physionet-build

Allow rotating SECRET_KEY

Open bemoody opened this issue 2 years ago • 3 comments

There should be a way to change the Django SECRET_KEY value. Preferably, we should be able to rotate the key regularly (once per year, say), without breaking anything.

We really don't want to break:

  • user registration email links
  • password reset email links

We would prefer not to break:

  • login sessions ("sessionid" cookies)
  • anonymous access sessions ("anonymousaccess" cookies)
  • user registration ("register_time" cookies)
  • ...anything else that uses "get_signed_cookie"

https://pypi.org/project/django-rotate-secret-key/ is a package that claims to address the login session issue; I haven't looked at how it's implemented, whether it works with Django 4, or whether it addresses any of the other issues.

bemoody, Mar 21 '23 22:03

@bemoody This looks unassigned and super cool; if this is still open, would it be okay if I work on this?

superryeti, Apr 14 '23 16:04

@amitupreti please feel free to take this on!

tompollard, Apr 14 '23 20:04

Key rotation finally became an officially supported feature in Django 4.1, so we just have to turn it on. Probably everything should just work unless we have code that directly refers to SECRET_KEY.

bemoody, Oct 23 '23 15:10
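The mechanism the thread converges on (Django 4.1's `SECRET_KEY_FALLBACKS` setting: the active `SECRET_KEY` signs new values, while verification also tries each fallback key) can be shown without Django installed. The following is an added illustration, not code from physionet-build or from Django; it models the signing/verification behaviour with a plain HMAC so the effect on the cookies and e-mail links listed in the issue can be traced. The key strings, the `sessionid` payload and the helper names (`sign`, `unsign`, `rotation_settings`, `rotate_demo`) are constructed for the example; the only real Django names are the two setting keys.

```python
import hashlib
import hmac
from typing import Dict, Sequence

# Simplified stand-in for django.core.signing: value:hexmac, HMAC-SHA256 over the value.
# Real Django uses a salted key derivation and base64 signatures; the fallback logic is the same shape.


def sign(value: str, key: str) -> str:
    """Sign `value` with the active key only. Fallback keys never sign new values."""
    mac = hmac.new(key.encode(), value.encode(), hashlib.sha256).hexdigest()
    return f"{value}:{mac}"


def unsign(token: str, key: str, fallbacks: Sequence[str] = ()) -> str:
    """Verify `token` against the active key, then each fallback key in order.

    This mirrors what Django does for sessions, get_signed_cookie() and the
    password-reset / registration tokens once SECRET_KEY_FALLBACKS is set.
    """
    value, sep, mac = token.rpartition(":")
    if not sep:
        raise ValueError("malformed token")
    for candidate in (key, *fallbacks):
        expected = hmac.new(candidate.encode(), value.encode(), hashlib.sha256).hexdigest()
        if hmac.compare_digest(expected, mac):
            return value
    raise ValueError("bad signature")


def rotation_settings(new_key: str, old_keys: Sequence[str]) -> Dict[str, object]:
    """Shape of the two Django settings that enable rotation (values are placeholders)."""
    return {"SECRET_KEY": new_key, "SECRET_KEY_FALLBACKS": list(old_keys)}


def rotate_demo() -> Dict[str, bool]:
    """Walk through one rotation and report what survives at each stage."""
    old_key = "old-secret-constructed"   # the key in use before rotation
    new_key = "new-secret-constructed"   # the key after rotation
    payload = "sessionid=abc123"         # constructed; stands for any signed cookie or link token

    issued_before_rotation = sign(payload, old_key)
    results: Dict[str, bool] = {}

    # Stage 1: SECRET_KEY = new, SECRET_KEY_FALLBACKS = [old]. Old tokens still verify.
    settings = rotation_settings(new_key, [old_key])
    results["old_token_after_rotation"] = (
        unsign(issued_before_rotation, settings["SECRET_KEY"], settings["SECRET_KEY_FALLBACKS"])
        == payload
    )

    # New tokens are signed with the new key and verify without needing the fallback.
    issued_after_rotation = sign(payload, new_key)
    results["new_token_verifies"] = unsign(issued_after_rotation, new_key) == payload

    # Stage 2: fallback removed (e.g. a year later). Old tokens now fail, as intended.
    try:
        unsign(issued_before_rotation, new_key)
        results["old_token_after_fallback_removed"] = True
    except ValueError:
        results["old_token_after_fallback_removed"] = False

    # Code that reads SECRET_KEY directly and verifies with only that key gets no fallback
    # behaviour at all; this is the case the last comment warns about.
    try:
        unsign(issued_before_rotation, new_key, fallbacks=())
        results["direct_secret_key_use_survives"] = True
    except ValueError:
        results["direct_secret_key_use_survives"] = False

    return results


if __name__ == "__main__":
    for name, ok in rotate_demo().items():
        print(f"{name}: {ok}")
```

The practical reading for the issue's lists: anything that goes through Django's signer (sessions, `get_signed_cookie`, password-reset and registration tokens) keeps working across a rotation for as long as the previous key stays in `SECRET_KEY_FALLBACKS`, and any code that hands `settings.SECRET_KEY` to its own HMAC has to be found and changed to use the signer instead, because it will reject every value signed before the rotation.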