From 0e0ad27dbf947c763ae684e47b5a3cfce9e84f3a Mon Sep 17 00:00:00 2001
From: Denis Lehmann <denis@opaque.tech>
Date: Sun, 1 May 2022 10:59:50 +0200
Subject: [PATCH] randomize key

---
 README.org             | 9 +++------
 flake.nix              | 7 +------
 raincloud/raincloud.py | 5 +++--
 run.py                 | 2 +-
 4 files changed, 8 insertions(+), 15 deletions(-)

diff --git a/README.org b/README.org
index d043cee..c808f7f 100644
--- a/README.org
+++ b/README.org
@@ -58,7 +58,7 @@
 
    A WSGI server like [[https://gunicorn.org/][Gunicorn]] can then be used to serve the app for example like this:
 
-   : $ gunicorn "raincloud:create_app(base_path='public', secret_key='i_am_a_key')"
+   : $ gunicorn "raincloud:create_app(base_path='public')"
 
    *Note* that currently only one worker makes sense due to server side session caching.
 
@@ -72,7 +72,6 @@
         services.raincloud = {
           enable = true;
           basePath = "/var/lib/raincloud";
-          secretKey = "i_am_a_key";
         };
       }
     #+end_src
@@ -87,18 +86,16 @@
     | =group=     | Group under which the server runs | =str= | =raincloud=   | =users=              |
     | =cloudName= | Name of the raincloud             | =str= | =raincloud=   | =bobsCloud=          |
     | =basePath=  | Base path of the raincloud        | =str= |               | =/var/lib/raincloud= |
-    | =secretKey= | Flask secret key                  | =str= |               | =i_am_a_key=         |
 
 ** Configuration
 
-   /raincloud/ provides three configuration options which can be passed to =raincloud.create_app()=:
+   /raincloud/ provides two configuration options which can be passed to =raincloud.create_app()=:
 
    - =base_path= :: Base path of the raincloud
-   - =secret_key= :: Flask secret key
    - =cloud_name= :: Cloud name (default: =raincloud=)
 
    Set them for example like this:
-   : >>> app = raincloud.create_app(base_path='/home/alice/public', secret_key='super_secret', cloud_name='myCloud')
+   : >>> app = raincloud.create_app(base_path='/home/alice/public', cloud_name='myCloud')
 
 *** =rc.conf=
     :properties:
diff --git a/flake.nix b/flake.nix
index 53a7cdb..fdea70c 100644
--- a/flake.nix
+++ b/flake.nix
@@ -61,11 +61,6 @@
               type = types.str;
               description = "Base path of the raincloud";
             };
-
-            secretKey = mkOption {
-              type = types.str;
-              description = "Flask secret key";
-            };
           };
 
           config = mkIf cfg.enable {
@@ -95,7 +90,7 @@
                 PermissionsStartOnly = true;
 
                 ExecStart = ''
-                  ${gunicorn}/bin/gunicorn "raincloud:create_app('${cfg.basePath}', '${cfg.secretKey}', '${cfg.cloudName}')" \
+                  ${gunicorn}/bin/gunicorn "raincloud:create_app('${cfg.basePath}', '${cfg.cloudName}')" \
                     --bind=${cfg.address}:${toString cfg.port}
                 '';
               };
diff --git a/raincloud/raincloud.py b/raincloud/raincloud.py
index 66c4d6a..27bb955 100755
--- a/raincloud/raincloud.py
+++ b/raincloud/raincloud.py
@@ -13,14 +13,15 @@ from raincloud.directory_handler import DirectoryHandler, RaincloudIOException
 from raincloud.session_handler import SessionHandler
 from werkzeug.utils import secure_filename
 import crypt
+import os
 import werkzeug
 
 
-def create_app(base_path, secret_key, cloud_name="raincloud"):
+def create_app(base_path, cloud_name="raincloud"):
 
     # Create app
     app = Flask(__name__)
-    app.config["SECRET_KEY"] = secret_key
+    app.config["SECRET_KEY"] = os.urandom(24)
 
     # Create handlers
     dh = DirectoryHandler(base_path)
diff --git a/run.py b/run.py
index d886faf..892f8f1 100755
--- a/run.py
+++ b/run.py
@@ -3,5 +3,5 @@
 import raincloud
 
 if __name__ == "__main__":
-    app = raincloud.create_app("public", "dev")
+    app = raincloud.create_app("public")
     app.run()