PAPERLESS_REDIS may be set via docker secrets #1405

Merged
merged 3 commits into from
Aug 16, 2022

Contributor

@DennisGaida DennisGaida commented Aug 12, 2022

Proposed change

Best practice is for redis to be at least password protected: https://redis.io/docs/getting-started/.

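Paperless uses Redis.from_url (https://github.com/paperless-ngx/paperless-ngx/blob/5fe435048bc6eb77f9473afc11588427846456ab/docker/wait-for-redis.py#L24) to establish a connection to redis which already enables us to use username/password, e.g. redis://username:password@redis:6379.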

with Redis.from_url(url=REDIS_URL) as client:

The redis connection string therefore is a secret and needs to be able to leverage docker secrets, hence this PR.

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Other (please explain)

Checklist:

  • I have read & agree with the contributing guidelines.
  • If applicable, I have tested my code for new features & regressions on both mobile & desktop devices, using the latest version of major browsers.
  • If applicable, I have checked that all tests pass, see documentation.
  • I have run all pre-commit hooks, see documentation.
  • I have made corresponding changes to the documentation as needed.
  • I have checked my modifications for any breaking changes.

@paperless-ngx-secretary

Hello @DennisGaida,

thank you very much for submitting this PR to us!

This is what will happen next:

  1. My robotic colleagues will check your changes to see if they break anything. You can see the progress below.
  2. Once that is finished, human contributors from paperless-ngx review your changes. Since this seems to be a small change, only a single contributor has to review your changes.
  3. Please improve anything that comes up during the review until your pull request gets approved.
  4. Your pull request will be merged into the dev branch. Changes there will be tested further.
  5. Eventually, changes from you and other contributors will be merged into main and a new release will be made.

Please allow up to 7 days for an initial review. We're all very excited about new pull requests but we only do this as a hobby.
If any action will be required by you, please reply within a month.

@DennisGaida DennisGaida changed the base branch from main to dev August 12, 2022 11:16
@stumpylog
Member

This is bringing some commits from main over. Could you rebase the branch to dev?

@stumpylog
Member

The change looks simple enough.

One other location which should be updated is here. If the URL includes a password, it shouldn't be printed. Maybe just a hostname or some other information to show the connection was made.

@DennisGaida
Contributor Author

DennisGaida commented Aug 13, 2022

I'm having trouble rebasing my branch to dev as you can tell by my force pushes...

Good catch with the URL logging, this could be made safer with something like this regex: (?P<protocol>.*//)(?P<credentials>.*\@)?(?P<host>.*) and just replace the credentials part with xxx if it exists.

@DennisGaida DennisGaida requested a review from a team as a code owner August 13, 2022 11:09
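
Added example, not code from this PR or from paperless-ngx: the regex quoted in the comment above, applied with the xxx replacement, next to a variant that parses the URL with urllib.parse and logs only scheme, host and port. The function names and sample URLs are constructed for illustration; the third sample assumes a password that contains an unescaped "//".

```python
import re
from urllib.parse import urlsplit

# Regex exactly as quoted in the comment above.
THREAD_REGEX = re.compile(r"(?P<protocol>.*//)(?P<credentials>.*\@)?(?P<host>.*)")
WITHHELD = "<redis url withheld>"


def redact_with_regex(url: str) -> str:
    """Replace the credentials group with 'xxx' when it matched."""
    m = THREAD_REGEX.fullmatch(url)
    if m is None:
        return WITHHELD
    creds = "xxx@" if m.group("credentials") else ""
    return f"{m.group('protocol')}{creds}{m.group('host')}"


def safe_target(url: str) -> str:
    """Rebuild a loggable string from scheme, host and port only.

    Userinfo, path and query are never copied, and anything that does not
    parse cleanly is withheld instead of being echoed.
    """
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port  # .port raises on junk
    except ValueError:
        return WITHHELD
    if not parts.scheme or not host:
        return WITHHELD
    return f"{parts.scheme}://{host}" + (f":{port}" if port else "")


# Constructed sample URLs; the last has an unescaped "//" in the password.
SAMPLES = [
    "redis://redis:6379",
    "redis://username:password@redis:6379",
    "redis://user:pa//ss@redis:6379",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"regex: {redact_with_regex(url):35} parsed: {safe_target(url)}")
```

On the third sample the regex output still contains "user:pa//", because the greedy protocol group runs to the last "//", while the parsed variant withholds the whole string.
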
@DennisGaida
Contributor Author

Alright, got the rebase fixed and we're now on dev.

I added your suggestion @stumpylog to hide the credentials from the log (if they exist) - though I'm not sure whether this would be the best way/practice to go about things.

@stumpylog
Member

Hm, yeah I'm wondering if it's better to not print out the URL at all, rather than risk exposing a password in the log. Ideally if the connection fails, people would know to look at their Redis config.

@DennisGaida
Contributor Author

Also good point. You can cherry pick whatever you want. Removed logging the URL in the latest commit.

@stumpylog stumpylog merged commit 9cbc74e into paperless-ngx:dev Aug 16, 2022
@qcasey qcasey added the enhancement New feature label Aug 16, 2022
@github-actions
Contributor

This pull request has been automatically locked since there has not been any recent activity after it was closed. Please open a new discussion or issue for related concerns.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 17, 2023