Avoid polluting the config (#25345) (#25354)

Backport #25345 by @wxiaoguang

Caught by #25330

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>

1 files changed, 14 insertions, 12 deletions

diff --git a/modules/setting/oauth2.go b/modules/setting/oauth2.go
index 4dab468c10..836a2bb25f 100644
--- a/modules/setting/oauth2.go
+++ b/modules/setting/oauth2.go
@@ -120,18 +120,20 @@ func loadOAuth2From(rootCfg ConfigProvider) {
 		OAuth2.JWTSigningPrivateKeyFile = filepath.Join(AppDataPath, OAuth2.JWTSigningPrivateKeyFile)
 	}
 
-	key := make([]byte, 32)
-	n, err := base64.RawURLEncoding.Decode(key, []byte(OAuth2.JWTSecretBase64))
-	if err != nil || n != 32 {
-		key, err = generate.NewJwtSecret()
-		if err != nil {
-			log.Fatal("error generating JWT secret: %v", err)
-		}
-
-		secretBase64 := base64.RawURLEncoding.EncodeToString(key)
-		rootCfg.Section("oauth2").Key("JWT_SECRET").SetValue(secretBase64)
-		if err := rootCfg.Save(); err != nil {
-			log.Fatal("save oauth2.JWT_SECRET failed: %v", err)
+	if InstallLock {
+		key := make([]byte, 32)
+		n, err := base64.RawURLEncoding.Decode(key, []byte(OAuth2.JWTSecretBase64))
+		if err != nil || n != 32 {
+			key, err = generate.NewJwtSecret()
+			if err != nil {
+				log.Fatal("error generating JWT secret: %v", err)
+			}
+
+			secretBase64 := base64.RawURLEncoding.EncodeToString(key)
+			rootCfg.Section("oauth2").Key("JWT_SECRET").SetValue(secretBase64)
+			if err := rootCfg.Save(); err != nil {
+				log.Fatal("save oauth2.JWT_SECRET failed: %v", err)
+			}
 		}
 	}
 }