
Rotating secret keys #5621

Closed
CanaryWharf opened this issue Oct 25, 2024 · 3 comments · Fixed by #5632
Comments

@CanaryWharf

I'd like to have a couple of secret keys available, like so:

```python
app.secret_keys = [
    'key-1',
    'key-2',
]
```

This would allow them to rotate.

I've seen this issue, which seems to have auto-closed: #1574

It seems like itsdangerous now supports this: pallets/itsdangerous#141

This would allow secret keys to be rotated regularly without sessions being invalidated.

@davidism
Member

davidism commented Oct 25, 2024

Yeah, I think we could do something similar to itsdangerous here, with a new OLD_SECRET_KEYS config. Then app.secret_key remains a single value, and additional values can be added to the new config, and they can be sent to the itsdangerous mechanism. Note that app.config can't be mutated after startup (as it won't sync across each worker depending on how it's deployed), so updating the keys would require restarting the application.

(Note: The previous issue was not auto closed, a maintainer closed it after deciding not to implement it at the time.)

@davidism
Member

davidism commented Nov 6, 2024

I'm uncertain about whether my suggested SECRET_KEY and OLD_SECRET_KEYS is a good interface. I don't have experience with key rotation systems. Can the way they return data be split into these two configs? Is restarting after rotation acceptable? Otherwise, users may be better served by implementing key rotation based on their own needs.

@davidism
Member

davidism commented Nov 6, 2024

https://adamj.eu/tech/2024/08/30/django-rotate-secret-key/ looks like Django uses a similar scheme, so I guess I'll go with that.
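The scheme settled on above (one current SECRET_KEY used for signing, plus a list of older keys that are still accepted when verifying, the OLD_SECRET_KEYS / Django SECRET_KEY_FALLBACKS idea) can be shown in a few lines. The following is an added example written for this thread, not Flask's or itsdangerous' own code: it re-implements the sign-with-newest, verify-with-any rule on top of the standard library (HMAC-SHA256 over a base64 payload) so it runs without either package. The class name `RotatingSigner`, the `rotation_demo` helper and the key strings `key-1` / `key-2` are all constructed for illustration. What it demonstrates is the security property the issue is after: sessions signed before a rotation stay valid while the old key is still listed, stop being accepted once it is dropped, and a forged payload is rejected throughout.

```python
import base64
import hashlib
import hmac
import json


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, the usual token encoding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    """Inverse of _b64; restores the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class RotatingSigner:
    """Sign with the newest key, verify against every configured key.

    secret_key      -- the current key (the role of Flask's SECRET_KEY)
    old_secret_keys -- previously used keys still accepted on verification
                       (the OLD_SECRET_KEYS / SECRET_KEY_FALLBACKS idea)
    Hypothetical helper; simplified stand-in for the itsdangerous mechanism.
    """

    def __init__(self, secret_key: str, old_secret_keys=()):
        # Index 0 is always the signing key; the rest are verify-only.
        self.keys = [secret_key.encode()] + [k.encode() for k in old_secret_keys]

    @staticmethod
    def _mac(key: bytes, payload: bytes) -> bytes:
        return hmac.new(key, payload, hashlib.sha256).digest()

    def dumps(self, obj) -> str:
        """Serialise obj and sign it with the current (newest) key only."""
        payload = _b64(json.dumps(obj, separators=(",", ":"), sort_keys=True).encode())
        signature = _b64(self._mac(self.keys[0], payload.encode()))
        return f"{payload}.{signature}"

    def loads(self, token: str):
        """Return the payload if any configured key produces the signature."""
        try:
            payload, signature = token.rsplit(".", 1)
            expected = _unb64(signature)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError("malformed token") from exc
        for key in self.keys:
            # Constant-time comparison so a failed key does not leak timing.
            if hmac.compare_digest(self._mac(key, payload.encode()), expected):
                return json.loads(_unb64(payload))
        raise ValueError("bad signature")


def _accepts(signer: RotatingSigner, token: str) -> bool:
    try:
        signer.loads(token)
        return True
    except ValueError:
        return False


def rotation_demo() -> dict:
    """Walk a session cookie through a key rotation (constructed values)."""
    before = RotatingSigner("key-1")                              # pre-rotation deployment
    session = before.dumps({"user_id": 42})                       # cookie issued before rotation
    after = RotatingSigner("key-2", old_secret_keys=["key-1"])    # rotated, old key kept as fallback
    retired = RotatingSigner("key-2")                             # old key finally dropped

    # Same signature, different payload: must be rejected by every deployment.
    forged_payload = after.dumps({"user_id": 1}).rsplit(".", 1)[0]
    forged = forged_payload + "." + session.rsplit(".", 1)[1]

    return {
        "old_session_accepted_after_rotation": _accepts(after, session),
        "old_session_rejected_after_retirement": _accepts(retired, session),
        "new_session_rejected_by_pre_rotation_deployment": _accepts(before, after.dumps({"user_id": 42})),
        "forged_payload_rejected": _accepts(after, forged),
        "round_trip": after.loads(after.dumps({"user_id": 42})),
    }


if __name__ == "__main__":
    for name, value in rotation_demo().items():
        print(f"{name}: {value}")
```

The third result is the operational caveat from the first comment made concrete: a cookie signed with `key-2` is not accepted by a worker that only knows `key-1`, which is why every process must pick up the new configuration (a restart, since app.config is not meant to change after startup) before the new key is used for signing, and why the old key is only removed from the fallback list once no live session could still carry its signature.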

@davidism davidism added this to the 3.1.0 milestone Nov 6, 2024
@davidism davidism self-assigned this Nov 7, 2024
@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 25, 2024