From 780835e52c009f2ecbeca79f656b04577b8fcd64 Mon Sep 17 00:00:00 2001
From: erdgeist
Date: Mon, 6 Jan 2025 03:11:42 +0100
Subject: Enforce a server secret in production
---
 config.json | 1 +
 halfnarp2.py | 7 ++++++-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/config.json b/config.json
index d34e97b..ab6374e 100644
--- a/config.json
+++ b/config.json
@@ -1,5 +1,6 @@
 {
 "server-name": "halfnarp.events.ccc.de",
+ "server-secret": "",
 "host": "127.0.0.1",
 "port": 5023,
 "websocket-host": "localhost",
diff --git a/halfnarp2.py b/halfnarp2.py
index a6f4d1c..f13f967 100755
--- a/halfnarp2.py
+++ b/halfnarp2.py
@@ -268,7 +268,12 @@ if __name__ == "__main__":
 )
 app.config["SQLALCHEMY_TRACK_MODIFICATIONS"] = False
 app.config["SERVER_NAME"] = config.get("server-name", "localhost")
- app.config["SECRET_KEY"] = ""
+ app.config["SECRET_KEY"] = config.get("server-secret", "")
+
+ if app.config["SECRET_KEY"] == "":
+ print ("You must set the server-secret in your config.json")
+ sys.exit(1)
+
 app.jinja_env.trim_blocks = True
 app.jinja_env.lstrip_blocks = True
 CORS()
-- 
cgit v1.2.3
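Review bot: The new `"server-secret": ""` entry places the value that becomes the app's `SECRET_KEY` in config.json, a file tracked in this repository, so an operator who fills it in place risks committing the production secret with a later change. Consider reading the secret from an environment variable or from an untracked local file with owner-only permissions, and keeping only the empty placeholder in the tracked file. A short documentation line on generating the value, for example `python -c "import secrets; print(secrets.token_hex(32))"`, would steer operators away from short hand-typed secrets.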
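Review bot: The guard `if app.config["SECRET_KEY"] == "":` rejects only the exact empty string, so `"server-secret": null` (returned as `None` by `config.get`, assuming `config` is the parsed JSON dict), a whitespace-only value or a one-character secret all pass and the server starts with an unusable or guessable key. Validate type and length instead, for example `secret = config.get("server-secret")` followed by `if not isinstance(secret, str) or len(secret.strip()) < 32: sys.exit("You must set a server-secret of at least 32 characters in your config.json")`, which also sends the message to stderr rather than stdout. The `import sys` is not visible in this hunk, so confirm it exists at the top of the file. Because the check sits in the `if __name__ == "__main__":` block, which starts and ends outside the hunk, it presumably does not run when the module is imported by a WSGI server.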