Set the SECRET_KEY default value back to "---"

Previously, I had changed the default value to "", to force users to set the SECRET_KEY value (the app refuses to start if SECRET_KEY is empty). The problem with that is, out of the box, with the default configuration, the tests also don't run and complain about the empty SECRET_KEY. So, a compromise: revert back to the default value "---". At runtime, if SECRET_KEY has the default value, show a warning at the top of every page.
2021-01-28 15:38:14 +02:00 · 2021-01-28 15:38:14 +02:00 · 45078e6566
commit 45078e6566
parent dc39831aef
6 changed files with 26 additions and 8 deletions
--- a/docker/.env
+++ b/docker/.env
@ -38,7 +38,7 @@ PUSHOVER_SUBSCRIPTION_URL=
 REGISTRATION_OPEN=True
 REMOTE_USER_HEADER=
 RP_ID=
-SECRET_KEY=
+SECRET_KEY=---
 SHELL_ENABLED=False
 SIGNAL_CLI_ENABLED=False
 SITE_NAME=Mychecks
--- a/hc/front/templatetags/hc_extras.py
+++ b/hc/front/templatetags/hc_extras.py
@ -70,6 +70,15 @@ def debug_warning():
        """
        )

+    if settings.SECRET_KEY == "---":
+        return mark_safe(
+            """
+            <div id="debug-warning">
+            Running with an insecure SECRET_KEY value, do not use in production.
+            </div>
+        """
+        )
+
    return ""


--- a/hc/front/tests/test_basics.py
+++ b/hc/front/tests/test_basics.py
@ -3,15 +3,22 @@ from django.test.utils import override_settings


 class BasicsTestCase(TestCase):
+    @override_settings(DEBUG=False, SECRET_KEY="abc")
    def test_it_shows_welcome(self):
        r = self.client.get("/")
        self.assertContains(r, "Get Notified", status_code=200)
        self.assertNotContains(r, "do not use in production")

-    @override_settings(DEBUG=True)
+    @override_settings(DEBUG=True, SECRET_KEY="abc")
    def test_it_shows_debug_warning(self):
        r = self.client.get("/")
-        self.assertContains(r, "do not use in production")
+        self.assertContains(r, "Running in debug mode")
+
+    @override_settings(DEBUG=False, SECRET_KEY="---")
+    def test_it_shows_secret_key_warning(self):
+        r = self.client.get("/")
+        self.assertContains(r, "Get Notified", status_code=200)
+        self.assertContains(r, "Running with an insecure SECRET_KEY value")

    @override_settings(REGISTRATION_OPEN=False)
    def test_it_obeys_registration_open(self):
--- a/hc/settings.py
+++ b/hc/settings.py
@ -26,7 +26,7 @@ def envint(s, default):
    return int(v)


-SECRET_KEY = os.getenv("SECRET_KEY", "")
+SECRET_KEY = os.getenv("SECRET_KEY", "---")
 METRICS_KEY = os.getenv("METRICS_KEY")
 DEBUG = envbool("DEBUG", "True")
 ALLOWED_HOSTS = os.getenv("ALLOWED_HOSTS", "*").split(",")
--- a/templates/docs/self_hosted_configuration.html
+++ b/templates/docs/self_hosted_configuration.html
@ -230,8 +230,9 @@ if your site runs on <code>https://my-hc.example.org</code>, set <code>RP_ID</co
 locally with a self-signed certificate, you can use the <code>runsslserver</code> command
 from the <code>django-sslserver</code> package.</p>
 <h2 id="SECRET_KEY"><code>SECRET_KEY</code></h2>
-<p>Default: <code>""</code> (empty string)</p>
-<p>A secret key used for cryptographic signing.</p>
+<p>Default: <code>---</code></p>
+<p>A secret key used for cryptographic signing, and should be set to a unique,
+unpredictable value.</p>
 <p>This is a standard Django setting, read more in
 <a href="https://docs.djangoproject.com/en/3.1/ref/settings/#secret-key">Django documentation</a>.</p>
 <h2 id="SHELL_ENABLED"><code>SHELL_ENABLED</code></h2>
--- a/templates/docs/self_hosted_configuration.md
+++ b/templates/docs/self_hosted_configuration.md
@ -370,9 +370,10 @@ from the `django-sslserver` package.

 ## `SECRET_KEY` {: #SECRET_KEY }

-Default: `""` (empty string)
+Default: `---`

-A secret key used for cryptographic signing.
+A secret key used for cryptographic signing, and should be set to a unique,
+unpredictable value.

 This is a standard Django setting, read more in
 [Django documentation](https://docs.djangoproject.com/en/3.1/ref/settings/#secret-key).