Different keys for session and csrf checking middleware, some comments in compose yml and .env

2023-03-24 19:00:31 +04:00 · 2023-03-24 19:00:31 +04:00 · 3b588d2da5
commit 3b588d2da5
parent edbf0233ba
4 changed files with 39 additions and 23 deletions
--- a/.env
+++ b/.env
@ -2,7 +2,10 @@ APP_HOST=0.0.0.0
 APP_PORT=8000

 # Generate a strong secret key
-# On Linux: openssl rand -hex 32
+#
+# On Linux: tr -dc A-Za-z0-9_- </dev/urandom | head -c 44
+# With Python: import secrets; secrets.token_urlsafe(32)
+#
 # If this variable is not set,
 # the key is generated automatically
 #SECRET_KEY=secret
--- a/app/common.py
+++ b/app/common.py
@ -1,5 +1,6 @@
 import secrets
 from pathlib import Path
+from typing import Literal

 from fastapi.templating import Jinja2Templates
 from pydantic import BaseSettings
@ -14,12 +15,16 @@ static_dir = str(file_dir.parent / 'static')
 # Main configuration
 class Settings(BaseSettings):
    debug: bool = False
-    secret_key: str = 'secret'
+    session_key: str = 'secret'
+    csrf_key: str = 'secret'
    app_host: str = '127.0.0.1'
    app_port: int = 8000


-# Instantiate Settings class
+# Type alias for secret keys settings fields
+SecretKey = Literal['session_key', 'csrf_key']
+
+# Settings class instantiating
 settings = Settings()

 # Jinja templates handler
@ -28,26 +33,30 @@ templates = Jinja2Templates(
 )


-def secret_key_check() -> None:
+def secret_key_check(name: SecretKey) -> None:
    """Generates a secret key automatically
-    if the env var `secret_key` is not set
+    if an environment variable is not set
    or contains text `secret`"""

-    if settings.secret_key == 'secret':
+    settings_dict = settings.dict()
+    if settings_dict.get(name) != 'secret':
+        return

-        key_file = Path('/tmp/secret_key')
+    key_file = Path(f'/tmp/{name}')

-        if key_file.exists():
-            with key_file.open('rt') as f:
-                secret_key = f.read()
+    if key_file.exists():
+        with key_file.open('rt') as f:
+            key = f.read()

-        else:
-            secret_key = secrets.token_hex(32)
-            with key_file.open('wt') as f:
-                f.write(secret_key)
+    else:
+        key = secrets.token_hex(32)
+        with key_file.open('wt') as f:
+            f.write(key)

-        settings.secret_key = secret_key
+    settings_dict[name] = key


-# Call the function
-secret_key_check()
+# Calling the function
+# for session and CSRF keys
+secret_key_check('session_key')
+secret_key_check('csrf_key')
--- a/app/main.py
+++ b/app/main.py
@ -42,9 +42,9 @@ for p in paths:
 # Add WTForms CSRF protection middlewares
 app.add_middleware(
    SessionMiddleware,
-    secret_key=common.settings.secret_key,
+    secret_key=common.settings.session_key,
 )
 app.add_middleware(
    CSRFProtectMiddleware,
-    csrf_secret=common.settings.secret_key,
+    csrf_secret=common.settings.csrf_key,
 )
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -2,20 +2,20 @@ version: "3"

 services:

-  ${REPO_NAME_SNAKE}:
+  app:
    image: ${REPO_OWNER_LOWER}/${REPO_NAME_SNAKE}:latest
    container_name: ${REPO_NAME_SNAKE}
    restart: unless-stopped
    ports:
      - "8080:8000"
    links:
-      - ${REPO_NAME_SNAKE}_db
+      - database
    env_file: .env
    depends_on:
-      ${REPO_NAME_SNAKE}_db:
+      database:
        condition: service_healthy

-  ${REPO_NAME_SNAKE}_db:
+  database:
    image: mariadb:latest
    container_name: ${REPO_NAME_SNAKE}_db
    restart: unless-stopped
@ -29,5 +29,9 @@ services:
      timeout: 3s
      retries: 20

+# Comment or remove these lines and
+# edit `volumes` in services->database
+# if you are going to store
+# your DB in a directory
 volumes:
  db_data: