feat: retrieve SECRET_KEY from env with fallback

[Robbilie]

There shouldnt even be a fallback for this kind of thing…

PR fulfills these requirements

• Commit message(s) and PR title follows the format [fix|feat|ci|chore|doc]: TICKET-ID: Short description of change made ex. fix: DEV-XXXX: Removed inconsistent code usage causing intermittent errors
• Tests for the changes have been added/updated (for bug fixes/features)
• Docs have been added/updated (for bug fixes/features)
• Best efforts were made to ensure docs/code are concise and coherent (checked for spelling/grammatical errors, commented out code, debug logs etc.)
• Self-reviewed and ran all changes on a local instance (for bug fixes/features)

Change has impacts in these area(s)

(check all that apply)

• Product design
• Backend (Database)
• Backend (API)
• Frontend

Describe the reason for change

(link to issue, supportive screenshots etc.)

What does this fix?

(if this is a bug fix)

What is the new behavior?

(if this is a breaking or feature change)

What is the current behavior?

(if this is a breaking or feature change)

What libraries were added/updated?

(list all with version changes)

Does this change affect performance?

(if so describe the impacts positive or negative)

Does this change affect security?

(if so describe the impacts positive or negative)

What alternative approaches were there?

(briefly list any if applicable)

What feature flags were used to cover this change?

(briefly list any if applicable)

Does this PR introduce a breaking change?

(check only one)

• Yes, and covered entirely by feature flag(s)
• Yes, and covered partially by feature flag(s)
• No
• Not sure (briefly explain the situation below)

What level of testing was included in the change?

(check all that apply)

• e2e
• integration
• unit

Which logical domain(s) does this change affect?

(for bug fixes/features, be as precise as possible. ex. Authentication, Annotation History, Review Stream etc.)

[netlify]

👷 Deploy request for label-studio-docs-new-theme pending review.

Visit the deploys page to approve it

Name	Link
🔨 Latest commit	399cd52

[netlify]

👷 Deploy request for heartex-docs pending review.

Visit the deploys page to approve it

Name	Link
🔨 Latest commit	399cd52

[codecov]

Codecov Report

Patch coverage has no change and project coverage change: -0.01% ⚠️

Comparison is base (0702b8b) 75.83% compared to head (399cd52) 75.82%.

Additional details and impacted files

@@             Coverage Diff             @@
##           develop    #4689      +/-   ##
===========================================
- Coverage    75.83%   75.82%   -0.01%     
===========================================
  Files          157      157              
  Lines        12522    12522              
===========================================
- Hits          9496     9495       -1     
- Misses        3026     3027       +1     

see 1 file with indirect coverage changes

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[jombooth]

Hi @Robbilie,

On behalf of the whole Label Studio team, I'd like to thank you for bringing this oversight to our attention. We agree with not only your suggestion that SECRET_KEY should be configurable via environment variables, but also as you observed that there should not be a fallback for SECRET_KEY. For this reason, we've cherry-picked your commit from this branch into 399cd52, which will add a system for setting a stable random SECRET_KEY if none exists already, and will be looking to land #4690 as soon as possible. We will also be including this fix in our upcoming open source release, 1.8.2.

[Robbilie]

Yeah that's sensible to not provide a static fallback :)