Browse Source

Merge pull request #2399 from davidism/docs-secret-key

clean up secret key docs
pull/2409/head
David Lord 8 years ago committed by GitHub
parent
commit
d13e41ddef
  1. 12
      docs/api.rst
  2. 8
      docs/config.rst
  3. 2
      docs/patterns/flashing.rst
  4. 21
      docs/quickstart.rst
  5. 8
      docs/tutorial/setup.rst
  6. 2
      examples/flaskr/flaskr/factory.py
  7. 2
      examples/minitwit/minitwit/minitwit.py
  8. 2
      flask/app.py
  9. 7
      tests/conftest.py
  10. 2
      tests/static/config.json
  11. 24
      tests/test_basic.py
  12. 13
      tests/test_config.py
  13. 5
      tests/test_signals.py
  14. 2
      tests/test_templating.py
  15. 6
      tests/test_testing.py

12
docs/api.rst

@ -103,12 +103,12 @@ Response Objects
Sessions
--------
If you have the :attr:`Flask.secret_key` set you can use sessions in Flask
applications. A session basically makes it possible to remember
information from one request to another. The way Flask does this is by
using a signed cookie. So the user can look at the session contents, but
not modify it unless they know the secret key, so make sure to set that
to something complex and unguessable.
If you have set :attr:`Flask.secret_key` (or configured it from
:data:`SECRET_KEY`) you can use sessions in Flask applications. A session makes
it possible to remember information from one request to another. The way Flask
does this is by using a signed cookie. The user can look at the session
contents, but can't modify it unless they know the secret key, so make sure to
set that to something complex and unguessable.
To access the current session you can use the :class:`session` object:

8
docs/config.rst

@ -39,7 +39,7 @@ method::
app.config.update(
DEBUG=True,
SECRET_KEY='...'
SECRET_KEY=b'_5#y2L"F4Q8z\n\xec]/'
)
.. admonition:: Debug Mode with the ``flask`` Script
@ -367,7 +367,7 @@ Here is an example of a configuration file::
# Example configuration
DEBUG = False
SECRET_KEY = '?\xbf,\xb4\x8d\xa3"<\x9c\xb0@\x0f5\xab,w\xee\x8d$0\x13\x8b83'
SECRET_KEY = b'_5#y2L"F4Q8z\n\xec]/'
Make sure to load the configuration very early on, so that extensions have
the ability to access the configuration when starting up. There are other
@ -385,7 +385,7 @@ from the environment.
Environment variables can be set on Linux or OS X with the export command in
the shell before starting the server::
$ export SECRET_KEY='?\xbf,\xb4\x8d\xa3"<\x9c\xb0@\x0f5\xab,w\xee\x8d$0\x13\x8b83'
$ export SECRET_KEY='5f352379324c22463451387a0aec5d2f'
$ export DEBUG=False
$ python run-app.py
* Running on http://127.0.0.1:5000/
@ -393,7 +393,7 @@ the shell before starting the server::
On Windows systems use the `set` builtin instead::
>set SECRET_KEY='?\xbf,\xb4\x8d\xa3"<\x9c\xb0@\x0f5\xab,w\xee\x8d$0\x13\x8b83'
>set SECRET_KEY='5f352379324c22463451387a0aec5d2f'
>set DEBUG=False
While this approach is straightforward to use, it is important to remember that

2
docs/patterns/flashing.rst

@ -22,7 +22,7 @@ So here is a full example::
request, url_for
app = Flask(__name__)
app.secret_key = 'some_secret'
app.secret_key = b'_5#y2L"F4Q8z\n\xec]/'
@app.route('/')
def index():

21
docs/quickstart.rst

@ -724,6 +724,9 @@ sessions work::
app = Flask(__name__)
# Set the secret key to some random bytes. Keep this really secret!
app.secret_key = b'_5#y2L"F4Q8z\n\xec]/'
@app.route('/')
def index():
if 'username' in session:
@ -748,24 +751,18 @@ sessions work::
session.pop('username', None)
return redirect(url_for('index'))
# set the secret key. keep this really secret:
app.secret_key = 'A0Zr98j/3yX R~XHH!jmN]LWX/,?RT'
The :func:`~flask.escape` mentioned here does escaping for you if you are
not using the template engine (as in this example).
.. admonition:: How to generate good secret keys
The problem with random is that it's hard to judge what is truly random. And
a secret key should be as random as possible. Your operating system
has ways to generate pretty random stuff based on a cryptographic
random generator which can be used to get such a key::
>>> import os
>>> os.urandom(24)
'\xfd{H\xe5<\x95\xf9\xe3\x96.5\xd1\x01O<!\xd5\xa2\xa0\x9fR"\xa1\xa8'
A secret key should be as random as possible. Your operating system has
ways to generate pretty random data based on a cryptographic random
generator. Use the following command to quickly generate a value for
:attr:`Flask.secret_key` (or :data:`SECRET_KEY`)::
Just take that thing and copy/paste it into your code and you're done.
$ python -c 'import os; print(os.urandom(16))'
b'_5#y2L"F4Q8z\n\xec]/'
A note on cookie-based sessions: Flask will take the values you put into the
session object and serialize them into a cookie. If you are finding some

8
docs/tutorial/setup.rst

@ -33,12 +33,12 @@ initialize it with the config from the same file in :file:`flaskr.py`::
app.config.from_object(__name__) # load config from this file , flaskr.py
# Load default config and override config from an environment variable
app.config.update(dict(
app.config.update(
DATABASE=os.path.join(app.root_path, 'flaskr.db'),
SECRET_KEY='development key',
SECRET_KEY=b'_5#y2L"F4Q8z\n\xec]/',
USERNAME='admin',
PASSWORD='default'
))
)
app.config.from_envvar('FLASKR_SETTINGS', silent=True)
In the above code, the :class:`~flask.Config` object works similarly to a
@ -77,7 +77,7 @@ method on the config object and provide it with an import name of a
module. Flask will then initialize the variable from that module. Note
that in all cases, only variable names that are uppercase are considered.
The ``SECRET_KEY`` is needed to keep the client-side sessions secure.
The :data:`SECRET_KEY` is needed to keep the client-side sessions secure.
Choose that key wisely and as hard to guess and complex as possible.
Lastly, add a method that allows for easy connections to the specified

2
examples/flaskr/flaskr/factory.py

@ -22,7 +22,7 @@ def create_app(config=None):
app.config.update(dict(
DATABASE=os.path.join(app.root_path, 'flaskr.db'),
DEBUG=True,
SECRET_KEY='development key',
SECRET_KEY=b'_5#y2L"F4Q8z\n\xec]/',
USERNAME='admin',
PASSWORD='default'
))

2
examples/minitwit/minitwit/minitwit.py

@ -22,7 +22,7 @@ from werkzeug import check_password_hash, generate_password_hash
DATABASE = '/tmp/minitwit.db'
PER_PAGE = 30
DEBUG = True
SECRET_KEY = 'development key'
SECRET_KEY = b'_5#y2L"F4Q8z\n\xec]/'
# create our little application :)
app = Flask('minitwit')

2
flask/app.py

@ -225,7 +225,7 @@ class Flask(_PackageBoundObject):
#: when you want to use the secure cookie for instance.
#:
#: This attribute can also be configured from the config with the
#: ``SECRET_KEY`` configuration key. Defaults to ``None``.
#: :data:`SECRET_KEY` configuration key. Defaults to ``None``.
secret_key = ConfigAttribute('SECRET_KEY')
#: The secure cookie uses this for the name of the session cookie.

7
tests/conftest.py

@ -18,12 +18,7 @@ from flask import Flask as _Flask
class Flask(_Flask):
testing = True
secret_key = __name__
def make_response(self, rv):
if rv is None:
rv = ''
return super(Flask, self).make_response(rv)
secret_key = 'test key'
@pytest.fixture

2
tests/static/config.json

@ -1,4 +1,4 @@
{
"TEST_KEY": "foo",
"SECRET_KEY": "devkey"
"SECRET_KEY": "config"
}

24
tests/test_basic.py

@ -220,8 +220,6 @@ def test_endpoint_decorator(app, client):
def test_session(app, client):
app.secret_key = 'testkey'
@app.route('/set', methods=['POST'])
def set():
flask.session['value'] = flask.request.form['value']
@ -237,7 +235,6 @@ def test_session(app, client):
def test_session_using_server_name(app, client):
app.config.update(
SECRET_KEY='foo',
SERVER_NAME='example.com'
)
@ -253,7 +250,6 @@ def test_session_using_server_name(app, client):
def test_session_using_server_name_and_port(app, client):
app.config.update(
SECRET_KEY='foo',
SERVER_NAME='example.com:8080'
)
@ -269,7 +265,6 @@ def test_session_using_server_name_and_port(app, client):
def test_session_using_server_name_port_and_path(app, client):
app.config.update(
SECRET_KEY='foo',
SERVER_NAME='example.com:8080',
APPLICATION_ROOT='/foo'
)
@ -297,7 +292,6 @@ def test_session_using_application_root(app, client):
app.wsgi_app = PrefixPathMiddleware(app.wsgi_app, '/bar')
app.config.update(
SECRET_KEY='foo',
APPLICATION_ROOT='/bar'
)
@ -312,7 +306,6 @@ def test_session_using_application_root(app, client):
def test_session_using_session_settings(app, client):
app.config.update(
SECRET_KEY='foo',
SERVER_NAME='www.example.com:8080',
APPLICATION_ROOT='/test',
SESSION_COOKIE_DOMAIN='.example.com',
@ -336,7 +329,6 @@ def test_session_using_session_settings(app, client):
def test_session_localhost_warning(recwarn, app, client):
app.config.update(
SECRET_KEY='testing',
SERVER_NAME='localhost:5000',
)
@ -353,7 +345,6 @@ def test_session_localhost_warning(recwarn, app, client):
def test_session_ip_warning(recwarn, app, client):
app.config.update(
SECRET_KEY='testing',
SERVER_NAME='127.0.0.1:5000',
)
@ -368,8 +359,8 @@ def test_session_ip_warning(recwarn, app, client):
assert 'cookie domain is an IP' in str(w.message)
def test_missing_session():
app = flask.Flask(__name__)
def test_missing_session(app):
app.secret_key = None
def expect_exception(f, *args, **kwargs):
e = pytest.raises(RuntimeError, f, *args, **kwargs)
@ -383,7 +374,6 @@ def test_missing_session():
def test_session_expiration(app, client):
permanent = True
app.secret_key = 'testkey'
@app.route('/')
def index():
@ -415,8 +405,6 @@ def test_session_expiration(app, client):
def test_session_stored_last(app, client):
app.secret_key = 'development-key'
@app.after_request
def modify_session(response):
flask.session['foo'] = 42
@ -431,7 +419,6 @@ def test_session_stored_last(app, client):
def test_session_special_types(app, client):
app.secret_key = 'development-key'
now = datetime.utcnow().replace(microsecond=0)
the_uuid = uuid.uuid4()
@ -463,7 +450,6 @@ def test_session_special_types(app, client):
def test_session_cookie_setting(app):
app.secret_key = 'dev key'
is_permanent = True
@app.route('/bump')
@ -505,8 +491,6 @@ def test_session_cookie_setting(app):
def test_session_vary_cookie(app, client):
app.secret_key = 'testkey'
@app.route('/set')
def set_session():
flask.session['test'] = 'test'
@ -562,8 +546,6 @@ def test_session_vary_cookie(app, client):
def test_flashes(app, req_ctx):
app.secret_key = 'testkey'
assert not flask.session.modified
flask.flash('Zap')
flask.session.modified = False
@ -579,8 +561,6 @@ def test_extended_flashing(app):
# in the view functions will cause a 500 response to the test client
# instead of propagating exceptions.
app.secret_key = 'testkey'
@app.route('/')
def index():
flask.flash(u'Hello World')

13
tests/test_config.py

@ -19,11 +19,11 @@ import pytest
# config keys used for the TestConfig
TEST_KEY = 'foo'
SECRET_KEY = 'devkey'
SECRET_KEY = 'config'
def common_object_test(app):
assert app.secret_key == 'devkey'
assert app.secret_key == 'config'
assert app.config['TEST_KEY'] == 'foo'
assert 'TestConfig' not in app.config
@ -50,21 +50,21 @@ def test_config_from_json():
def test_config_from_mapping():
app = flask.Flask(__name__)
app.config.from_mapping({
'SECRET_KEY': 'devkey',
'SECRET_KEY': 'config',
'TEST_KEY': 'foo'
})
common_object_test(app)
app = flask.Flask(__name__)
app.config.from_mapping([
('SECRET_KEY', 'devkey'),
('SECRET_KEY', 'config'),
('TEST_KEY', 'foo')
])
common_object_test(app)
app = flask.Flask(__name__)
app.config.from_mapping(
SECRET_KEY='devkey',
SECRET_KEY='config',
TEST_KEY='foo'
)
common_object_test(app)
@ -81,7 +81,8 @@ def test_config_from_class():
TEST_KEY = 'foo'
class Test(Base):
SECRET_KEY = 'devkey'
SECRET_KEY = 'config'
app = flask.Flask(__name__)
app.config.from_object(Test)
common_object_test(app)

5
tests/test_signals.py

@ -157,10 +157,7 @@ def test_appcontext_signals():
flask.appcontext_popped.disconnect(record_pop, app)
def test_flash_signal():
app = flask.Flask(__name__)
app.config['SECRET_KEY'] = 'secret'
def test_flash_signal(app):
@app.route('/')
def index():
flask.flash('This is a flash message', category='notice')

2
tests/test_templating.py

@ -52,8 +52,6 @@ def test_request_less_rendering(app, app_ctx):
def test_standard_context(app, client):
app.secret_key = 'development key'
@app.route('/')
def index():
flask.g.foo = 23

6
tests/test_testing.py

@ -107,8 +107,6 @@ def test_blueprint_with_subdomain(app, client):
def test_redirect_keep_session(app, client, app_ctx):
app.secret_key = 'testing'
@app.route('/', methods=['GET', 'POST'])
def index():
if flask.request.method == 'POST':
@ -139,8 +137,6 @@ def test_redirect_keep_session(app, client, app_ctx):
def test_session_transactions(app, client):
app.secret_key = 'testing'
@app.route('/')
def index():
return text_type(flask.session['foo'])
@ -169,8 +165,6 @@ def test_session_transactions_no_null_sessions():
def test_session_transactions_keep_context(app, client, req_ctx):
app.secret_key = 'testing'
rv = client.get('/')
req = flask.request._get_current_object()
assert req is not None

Loading…
Cancel
Save