From 161b1a8af1ee89155e42a167380c97a6384756a5 Mon Sep 17 00:00:00 2001
From: Andrew Godwin
Date: Wed, 28 Dec 2022 11:27:08 -0700
Subject: [PATCH] Don't permit autogenerated secret keys in prod
Fixes #300
---
 takahe/settings.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/takahe/settings.py b/takahe/settings.py
index e93d82e..5a26596 100644
--- a/takahe/settings.py
+++ b/takahe/settings.py
@@ -72,7 +72,7 @@ class Settings(BaseSettings):
 #: Set a secret key used for signing values such as sessions. Randomized
 #: by default, so you'll logout everytime the process restarts.
- SECRET_KEY: str = Field(default_factory=lambda: secrets.token_hex(128))
+ SECRET_KEY: str = Field(default_factory=lambda: "autokey-" + secrets.token_hex(128))
 #: Set a secret key used to protect the stator. Randomized by default.
 STATOR_TOKEN: str = Field(default_factory=lambda: secrets.token_hex(128))
@@ -173,6 +173,10 @@ class Settings(BaseSettings):
 SETUP = Settings()
+# Don't allow automatic keys in production
+if SETUP.DEBUG and SETUP.SECRET_KEY.startswith("autokey-"):
+ print("You must set TAKAHE_SECRET_KEY in production")
+ sys.exit(1)
 SECRET_KEY = SETUP.SECRET_KEY
 DEBUG = SETUP.DEBUG
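Review bot: The `#:` comment above `SECRET_KEY` in the first hunk is left unchanged and still presents the random default as acceptable, with logouts on restart as its only cost. It mentions neither the new `autokey-` marker nor that the startup check is meant to reject that default in production. I would extend it with `#: The generated default is prefixed "autokey-" and is only meant for debug use; set TAKAHE_SECRET_KEY for production.` Detection is by string prefix on the value itself, so an operator-supplied key that happens to begin with `autokey-` would be treated as generated, which deserves a word in the same comment. The Settings class body continues outside the hunk.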
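Review bot: The guard added in the second hunk tests the wrong mode: `if SETUP.DEBUG and SETUP.SECRET_KEY.startswith("autokey-"):` exits when DEBUG is on and lets the generated key through when DEBUG is off, the production case named in the comment and the commit subject. It should read `if not SETUP.DEBUG and SETUP.SECRET_KEY.startswith("autokey-"):`. As written, a production instance without TAKAHE_SECRET_KEY still starts with a per-process random signing key, while a development run that relies on the default is the one that gets stopped. The message would also be better on stderr, `print("You must set TAKAHE_SECRET_KEY in production", file=sys.stderr)`. The hunk does not show whether `sys` is imported at the top of settings.py, so that should be confirmed.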