
config keys should be prefixed

Open davidism opened this issue 3 years ago • 3 comments

Extensions should namespace any values they use in app.config and g with their name (without the "Flask-" prefix). It's usually a good idea to set the default config in init_app as well and access them with []. This makes it easier to reason about what extension manages what config.

Flask-Login currently uses the following keys:

  • USE_SESSION_FOR_NEXT, default False
  • REMEMBER_COOKIE_NAME, default "remember_token"
  • REMEMBER_COOKIE_DOMAIN, default None
  • REMEMBER_COOKIE_PATH, default "/"
  • REMEMBER_COOKIE_SECURE, default False
  • REMEMBER_COOKIE_HTTPONLY, default True
  • REMEMBER_COOKIE_SAMESITE, default None
  • REMEMBER_COOKIE_DURATION, default timedelta(days=365), converts int
  • REMEMBER_COOKIE_REFRESH_EACH_REQUEST, default None, should probably be False
  • AUTH_HEADER_NAME, default "Authorization", removed in 0.7 along with header_loader
  • SESSION_PROTECTION, default self.session_protection, default "basic"
  • FORCE_HOST_FOR_REDIRECTS, default None
  • LOGIN_DISABLED, default False

davidism, Jul 25 '22 17:07

I'm considering whether we should get rid of a lot of the REMEMBER_COOKIE_ config and have it use the same values as Flask's SESSION_ config. It seems the only ones that should ever be different are NAME and DURATION.

davidism, Jul 26 '22 13:07
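An added example, not part of the thread and not Flask-Login's own code: one way the two proposals above could combine, with NAME and DURATION kept under a prefixed namespace and the remaining cookie attributes read from Flask's SESSION_COOKIE_* keys. The LOGIN_ prefix and both function names are assumptions, and the config is a plain mapping standing in for app.config, so Flask's own SESSION_COOKIE_* defaults are only present if the caller supplies them.

```python
import warnings
from datetime import timedelta

PREFIX = "LOGIN_"  # assumed namespace: extension name without "Flask-"
# Keys that stay specific to the remember cookie (defaults as listed in the issue).
OWN_DEFAULTS = {
    "REMEMBER_COOKIE_NAME": "remember_token",
    "REMEMBER_COOKIE_DURATION": timedelta(days=365),
}
# Cookie attributes that would follow Flask's SESSION_COOKIE_* settings instead.
SHARED = ("DOMAIN", "PATH", "SECURE", "HTTPONLY", "SAMESITE")


def init_config(config):
    """Set prefixed defaults on a Flask-style config (app.config is a dict subclass)."""
    for old, default in OWN_DEFAULTS.items():
        new = PREFIX + old
        if old in config and new not in config:
            warnings.warn(f"{old} is deprecated, use {new}", DeprecationWarning)
            config[new] = config[old]
        config.setdefault(new, default)
    key = PREFIX + "REMEMBER_COOKIE_DURATION"
    if isinstance(config[key], int):  # ints are converted, read here as seconds
        config[key] = timedelta(seconds=config[key])
    # A legacy flag that disagrees with the session setting would be silently
    # dropped by the merge (e.g. Secure=True becoming False), so report it.
    for attr in SHARED:
        old = "REMEMBER_COOKIE_" + attr
        if old in config and config[old] != config.get("SESSION_COOKIE_" + attr):
            warnings.warn(f"{old} is ignored, SESSION_COOKIE_{attr} applies")
    return config


def remember_cookie_kwargs(config):
    """Keyword arguments for response.set_cookie(), flags taken from the session config."""
    kwargs = {a.lower(): config.get("SESSION_COOKIE_" + a) for a in SHARED}
    kwargs["path"] = kwargs["path"] or "/"
    kwargs["key"] = config[PREFIX + "REMEMBER_COOKIE_NAME"]
    kwargs["max_age"] = config[PREFIX + "REMEMBER_COOKIE_DURATION"]
    return kwargs


if __name__ == "__main__":
    # Constructed sample config: legacy keys plus hardened session settings.
    cfg = init_config({"REMEMBER_COOKIE_NAME": "rt", "REMEMBER_COOKIE_DURATION": 3600,
                       "SESSION_COOKIE_SECURE": True, "SESSION_COOKIE_SAMESITE": "Lax"})
    print(remember_cookie_kwargs(cfg))
```

The mismatch warning is the part to keep if the merge happens: a deployment that set REMEMBER_COOKIE_SECURE to True while leaving SESSION_COOKIE_SECURE at False would otherwise lose the Secure flag on its remember cookie without notice.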

In Flask-Security-Too - I have 2 config variables - one for the name, the other is a dict which is passed straight to response.set_cookie.

Such as:

    "CSRF_COOKIE_NAME": None,
    "CSRF_COOKIE": {
        "samesite": "Strict",
        "httponly": False,
        "secure": False,
    },

jwag956, Oct 20 '23 23:10

Nowadays I'm moving to dicts as well, since app.config.from_prefixed_env supports nested keys. If I get to this eventually, I'll look into it.

davidism, Oct 21 '23 01:10