Make ADMIN_CLIENT_SECRET a list of a single secret

And support this change across our code. Note, this is a halfway step where it is not a list rather than a string but still only supports a single secret, ie one item in the list.
2026-05-03 15:50:12 -04:00 · 2020-02-19 16:42:40 +00:00
parent f7f6be56c7
commit 52d3df49d4
4 changed files with 16 additions and 11 deletions
--- a/app/authentication/auth.py
+++ b/app/authentication/auth.py
@@ -61,7 +61,12 @@ def requires_admin_auth():

    if client == current_app.config.get('ADMIN_CLIENT_USER_NAME'):
        g.service_id = current_app.config.get('ADMIN_CLIENT_USER_NAME')
-        return handle_admin_key(auth_token, current_app.config.get('ADMIN_CLIENT_SECRET'))
+
+        secret = ""
+        if len(current_app.config.get('ADMIN_CLIENT_SECRETS')):
+            secret = current_app.config.get('ADMIN_CLIENT_SECRETS')[0]
+
+        return handle_admin_key(auth_token, secret)
    else:
        raise AuthError('Unauthorized: admin authentication token required', 401)

--- a/app/config.py
+++ b/app/config.py
@@ -65,7 +65,7 @@ class Config(object):
    API_HOST_NAME = os.getenv('API_HOST_NAME')

    # admin app api key
-    ADMIN_CLIENT_SECRET = os.getenv('ADMIN_CLIENT_SECRET')
+    ADMIN_CLIENT_SECRETS = [os.getenv('ADMIN_CLIENT_SECRET')] if os.getenv('ADMIN_CLIENT_SECRET') else []

    # encyption secret/salt
    SECRET_KEY = os.getenv('SECRET_KEY')
@@ -369,7 +369,7 @@ class Development(Config):
    TRANSIENT_UPLOADED_LETTERS = 'development-transient-uploaded-letters'
    LETTER_SANITISE_BUCKET_NAME = 'development-letters-sanitise'

-    ADMIN_CLIENT_SECRET = 'dev-notify-secret-key'
+    ADMIN_CLIENT_SECRETS = ['dev-notify-secret-key']
    SECRET_KEY = 'dev-notify-secret-key'
    DANGEROUS_SALT = 'dev-notify-salt'