Merge pull request #1422 from okfn/1422-repoze-key

Use a more secure default for the repoze secret key
ckan · Jan 9, 2014 · 116ec3d · 116ec3d
2 parents 4bddcd8 + 6ced7cb
commit 116ec3d
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/ckan/config/middleware.py b/ckan/config/middleware.py
@@ -18,6 +18,7 @@
 from routes.middleware import RoutesMiddleware
 from repoze.who.config import WhoConfig
 from repoze.who.middleware import PluggableAuthenticationMiddleware
+from repoze.who.plugins.auth_tkt import make_plugin as auth_tkt_make_plugin
 from fanstatic import Fanstatic
 
 from ckan.plugins import PluginImplementations
@@ -183,6 +184,11 @@ def make_app(conf, full_stack=True, static_files=True, **app_conf):
 
     return app
 
+def ckan_auth_tkt_make_app(**kw):
+    if not len(kw.get('secret', '')) or kw.get('secret') == 'somesecret':
+        kw['secret'] = config['beaker.session.secret']
+    return auth_tkt_make_plugin(**kw)
+
 
 class I18nMiddleware(object):
     """I18n Middleware selects the language based on the url

diff --git a/ckan/config/who.ini b/ckan/config/who.ini
@@ -1,6 +1,7 @@
 [plugin:auth_tkt]
-use = repoze.who.plugins.auth_tkt:make_plugin
-secret = somesecret
+use = ckan.config.middleware:ckan_auth_tkt_make_app
+# If no secret key is defined here, beaker.session.secret will be used
+#secret = somesecret
 
 [plugin:friendlyform]
 use = repoze.who.plugins.friendlyform:FriendlyFormPlugin