From 161b1a8af1ee89155e42a167380c97a6384756a5 Mon Sep 17 00:00:00 2001
From: Andrew Godwin <andrew@aeracode.org>
Date: Wed, 28 Dec 2022 11:27:08 -0700
Subject: [PATCH] Don't permit autogenerated secret keys in prod

Fixes #300
---
 takahe/settings.py | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/takahe/settings.py b/takahe/settings.py
index e93d82e..5a26596 100644
--- a/takahe/settings.py
+++ b/takahe/settings.py
@@ -72,7 +72,7 @@ class Settings(BaseSettings):
 
     #: Set a secret key used for signing values such as sessions. Randomized
     #: by default, so you'll logout everytime the process restarts.
-    SECRET_KEY: str = Field(default_factory=lambda: secrets.token_hex(128))
+    SECRET_KEY: str = Field(default_factory=lambda: "autokey-" + secrets.token_hex(128))
 
     #: Set a secret key used to protect the stator. Randomized by default.
     STATOR_TOKEN: str = Field(default_factory=lambda: secrets.token_hex(128))
@@ -173,6 +173,10 @@ class Settings(BaseSettings):
 
 SETUP = Settings()
 
+# Don't allow automatic keys in production
+if SETUP.DEBUG and SETUP.SECRET_KEY.startswith("autokey-"):
+    print("You must set TAKAHE_SECRET_KEY in production")
+    sys.exit(1)
 SECRET_KEY = SETUP.SECRET_KEY
 DEBUG = SETUP.DEBUG