diff --git a/docker/compose/docker-compose.env b/docker/compose/docker-compose.env
index 75eeeed09..af6a6e8fe 100644
--- a/docker/compose/docker-compose.env
+++ b/docker/compose/docker-compose.env
@@ -17,9 +17,9 @@
 # (if doing so please consider security measures such as reverse proxy)
 #PAPERLESS_URL=https://paperless.example.com
-# Adjust this key if you plan to make paperless available publicly. It should
-# be a very long sequence of random characters. You don't need to remember it.
-#PAPERLESS_SECRET_KEY=change-me
+# Required. A unique secret key for session tokens and signing.
+# Generate with: python3 -c "import secrets; print(secrets.token_urlsafe(64))"
+PAPERLESS_SECRET_KEY=change-me
 # Use this variable to set a timezone for the Paperless Docker containers. Defaults to UTC.
 #PAPERLESS_TIME_ZONE=America/Los_Angeles
diff --git a/docs/configuration.md b/docs/configuration.md
index 33f41c993..fa0d32c51 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
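Review bot: The uncommented `PAPERLESS_SECRET_KEY=change-me` on the new side hands every container started from this template a fixed, publicly known key, and it still passes the startup check added in `src/paperless/settings/__init__.py`, which rejects only an empty value; anyone who copies the file unedited ends up signing sessions with `change-me`, the situation the change is meant to end. Shipping the line without a value, `PAPERLESS_SECRET_KEY=`, keeps the variable visible in the template while letting the empty-value check refuse to start until a real key is pasted in (Compose should pass an empty value through as an empty string, so the guard would fire — worth confirming). The same placeholder is uncommented in the `paperless.conf.example` hunk and should be treated the same way.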
@@ -428,14 +428,20 @@ Defaults to `/usr/share/nltk_data`
 #### [`PAPERLESS_SECRET_KEY=`](#PAPERLESS_SECRET_KEY) {#PAPERLESS_SECRET_KEY}
-: Paperless uses this to make session tokens. If you expose paperless
-on the internet, you need to change this, since the default secret
-is well known.
+: **Required.** Paperless uses this to make session tokens and sign
+sensitive data. Paperless will refuse to start if this is not set.
 Use any sequence of characters. The more, the better. You don't
- need to remember this. Just face-roll your keyboard.
+ need to remember this. You can generate a suitable key with:
- Default is listed in the file `src/paperless/settings.py`.
+ python3 -c "import secrets; print(secrets.token_urlsafe(64))"
+
+ !!! warning
+
+ This setting has no default value. You **must** set it before starting Paperless. Existing installations that relied on the previous default value should set `PAPERLESS_SECRET_KEY` to that value to avoid invalidating existing sessions and tokens.
 #### [`PAPERLESS_URL=`](#PAPERLESS_URL) {#PAPERLESS_URL}
diff --git a/paperless.conf.example b/paperless.conf.example
index 9974aeab6..a0c406f82 100644
--- a/paperless.conf.example
+++ b/paperless.conf.example
@@ -23,7 +23,8 @@
 # Security and hosting
-#PAPERLESS_SECRET_KEY=change-me
+# Required. Generate with: python3 -c "import secrets; print(secrets.token_urlsafe(64))"
+PAPERLESS_SECRET_KEY=change-me
 #PAPERLESS_URL=https://example.com
 #PAPERLESS_CSRF_TRUSTED_ORIGINS=https://example.com # can be set using PAPERLESS_URL
 #PAPERLESS_ALLOWED_HOSTS=example.com,www.example.com # can be set using PAPERLESS_URL
diff --git a/pyproject.toml b/pyproject.toml
index 30c707e09..7bb160956 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -315,6 +315,7 @@ markers = [
 ]
 [tool.pytest_env]
+PAPERLESS_SECRET_KEY = "test-secret-key-do-not-use-in-production"
 PAPERLESS_DISABLE_DBHANDLER = "true"
 PAPERLESS_CACHE_BACKEND = "django.core.cache.backends.locmem.LocMemCache"
 PAPERLESS_CHANNELS_BACKEND = "channels.layers.InMemoryChannelLayer"
diff --git a/src/paperless/settings/__init__.py b/src/paperless/settings/__init__.py
index d51be67db..25731d87a 100644
--- a/src/paperless/settings/__init__.py
+++ b/src/paperless/settings/__init__.py
@@ -11,6 +11,7 @@ from typing import Final
 from urllib.parse import urlparse
 from compression_middleware.middleware import CompressionMiddleware
+from django.core.exceptions import ImproperlyConfigured
 from django.utils.translation import gettext_lazy as _
 from dotenv import load_dotenv
@@ -463,13 +464,13 @@ SECURE_PROXY_SSL_HEADER = (
 else None
 )
-# The secret key has a default that should be fine so long as you're hosting
-# Paperless on a closed network. However, if you're putting this anywhere
-# public, you should change the key to something unique and verbose.
-SECRET_KEY = os.getenv(
- "PAPERLESS_SECRET_KEY",
- "e11fl1oa-*ytql8p)(06fbj4ukrlo+n7k&q5+$1md7i+mge=ee",
-)
+SECRET_KEY = os.getenv("PAPERLESS_SECRET_KEY", "")
+if not SECRET_KEY:
+ raise ImproperlyConfigured(
+ "PAPERLESS_SECRET_KEY is not set. "
+ "A unique, secret key is required for secure operation. "
+ 'Generate one with: python3 -c "import secrets; print(secrets.token_urlsafe(64))"',
+ )
 AUTH_PASSWORD_VALIDATORS = [
 {
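Review bot: The new `if not SECRET_KEY:` guard in the `SECRET_KEY` hunk rejects only an empty value, so the `change-me` placeholder that this same commit uncomments in `docker/compose/docker-compose.env` and `paperless.conf.example` is accepted as a valid key and becomes the production secret for anyone who copies a template unedited. A second condition keeps that from passing silently, e.g. `if not SECRET_KEY or SECRET_KEY == "change-me":` with the message extended to say the placeholder must be replaced. The previous hard-coded default should stay accepted, since `docs/configuration.md` now tells existing installations to set it explicitly to keep sessions valid, so that value is better reported with a warning than refused. The test value added under `[tool.pytest_env]` is fine as it is only injected by pytest.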