search

pallets / flask

The Python micro framework for building web applications.
https://flask.palletsprojects.com
BSD 3-Clause "New" or "Revised" License
67.93k stars 16.21k forks source link

Rotating secret keys #5621

Open CanaryWharf opened 3 hours ago

CanaryWharf commented 3 hours ago

I'd like to have a couple of secret keys available, like so

app.secret_keys = [
   'key-1',
   'key-2',
]

To allow them to rotate.

I've seen this issue which seems to have auto-closed https://github.com/pallets/flask/issues/1574

It seems like itsdangerous now supports this https://github.com/pallets/itsdangerous/pull/141

This would allow secret keys to be rotated regularly without sessions being invalidated.

davidism commented 3 hours ago

Yeah, I think we could do something similar to itsdangerous here, with a new OLD_SECRET_KEYS config. Then app.secret_key remains a single value, and additional values can be added to the new config, and they can be sent to the itsdangerous mechanism. Note that app.config can't be mutated after startup (as it won't sync across each worker depending on how it's deployed), so updating the keys would require restarting the application.