🔧(backend) force a valid key for token storage in development mode

Generate a fernet key for the OIDC_STORE_REFRESH_TOKEN_KEY in development
settings if not set.

Signed-off-by: Fabre Florian <ffabre@hybird.org>

Author: joehybird

bin/fernetkey

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+# shellcheck source=bin/_config.sh
+source "$(dirname "${BASH_SOURCE[0]}")/_config.sh"
+
+_dc_run app-dev python -c 'from cryptography.fernet import Fernet;import sys; sys.stdout.write("\n" + Fernet.generate_key().decode() + "\n");'

env.d/development/common

@@ -50,9 +50,12 @@ OIDC_REDIRECT_ALLOWED_HOSTS=["http://localhost:8083", "http://localhost:3000"]
 OIDC_AUTH_REQUEST_EXTRA_PARAMS={"acr_values": "eidas1"}
 
 # Store OIDC tokens in the session
-OIDC_STORE_ACCESS_TOKEN = True  # Store the access token in the session
-OIDC_STORE_REFRESH_TOKEN = True  # Store the encrypted refresh token in the session
-OIDC_STORE_REFRESH_TOKEN_KEY = ThisIsAnExampleKeyForDevPurposeOnly
+OIDC_STORE_ACCESS_TOKEN = True
+OIDC_STORE_REFRESH_TOKEN = True # Store the encrypted refresh token in the session.
+
+# Must be a valid Fernet key (32 url-safe base64-encoded bytes)
+# To create one, use the bin/fernetkey command.
+# OIDC_STORE_REFRESH_TOKEN_KEY="your-32-byte-encryption-key=="
 
 # AI
 AI_FEATURE_ENABLED=true

src/backend/core/tests/test_models_documents.py

@@ -1541,9 +1541,16 @@ def test_models_documents_post_save_indexer_deleted(mock_push, indexer_settings)
     user = factories.UserFactory()
 
     with transaction.atomic():
-        doc = factories.DocumentFactory()
-        doc_deleted = factories.DocumentFactory()
-        doc_ancestor_deleted = factories.DocumentFactory(parent=doc_deleted)
+        doc = factories.DocumentFactory(
+            link_reach=models.LinkReachChoices.AUTHENTICATED
+        )
+        doc_deleted = factories.DocumentFactory(
+            link_reach=models.LinkReachChoices.AUTHENTICATED
+        )
+        doc_ancestor_deleted = factories.DocumentFactory(
+            parent=doc_deleted,
+            link_reach=models.LinkReachChoices.AUTHENTICATED,
+        )
         doc_deleted.soft_delete()
         doc_ancestor_deleted.ancestors_deleted_at = doc_deleted.deleted_at
 
@@ -1596,9 +1603,16 @@ def test_models_documents_post_save_indexer_restored(mock_push, indexer_settings
     user = factories.UserFactory()
 
     with transaction.atomic():
-        doc = factories.DocumentFactory()
-        doc_deleted = factories.DocumentFactory()
-        doc_ancestor_deleted = factories.DocumentFactory(parent=doc_deleted)
+        doc = factories.DocumentFactory(
+            link_reach=models.LinkReachChoices.AUTHENTICATED
+        )
+        doc_deleted = factories.DocumentFactory(
+            link_reach=models.LinkReachChoices.AUTHENTICATED
+        )
+        doc_ancestor_deleted = factories.DocumentFactory(
+            parent=doc_deleted,
+            link_reach=models.LinkReachChoices.AUTHENTICATED,
+        )
         doc_deleted.soft_delete()
         doc_ancestor_deleted.ancestors_deleted_at = doc_deleted.deleted_at
 

src/backend/impress/settings.py

@@ -18,6 +18,7 @@
 
 import sentry_sdk
 from configurations import Configuration, values
+from cryptography.fernet import Fernet
 from csp.constants import NONE
 from lasuite.configuration.values import SecretFileValue
 from sentry_sdk.integrations.django import DjangoIntegration
@@ -944,6 +945,14 @@ class Development(Base):
         },
     }
 
+    # There is no key for token storage in default configuration.
+    # In development environment we can create one if needed.
+    OIDC_STORE_REFRESH_TOKEN_KEY = values.Value(
+        default=Fernet.generate_key().decode(),
+        environ_name="OIDC_STORE_REFRESH_TOKEN_KEY",
+        environ_prefix=None,
+    )
+
     def __init__(self):
         # pylint: disable=invalid-name
         self.INSTALLED_APPS += ["django_extensions", "drf_spectacular_sidecar"]