PY secret fix

v-geberr · v-geberr · commit 6fdf4266ebd8 · 2023-03-22T15:25:30.000-07:00
diff --git a/.env.sample b/.env.sample
@@ -2,4 +2,5 @@ FLASK_DEBUG=True
 DBNAME=<database name>
 DBHOST=<database-hostname>
 DBUSER=<db-user-name>
-DBPASS=<db-password>
+DBPASS=<db-password>
+SECRET_KEY=<secret key>
diff --git a/README.md b/README.md
@@ -39,13 +39,18 @@ Steps for running the server:
 
 3. Create an `.env` file using `.env.sample` as a guide. Set the value of `DBNAME` to the name of an existing database in your local PostgreSQL instance. Set the values of `DBHOST`, `DBUSER`, and `DBPASS` as appropriate for your local PostgreSQL instance. If you're in the devcontainer, copy the values from `.env.sample.devcontainer`.
 
-4. Run the migrations:
+4. In the `.env` file, fill in a secret value for `SECRET_KEY`. You can use this command to generate an appropriate value:
+
+    ```shell
+    python -c 'import secrets; print(secrets.token_hex())'
+
+5. Run the migrations:
 
     ```shell
     python3 -m flask db upgrade
     ```
 
-5. Run the local server: (or use VS Code "Run" button and select "Run server")
+6. Run the local server: (or use VS Code "Run" button and select "Run server")
 
     ```shell
     python3 -m flask run
diff --git a/azureproject/production.py b/azureproject/production.py
@@ -1,7 +1,7 @@
 import os
 
 # SECURITY WARNING: keep the secret key used in production secret!
-SECRET_KEY = os.getenv('SECRET_KEY', 'flask-insecure-7ppocbnx@w71dcuinn*t^_mzal(t@o01v3fee27g%rg18fc5d@')
+SECRET_KEY = os.getenv('SECRET_KEY')
 
 ALLOWED_HOSTS = [os.environ['WEBSITE_HOSTNAME']] if 'WEBSITE_HOSTNAME' in os.environ else []
 CSRF_TRUSTED_ORIGINS = ['https://' + os.environ['WEBSITE_HOSTNAME']] if 'WEBSITE_HOSTNAME' in os.environ else []
