Don't permit autogenerated secret keys in prod

Fixes #300
2022-12-28 11:27:08 -07:00 · 2022-12-28 11:27:08 -07:00 · 161b1a8af1
parent 4df4f19856
commit 161b1a8af1
1 changed files with 5 additions and 1 deletions
--- a/takahe/settings.py
+++ b/takahe/settings.py
@ -72,7 +72,7 @@ class Settings(BaseSettings):

    #: Set a secret key used for signing values such as sessions. Randomized
    #: by default, so you'll logout everytime the process restarts.
-    SECRET_KEY: str = Field(default_factory=lambda: secrets.token_hex(128))
+    SECRET_KEY: str = Field(default_factory=lambda: "autokey-" + secrets.token_hex(128))

    #: Set a secret key used to protect the stator. Randomized by default.
    STATOR_TOKEN: str = Field(default_factory=lambda: secrets.token_hex(128))
@ -173,6 +173,10 @@ class Settings(BaseSettings):

 SETUP = Settings()

+# Don't allow automatic keys in production
+if SETUP.DEBUG and SETUP.SECRET_KEY.startswith("autokey-"):
+    print("You must set TAKAHE_SECRET_KEY in production")
+    sys.exit(1)
 SECRET_KEY = SETUP.SECRET_KEY
 DEBUG = SETUP.DEBUG