moved to .env for secret-key

2025-11-15 19:40:58 +01:00 · 2025-11-15 19:40:58 +01:00 · 4ace9bd2a0
commit 4ace9bd2a0
parent f6b3020350
3 changed files with 34 additions and 4 deletions
--- a/README.md
+++ b/README.md
@ -34,20 +34,47 @@ pkill -f "flask run" && flask run --host=0.0.0.0 --port=5001

 ### Docker Deployment
 ```bash
-# Build and start container
+# First generate and set your secret key
+python -c 'import secrets; print(f"FLASK_SECRET_KEY={secrets.token_hex(32)}")' >> .env
+
+# Then start the container
 docker-compose up --build

-# For production (detached mode)
+# Production deployment (detached mode)
 docker-compose up --build -d
 ```

+Note: Docker will automatically load the `.env` file from your project root
+
 The application will be available at `http://localhost:5001`

 ### Persisting Data
 The database will be preserved between container restarts through the `./instance` volume mount.

+## Configuration
+
+### Secret Key Management
+The application uses a hierarchical configuration for the secret key:
+1. Environment variable `FLASK_SECRET_KEY` (highest priority)
+2. Hardcoded value in `app.py` (development fallback only)
+
+**Production Setup:**
+```bash
+# Generate a secure secret key
+python -c 'import secrets; print(secrets.token_hex(32))'
+
+# Update .env file
+echo "FLASK_SECRET_KEY=your_generated_secret_here" >> .env
+```
+
+**Important Security Notes:**
+- Never commit the `.env` file to version control
+- The default secret key should only be used for development
+- In production, use proper secret management (Vault, KMS, etc.)
+
 ## Features
 - User registration with password confirmation
 - Secure password hashing
 - Login/logout functionality
 - SQLite database
+- Environment-based configuration
--- a/app.py
+++ b/app.py
@ -5,7 +5,10 @@ from werkzeug.security import generate_password_hash, check_password_hash
 import os

 app = Flask(__name__)
-app.config['SECRET_KEY'] = 'your-secret-key-here'
+app.config['SECRET_KEY'] = os.environ.get(
+    'FLASK_SECRET_KEY', 
+    'your-secret-key-here'  # Fallback for development only
+)
 app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///' + os.path.join(os.path.abspath(os.path.dirname(__file__)), 'instance/users.db')
 app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False

--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -7,7 +7,7 @@ services:
      - "5001:5001"
    environment:
      - FLASK_ENV=production
-      - FLASK_SECRET_KEY=${FLASK_SECRET_KEY:-your-secret-key-here}
+      - FLASK_SECRET_KEY=${FLASK_SECRET_KEY}  # Required - set in .env file
      - SQLALCHEMY_DATABASE_URI=sqlite:////app/instance/users.db
    volumes:
      - ./instance:/app/instance