From 651205f1b4b330b3a9ba27e9a780229f7afc99e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=C3=89loi=20Rivard?= <eloi@yaal.coop>
Date: Mon, 20 Jan 2025 15:07:29 +0100
Subject: [PATCH] refactor: SECRET_KEY is optional

---
 CHANGES.rst                     |  1 +
 canaille/app/configuration.py   |  8 +++++---
 canaille/app/server.py          |  6 ++++++
 canaille/app/templating.py      |  1 +
 canaille/templates/base.html    | 17 ++++++++++++++++-
 tests/app/test_configuration.py | 19 +++++++++++++++++++
 6 files changed, 48 insertions(+), 4 deletions(-)

diff --git a/CHANGES.rst b/CHANGES.rst
index 9bcb18c0..d13c2530 100644
--- a/CHANGES.rst
+++ b/CHANGES.rst
@@ -10,6 +10,7 @@ Changed
 ^^^^^^^
 - Avoid displaying password strength progress bar in login form
 - Mysql extra depends on ``pymysql`` instead of ``mysql-connector``.
+- :attr:`~canaille.app.configuration.RootSettings.SECRET_KEY` is not mandatory anymore, but displays warnings when unset. :pr:`221`
 
 [0.0.59] - 2025-01-10
 ---------------------
diff --git a/canaille/app/configuration.py b/canaille/app/configuration.py
index ed13a7f5..1807d471 100644
--- a/canaille/app/configuration.py
+++ b/canaille/app/configuration.py
@@ -44,10 +44,10 @@ class RootSettings(BaseSettings):
         case_sensitive=True,
     )
 
-    SECRET_KEY: str
+    SECRET_KEY: str | None = None
     """The Flask :external:py:data:`SECRET_KEY` configuration setting.
 
-    You MUST change this.
+    You MUST set a value before deploying in production.
     """
 
     SERVER_NAME: str | None = None
@@ -169,7 +169,9 @@ def setup_config(app, config=None, test_config=True, env_file=None, env_prefix="
         app.logger.critical(str(exc))
         return False
 
-    app.config.from_mapping(config_obj.model_dump())
+    config_dict = config_obj.model_dump()
+    app.no_secret_key = config_dict["SECRET_KEY"] is None
+    app.config.from_mapping(config_dict)
 
     if app.debug:
         install(app.config, debug=True)
diff --git a/canaille/app/server.py b/canaille/app/server.py
index 58820ffc..6d6ed8c9 100644
--- a/canaille/app/server.py
+++ b/canaille/app/server.py
@@ -1,3 +1,9 @@
+import uuid
+
 from canaille import create_app  # pragma: no cover
 
 app = create_app(env_file=".env")  # pragma: no cover
+
+if app.config["SECRET_KEY"] is None:  # pragma: no cover
+    app.logger.warning("Missing 'SECRET_KEY' configuration parameter.")
+    app.config["SECRET_KEY"] = str(uuid.uuid4())
diff --git a/canaille/app/templating.py b/canaille/app/templating.py
index e333dcce..24f08058 100644
--- a/canaille/app/templating.py
+++ b/canaille/app/templating.py
@@ -64,4 +64,5 @@ def global_processor():
             "request_is_boosted": request_is_boosted(),
             "request_is_partial": request_is_partial(),
             "features": app.features,
+            "no_secret_key": app.no_secret_key,
         }
diff --git a/canaille/templates/base.html b/canaille/templates/base.html
index 9a50e054..e51d272b 100644
--- a/canaille/templates/base.html
+++ b/canaille/templates/base.html
@@ -19,6 +19,8 @@
 :type menu: :class:`bool`
 :param debug: Whether the app has been launched in debug mode.
 :type debug: :class:`bool`
+:param no_secret_key: Whether a :attr:`~canaille.app.configuration.RootSettings.SECRET_KEY` has been defined.
+:type no_secret_key: bool
 #}
 {%- import 'macro/flask.html' as flask -%}
 
@@ -41,10 +43,23 @@
     </head>
 
     <body{% if config["CANAILLE"]["JAVASCRIPT"] and config["CANAILLE"]["HTMX"] %} hx-boost="true"{% endif %}>
+        {% if no_secret_key %}
+            <div class="ui container attached menu-container">
+                <div class="ui error icon message">
+                    <i class="exclamation circle icon"></i>
+                    <div class="content">
+                        {% trans %}
+                            Your Canaille instance is not fully configured and not ready for production.<br>
+                            Have a look at your server logs and at the <a href="https://canaille.readthedocs.io/en/latest/references/configuration.html">documentation</a> for more details.
+                        {% endtrans %}
+                    </div>
+                </div>
+            </div>
+        {% endif %}
         {% block menu %}
             {% if menu %}
                 <div class="ui container menu-container">
-                    <nav class="ui stackable labeled icon seven item {% if self.submenu() | trim %}top attached{% endif %} menu">
+                    <nav class="ui stackable labeled icon seven item {% if self.submenu() | trim %}{% if not not_secret_key %}top {% endif %}attached{% endif %} menu">
                         {% if logo_url %}
                             <a href="/" class="item logo">
                                 <img class="ui img" src="{{ logo_url }}" alt="{{ website_name }}" />
diff --git a/tests/app/test_configuration.py b/tests/app/test_configuration.py
index f8fe7eea..fdd2220e 100644
--- a/tests/app/test_configuration.py
+++ b/tests/app/test_configuration.py
@@ -1,3 +1,4 @@
+import logging
 import os
 
 import pytest
@@ -316,3 +317,21 @@ def test_smpp_connection_remote_smpp_no_credentials(
     config_obj = settings_factory(configuration)
     config_dict = config_obj.model_dump()
     validate(config_dict, validate_remote=True)
+
+
+def test_no_secret_key(configuration, caplog):
+    del configuration["SECRET_KEY"]
+
+    from canaille.app.server import app
+
+    assert (
+        "canaille",
+        logging.WARNING,
+        "Missing 'SECRET_KEY' configuration parameter.",
+    ) in caplog.record_tuples
+
+    testclient = TestApp(app)
+    res = testclient.get("/login")
+    res.mustcontain(
+        "Your Canaille instance is not fully configured and not ready for production."
+    )