diff --git a/docker/.env b/docker/.env
index b9d7625f..161796e6 100644
--- a/docker/.env
+++ b/docker/.env
@@ -38,7 +38,7 @@ PUSHOVER_SUBSCRIPTION_URL=
 REGISTRATION_OPEN=True
 REMOTE_USER_HEADER=
 RP_ID=
-SECRET_KEY=
+SECRET_KEY=---
 SHELL_ENABLED=False
 SIGNAL_CLI_ENABLED=False
 SITE_NAME=Mychecks
diff --git a/hc/front/templatetags/hc_extras.py b/hc/front/templatetags/hc_extras.py
index c440627b..145f825c 100644
--- a/hc/front/templatetags/hc_extras.py
+++ b/hc/front/templatetags/hc_extras.py
@@ -70,6 +70,15 @@ def debug_warning():
 """
 )
+ if settings.SECRET_KEY == "---":
+ return mark_safe(
+ """
+
+ Running with an insecure SECRET_KEY value, do not use in production.
+
+ """
+ )
+ return ""
diff --git a/hc/front/tests/test_basics.py b/hc/front/tests/test_basics.py
index fd3cbbaf..c1d20f74 100644
--- a/hc/front/tests/test_basics.py
+++ b/hc/front/tests/test_basics.py
@@ -3,15 +3,22 @@ from django.test.utils import override_settings
 class BasicsTestCase(TestCase):
+ @override_settings(DEBUG=False, SECRET_KEY="abc")
 def test_it_shows_welcome(self):
 r = self.client.get("/")
 self.assertContains(r, "Get Notified", status_code=200)
 self.assertNotContains(r, "do not use in production")
- @override_settings(DEBUG=True)
+ @override_settings(DEBUG=True, SECRET_KEY="abc")
 def test_it_shows_debug_warning(self):
 r = self.client.get("/")
- self.assertContains(r, "do not use in production")
+ self.assertContains(r, "Running in debug mode")
+
+ @override_settings(DEBUG=False, SECRET_KEY="---")
+ def test_it_shows_secret_key_warning(self):
+ r = self.client.get("/")
+ self.assertContains(r, "Get Notified", status_code=200)
+ self.assertContains(r, "Running with an insecure SECRET_KEY value")
 @override_settings(REGISTRATION_OPEN=False)
 def test_it_obeys_registration_open(self):
diff --git a/hc/settings.py b/hc/settings.py
index 94fae727..a8427596 100644
--- a/hc/settings.py
+++ b/hc/settings.py
@@ -26,7 +26,7 @@ def envint(s, default):
 return int(v)
-SECRET_KEY = os.getenv("SECRET_KEY", "")
+SECRET_KEY = os.getenv("SECRET_KEY", "---")
 METRICS_KEY = os.getenv("METRICS_KEY")
 DEBUG = envbool("DEBUG", "True")
 ALLOWED_HOSTS = os.getenv("ALLOWED_HOSTS", "*").split(",")
diff --git a/templates/docs/self_hosted_configuration.html b/templates/docs/self_hosted_configuration.html
index 8c72d3e4..b7f78507 100644
--- a/templates/docs/self_hosted_configuration.html
+++ b/templates/docs/self_hosted_configuration.html
@@ -230,8 +230,9 @@ if your site runs on https://my-hc.example.org, set RP_IDrunsslserver command from the django-sslserver package.
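Review bot: The new check in debug_warning() fires only for the exact placeholder `"---"`, so a deployment whose SECRET_KEY is any other short or guessable string gets no warning at all, and the same literal is now hard-coded independently in docker/.env, hc/settings.py and here, where the three copies can drift apart. Consider hoisting the placeholder into one named constant next to the SECRET_KEY line in hc/settings.py (for example `INSECURE_SECRET_KEY_PLACEHOLDER = "---"`) and comparing against it, `if settings.SECRET_KEY == settings.INSECURE_SECRET_KEY_PLACEHOLDER:`. Django's own `check --deploy` already reports a weak key as security.W009 (fewer than 50 characters or fewer than 5 distinct characters), which covers the placeholder and other weak values without a project-specific sentinel; the in-page banner is still useful for operators who never run the deploy checks. The body of debug_warning() starts above this hunk, so the branch that precedes the new comparison is not visible here.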
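Review bot: The new tests pin both DEBUG=False cases but not DEBUG=True combined with SECRET_KEY="---", which is the default configuration a fresh checkout runs with. If, as the context in hc_extras.py suggests, the debug branch returns before the new SECRET_KEY comparison is reached, that configuration only ever shows "Running in debug mode" and the key warning is masked; a test decorated `@override_settings(DEBUG=True, SECRET_KEY="---")` asserting which message(s) appear would document the intended precedence either way. The BasicsTestCase class continues below the hunk.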
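Review bot: `SECRET_KEY = os.getenv("SECRET_KEY", "---")` turns a missing variable into a publicly known signing key, whereas the previous "" default made Django refuse to start (ImproperlyConfigured on an empty SECRET_KEY); since SECRET_KEY protects session cookies, CSRF tokens and password-reset tokens, a deployment that never sets the variable now runs with the banner as the only signal. A one-line comment making that trade-off explicit would help the next reader, e.g. `# "---" is a deliberately recognisable placeholder: hc_extras.debug_warning() shows a warning while it is in use; always set SECRET_KEY in production.` If fail-fast outside debug is preferred, `if not DEBUG and SECRET_KEY == "---": raise ImproperlyConfigured("SECRET_KEY is not set")` after the DEBUG line would do it, but that conflicts with the new test_it_shows_secret_key_warning, which expects the page to render with DEBUG=False, so it is a design decision for the maintainer rather than a defect in the hunk.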

SECRET_KEY

-

Default: "" (empty string)

-

A secret key used for cryptographic signing.

+

Default: ---

+

A secret key used for cryptographic signing, and should be set to a unique, +unpredictable value.

This is a standard Django setting, read more in Django documentation.

SHELL_ENABLED

diff --git a/templates/docs/self_hosted_configuration.md b/templates/docs/self_hosted_configuration.md
index 9f58089c..b2f2b71e 100644
--- a/templates/docs/self_hosted_configuration.md
+++ b/templates/docs/self_hosted_configuration.md
@@ -370,9 +370,10 @@ from the `django-sslserver` package.
 ## `SECRET_KEY` {: #SECRET_KEY }
-Default: `""` (empty string)
+Default: `---`
-A secret key used for cryptographic signing.
+A secret key used for cryptographic signing, and should be set to a unique,
+unpredictable value.
 This is a standard Django setting, read more in [Django documentation](https://docs.djangoproject.com/en/3.1/ref/settings/#secret-key).