
fix: raise RuntimeError when SESSION_SECRET_KEY is not set in setup_o… #103

Open
piyushdotcomm wants to merge 1 commit into sugarlabs:main from piyushdotcomm:fix/session-secret-key-validation

Conversation

@piyushdotcomm

Problem

setup_oauth() in app/auth.py used a hardcoded fallback value:

secret_key=os.getenv("SESSION_SECRET_KEY", "supersecretkey")

If SESSION_SECRET_KEY was not set in the environment, the app silently
used "supersecretkey" as the session signing key. Since this value is
publicly visible in the source code, anyone could forge valid session
cookies and gain authenticated access without going through OAuth.

The app gave no warning and did not refuse to start when running with
this insecure fallback.

Fix

Removed the hardcoded fallback. The app now validates SESSION_SECRET_KEY
at startup and raises a RuntimeError with a clear message if it is missing,
preventing silent insecure deployments.

secret_key = os.getenv("SESSION_SECRET_KEY")
if not secret_key:
    raise RuntimeError(
        "SESSION_SECRET_KEY environment variable is not set. "
        "Please set a strong random secret in your .env file before starting the app."
    )
app.add_middleware(SessionMiddleware, secret_key=secret_key)

Fixes #101

…auth

Previously, setup_oauth() used a hardcoded fallback 'supersecretkey' when
SESSION_SECRET_KEY was not set in the environment. This allowed anyone to
forge session cookies and bypass OAuth authentication.

Now the app refuses to start with a clear RuntimeError if the environment
variable is missing, preventing silent deployment with an insecure secret.

Adds tests/test_auth_setup.py with two pytest tests:
- test_setup_oauth_raises_when_secret_missing
- test_setup_oauth_succeeds_when_secret_set

Fixes: sugarlabs#101
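The fail-fast check described in the PR description and the two tests listed in the commit message, as an added, self-contained example that is not code from the sugarlabs repository or this PR. FakeApp and the SessionMiddleware class below are stand-ins (assumptions) for the FastAPI app and starlette's session middleware, so the block runs without either installed; load_session_secret, startup_rejects, generate_secret and KNOWN_PLACEHOLDER are names introduced here. It also goes one step beyond the patch by rejecting the removed placeholder value itself, since that string is public and a deployment that copied it into .env is as forgeable as the old fallback.

```python
import os
import secrets

# Added example, not code from the sugarlabs repository. FakeApp and
# SessionMiddleware here are stand-ins (assumptions) for the FastAPI app and
# starlette's SessionMiddleware; the secret handling mirrors the PR's fix.

KNOWN_PLACEHOLDER = "supersecretkey"  # the public fallback the PR removes


class SessionMiddleware:
    """Stand-in for the real session middleware class (assumption)."""


class FakeApp:
    """Minimal stand-in for the web app: records middleware registrations."""

    def __init__(self):
        self.middleware = []

    def add_middleware(self, cls, **options):
        self.middleware.append((cls, options))


def load_session_secret(env=None):
    """Return SESSION_SECRET_KEY from env, or raise RuntimeError at startup."""
    env = os.environ if env is None else env
    secret_key = env.get("SESSION_SECRET_KEY")
    if not secret_key:
        raise RuntimeError(
            "SESSION_SECRET_KEY environment variable is not set. "
            "Please set a strong random secret in your .env file before starting the app."
        )
    # One step beyond the PR: the old placeholder is public knowledge, so a
    # deployment that pasted it into .env is just as forgeable as the fallback.
    if secret_key == KNOWN_PLACEHOLDER:
        raise RuntimeError(
            "SESSION_SECRET_KEY is set to the public placeholder value; "
            "generate a random secret instead."
        )
    return secret_key


def setup_oauth(app, env=None):
    """Mirror of the patched setup_oauth(): no fallback, fail before serving."""
    app.add_middleware(SessionMiddleware, secret_key=load_session_secret(env))
    return app


def startup_rejects(env):
    """True if setup_oauth() refuses to start with this environment mapping."""
    try:
        setup_oauth(FakeApp(), env)
    except RuntimeError:
        return True
    return False


def generate_secret(nbytes=32):
    """A value suitable for the .env file: 32 random bytes, URL-safe encoded."""
    return secrets.token_urlsafe(nbytes)


if __name__ == "__main__":
    # Constructed environments standing in for a misconfigured and a correct .env.
    print("missing secret rejected:", startup_rejects({}))
    print("placeholder rejected:", startup_rejects({"SESSION_SECRET_KEY": KNOWN_PLACEHOLDER}))
    print("random secret accepted:", not startup_rejects({"SESSION_SECRET_KEY": generate_secret()}))
```

Passing the environment mapping as a parameter (defaulting to os.environ) is what makes the two startup cases testable without monkeypatching the process environment; the pytest tests named in the commit can be written as `startup_rejects({})` and `setup_oauth(FakeApp(), {"SESSION_SECRET_KEY": generate_secret()})`.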


Development

Successfully merging this pull request may close these issues.

security: hardcoded fallback "supersecretkey" in SessionMiddleware allows session forgery
