Merge pull request #76 from xsnippet/auth-token-in-main

Generate secret in main rather than in middleware
xsnippet · Mar 11, 2018 · fe674f9 · fe674f9
2 parents fe9219a + a192655
commit fe674f9
Show file tree

Hide file tree

Showing 4 changed files with 12 additions and 32 deletions.
diff --git a/tests/test_application.py b/tests/test_application.py
@@ -10,17 +10,6 @@
 
 import pytest
 
-from xsnippet.api import application
-from xsnippet.api.middlewares import auth
-
-
-async def test_auth_secret_is_generated_if_not_set(test_server, testconf, testdatabase):
-    testconf['auth'] = {'secret': ''}
-    app_instance = application.create_app(testconf, testdatabase)
-
-    await test_server(app_instance)
-    assert len(testconf['auth']['secret']) == auth.SECRET_LEN
-
 
 @pytest.mark.parametrize('name, value', [
     ('Accept', 'application/json'),

diff --git a/xsnippet/api/__main__.py b/xsnippet/api/__main__.py
@@ -9,9 +9,11 @@
     :license: MIT, see LICENSE for details
 """
 
+import binascii
 import logging
 import os
 import sys
+import warnings
 
 import aiohttp.web as web
 import picobox
@@ -31,6 +33,16 @@ def main(args=sys.argv[1:]):
     ], envvar='XSNIPPET_API_SETTINGS')
     database = create_connection(conf)
 
+    # The secret is required to sign issued JWT tokens, therefore it's crucial
+    # to warn about importance of settings secret before going production. The
+    # only reason why we don't enforce it's setting is because we want the app
+    # to fly (at least for development purpose) using defaults.
+    if not conf['auth'].get('secret', ''):
+        warnings.warn(
+            'Auth secret has not been provided. Please generate a long random '
+            'secret before going to production.')
+        conf['auth']['secret'] = binascii.hexlify(os.urandom(32)).decode('ascii')
+
     with picobox.push(picobox.Box()) as box:
         box.put('conf', conf)
         box.put('database', database)

diff --git a/xsnippet/api/application.py b/xsnippet/api/application.py
@@ -70,8 +70,6 @@ def create_app(conf, db):
             middlewares.auth.auth(conf['auth']),
         ],
         router=router.VersionRouter({'1.0': v1}, default='1.0'))
-
-    app.on_startup.append(functools.partial(middlewares.auth.setup, conf=conf))
     app.on_startup.append(functools.partial(database.setup, db=db))
 
     # We need to respond with Vary header time to time in order to avoid

diff --git a/xsnippet/api/middlewares/auth.py b/xsnippet/api/middlewares/auth.py
@@ -9,29 +9,10 @@
     :license: MIT, see LICENSE for details
 """
 
-import random
-import string
-
 import aiohttp.web as web
 import jose.jwt as jwt
 
 
-SECRET_LEN = 64
-
-
-async def setup(app, conf):
-    """Perform middleware setup steps at application startup.
-
-    E.g. generate a temporary secret, if one was not set in conf explicitly."""
-
-    secret = conf['auth'].get('secret', '')
-    if not secret:
-        symbols = string.ascii_letters + string.digits
-        secret = ''.join(random.choice(symbols) for _ in range(SECRET_LEN))
-
-        conf['auth']['secret'] = secret
-
-
 def auth(conf):
     """Authentication middleware.