
--- a/crates/defguard_common/src/config.rs
+++ b/crates/defguard_common/src/config.rs
@@ -334,8 +334,6 @@ impl Default for DefGuardConfig {
 
 #[cfg(test)]
 mod tests {
-    use std::env;
-
     use super::*;
 
     #[test]

From 9c314601aeac1b20b3cc126204115978d42bc6fb Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Mon, 13 Apr 2026 13:37:30 +0200
Subject: [PATCH 3/5] clippy

---
 crates/defguard_core/tests/integration/common.rs | 1 -
 crates/defguard_setup/tests/common/mod.rs        | 1 -
 2 files changed, 2 deletions(-)

diff --git a/crates/defguard_core/tests/integration/common.rs b/crates/defguard_core/tests/integration/common.rs
index bdd7e24e4..7e2c1e651 100644
--- a/crates/defguard_core/tests/integration/common.rs
+++ b/crates/defguard_core/tests/integration/common.rs
@@ -41,7 +41,6 @@ pub(crate) async fn init_config(
         .expect("Could not update current settings in the database");
     set_test_license_business();
 
-    config.initialize_post_settings();
     let _ = SERVER_CONFIG.set(config.clone());
     config
 }
diff --git a/crates/defguard_setup/tests/common/mod.rs b/crates/defguard_setup/tests/common/mod.rs
index dc692d899..e65650772 100644
--- a/crates/defguard_setup/tests/common/mod.rs
+++ b/crates/defguard_setup/tests/common/mod.rs
@@ -141,7 +141,6 @@ pub async fn init_settings_with_secret_key(pool: &PgPool) {
 
     let mut config = DefGuardConfig::new_test_config();
     config.cookie_insecure = Some(true);
-    config.initialize_post_settings();
     let _ = SERVER_CONFIG.set(config);
 }
 

From 2a33aebd8bd6b6bdd645512276804b142d91b46b Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Mon, 13 Apr 2026 14:23:14 +0200
Subject: [PATCH 4/5] Update common.rs

---
 crates/defguard_core/tests/integration/common.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crates/defguard_core/tests/integration/common.rs b/crates/defguard_core/tests/integration/common.rs
index 7e2c1e651..ec07ae227 100644
--- a/crates/defguard_core/tests/integration/common.rs
+++ b/crates/defguard_core/tests/integration/common.rs
@@ -29,7 +29,7 @@ pub(crate) async fn init_config(
 ) -> DefGuardConfig {
     let url = custom_defguard_url.unwrap_or("http://localhost:8000");
     let test_secret_key = "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef";
-    let mut config = DefGuardConfig::new_test_config();
+    let config = DefGuardConfig::new_test_config();
     initialize_current_settings(pool)
         .await
         .expect("Could not initialize current settings in the database");

From 38da03349317854ac7b1fe1e0b800bc0d84ac6f5 Mon Sep 17 00:00:00 2001
From: Aleksander <170264518+t-aleksander@users.noreply.github.com>
Date: Mon, 13 Apr 2026 14:49:51 +0200
Subject: [PATCH 5/5] ignore

---
 deny.toml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/deny.toml b/deny.toml
index 2877aa45e..24fd826f7 100644
--- a/deny.toml
+++ b/deny.toml
@@ -72,6 +72,7 @@ feature-depth = 1
 ignore = [
     { id = "RUSTSEC-2023-0071", reason = "https://github.com/RustCrypto/RSA/issues/19" },
     { id = "RUSTSEC-2024-0436", reason = "Unmaintained dependency of tera" },
+    { id = "RUSTSEC-2026-0097", reason = "Unsound rand 0.8.5 advisory; silenced until jsonwebtoken upgrades their dependencies" },
 ]
 # If this is true, then cargo deny will use the git executable to fetch advisory database.
 # If this is false, then it uses a built-in git library.