Thanks @Jules-Bertholet. I've had this in my mind for a while. As I understand it, the biggest risk for us is that session tokens could be brute-forced more easily.
Do you have any recommendations on the best way to solve this? Obviously we could allow the user to pass it in as an environment variable from docker-compose.yml, but I'm sure lots of people would find it hard to generate a secure enough string before starting, or would leave it as the default.
The best I can think of is that if no environment variable is set for it, then autogenerate one and save it as a file on a separate data volume. I'm just a bit worried it will get lost if the user wants to re-install or migrate to another server.
Closed as of a35c694. SECRET_KEY is now randomly generated on server start. Only downside I can see is that JWT tokens get refreshed by JS. If we need a more consistent SECRET_KEY in future then we can accept it as an optional environment variable or cache the generated value to disk volume.
There was a bit of a complication with the first attempt causing GraphQL JWT Error decoding signature errors. The latest commit 112fd3e hopefully solves these issues (caused by multiple Gunicorn workers each having their own secret keys). SECRET_KEY is now generated on first load and stored in Redis so all worker processes can access it. If Redis gets wiped out it will just mean users have to re-login.
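The shared-key bootstrap described in the comment above, as an added example that is not the project's own code: SECRET_KEY is taken from the environment if set; otherwise the first Gunicorn worker publishes a generated key with an atomic SET NX and every later worker reads that same value back, which is what prevents each worker from signing JWTs with a different key. The store interface mirrors the redis-py `set(name, value, nx=True)` / `get(name)` calls; the in-memory stand-in, the `simulate_workers` helper and the key name `django:secret_key` are assumptions so the example runs offline.

```python
import os
import secrets
import threading


class InMemoryStore:
    """Constructed stand-in for the small redis-py subset used below.
    A real deployment would pass a redis.Redis client instead."""

    def __init__(self):
        self._data = {}
        self._lock = threading.Lock()

    def set(self, name, value, nx=False):
        # Mirrors redis SET ... NX: only write when the key is absent.
        with self._lock:
            if nx and name in self._data:
                return None
            self._data[name] = value.encode() if isinstance(value, str) else value
            return True

    def get(self, name):
        return self._data.get(name)


def load_or_create_secret_key(store, env=None, key_name="django:secret_key"):
    """Return a SECRET_KEY that every worker process agrees on.

    Priority: explicit SECRET_KEY env var, then the value already cached in
    the shared store, else generate one and publish it with an atomic NX set
    so only the first worker's key wins; the others read it back.
    """
    env = os.environ if env is None else env
    configured = env.get("SECRET_KEY")
    if configured:
        return configured
    candidate = secrets.token_urlsafe(64)  # ~86 chars, CSPRNG-backed
    # If another worker published first, SET NX returns None and we fall
    # through to read the winning key. If Redis is wiped, a fresh key is
    # generated and existing JWTs simply stop validating (forced re-login).
    if store.set(key_name, candidate, nx=True):
        return candidate
    stored = store.get(key_name)
    return stored.decode() if isinstance(stored, bytes) else stored


def simulate_workers(n, store, env=None):
    """Run n worker bootstraps against one store; return the distinct keys."""
    return {load_or_create_secret_key(store, env) for _ in range(n)}
```

In settings.py this would be `SECRET_KEY = load_or_create_secret_key(redis.Redis.from_url(os.environ["REDIS_URL"]))`, with the env-var override giving operators a stable key across restarts.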
Describe the bug
SECRET_KEY is hard-coded in web/settings.py. This is a security vulnerability.
Expected behavior
SECRET_KEY is a configurable environment variable.