persist session secret across restarts

2026-04-12 12:30:05 +02:00
parent a8b7eb09df
commit 0231b28935
1 changed files with 23 additions and 1 deletions
@@ -17,6 +17,24 @@ WEEKDAY_NAMES = ["Montag", "Dienstag", "Mittwoch", "Donnerstag", "Freitag", "Sam
 WEEKDAY_SHORT_NAMES = ["Mo", "Di", "Mi", "Do", "Fr", "Sa", "So"]


+def load_secret_key(data_dir: Path) -> str:
+    env_secret = os.environ.get("NOURI_SECRET_KEY")
+    if env_secret:
+        return env_secret
+
+    secret_path = data_dir / ".secret_key"
+    if secret_path.exists():
+        return secret_path.read_text(encoding="utf-8").strip()
+
+    secret_value = secrets.token_hex(24)
+    try:
+        with secret_path.open("x", encoding="utf-8") as handle:
+            handle.write(secret_value)
+    except FileExistsError:
+        return secret_path.read_text(encoding="utf-8").strip()
+    return secret_value
+
+
 def create_app() -> Flask:
    root_dir = Path(__file__).resolve().parent.parent
    data_dir = Path(os.environ.get("NOURI_DATA_DIR", root_dir / "data")).resolve()
@@ -28,12 +46,16 @@ def create_app() -> Flask:

    app = Flask(__name__, instance_relative_config=False)
    app.config.update(
-        SECRET_KEY=os.environ.get("NOURI_SECRET_KEY", secrets.token_hex(24)),
+        # Persist the signing key inside the app's data directory so all
+        # gunicorn workers and future restarts agree on the same sessions.
+        SECRET_KEY=load_secret_key(data_dir),
        DATABASE_PATH=str(db_path),
        DATA_DIR=str(data_dir),
        UPLOAD_FOLDER=str(upload_dir),
        MAX_CONTENT_LENGTH=int(os.environ.get("NOURI_MAX_UPLOAD_MB", "5")) * 1024 * 1024,
        PERMANENT_SESSION_LIFETIME=timedelta(days=30),
+        SESSION_COOKIE_HTTPONLY=True,
+        SESSION_COOKIE_SAMESITE="Lax",
    )

    db.init_app(app)