randomize key

README.org

@@ -58,7 +58,7 @@
 
    A WSGI server like [[https://gunicorn.org/][Gunicorn]] can then be used to serve the app for example like this:
 
-   : $ gunicorn "raincloud:create_app(base_path='public', secret_key='i_am_a_key')"
+   : $ gunicorn "raincloud:create_app(base_path='public')"
 
    *Note* that currently only one worker makes sense due to server side session caching.
 
@@ -72,7 +72,6 @@
         services.raincloud = {
           enable = true;
           basePath = "/var/lib/raincloud";
-          secretKey = "i_am_a_key";
         };
       }
     #+end_src
@@ -87,18 +86,16 @@
     | =group=     | Group under which the server runs | =str= | =raincloud=   | =users=              |
     | =cloudName= | Name of the raincloud             | =str= | =raincloud=   | =bobsCloud=          |
     | =basePath=  | Base path of the raincloud        | =str= |               | =/var/lib/raincloud= |
-    | =secretKey= | Flask secret key                  | =str= |               | =i_am_a_key=         |
 
 ** Configuration
 
-   /raincloud/ provides three configuration options which can be passed to =raincloud.create_app()=:
+   /raincloud/ provides two configuration options which can be passed to =raincloud.create_app()=:
 
    - =base_path= :: Base path of the raincloud
-   - =secret_key= :: Flask secret key
    - =cloud_name= :: Cloud name (default: =raincloud=)
 
    Set them for example like this:
-   : >>> app = raincloud.create_app(base_path='/home/alice/public', secret_key='super_secret', cloud_name='myCloud')
+   : >>> app = raincloud.create_app(base_path='/home/alice/public', cloud_name='myCloud')
 
 *** =rc.conf=
     :properties:

flake.nix

@@ -61,11 +61,6 @@
               type = types.str;
               description = "Base path of the raincloud";
             };
-
-            secretKey = mkOption {
-              type = types.str;
-              description = "Flask secret key";
-            };
           };
 
           config = mkIf cfg.enable {
@@ -95,7 +90,7 @@
                 PermissionsStartOnly = true;
 
                 ExecStart = ''
-                  ${gunicorn}/bin/gunicorn "raincloud:create_app('${cfg.basePath}', '${cfg.secretKey}', '${cfg.cloudName}')" \
+                  ${gunicorn}/bin/gunicorn "raincloud:create_app('${cfg.basePath}', '${cfg.cloudName}')" \
                     --bind=${cfg.address}:${toString cfg.port}
                 '';
               };

raincloud/raincloud.py

@@ -13,14 +13,15 @@ from raincloud.directory_handler import DirectoryHandler, RaincloudIOException
 from raincloud.session_handler import SessionHandler
 from werkzeug.utils import secure_filename
 import crypt
+import os
 import werkzeug
 
 
-def create_app(base_path, secret_key, cloud_name="raincloud"):
+def create_app(base_path, cloud_name="raincloud"):
 
     # Create app
     app = Flask(__name__)
-    app.config["SECRET_KEY"] = secret_key
+    app.config["SECRET_KEY"] = os.urandom(24)
 
     # Create handlers
     dh = DirectoryHandler(base_path)

run.py

@@ -3,5 +3,5 @@
 import raincloud
 
 if __name__ == "__main__":
-    app = raincloud.create_app("public", "dev")
+    app = raincloud.create_app("public")
     app.run()