hell yeah

it sure is! WTF app key inside code!!

@gitpush only if they add one more line. The key is safe until then !

@gitpush what app key?

@gitpush oh u mean about the secret key? i have this motherfucker laying there over multiple commits anyway, its just dummy data for now bc i have no clue what does it even do. I also have JWT_SECRET_KEY in plain text code, also have no clue why is it needed but the code doesnt work without it. and mysql user/pass also in plain text in code but how tf do i hide that information and where?

@juneeighteen this is just shocking tbh :S

@SukMikeHok for a start you could move all those to a config file and read them from there instead of hard coding them

At least this way production server credentials are never inside the code or commit logs. They are only written on the server for the code to read. Also handle config file permission so that it can only be read by certain users.

@gitpush is the secret key and jwt secret key supposed to be something like a password of mine or a randomly generated hash?

@SukMikeHok Not sure about secret key, but the token key some random generated hash that cannot be reproduced easily. Its only goal is to encrypt and decrypt the tokens, better be a long key and not a password used else where

At a minimum, all hard coded security strings should be read as Environment variables. There are many options, but truthfully, you should assume your source code could become compromised, and any variable or token used against you.

@gitpush @juneeighteen is it safer if i store those secret keys in a database or a file locally in the system without read and write access unless u are logged in as root?

@SukMikeHok it is not where you store them but who can access the place where you stored them.

Inside your code is the worst place to do that, the less people that know production credentials the better.

There are actually a lot of “secret keeper” frameworks and services out there. Azure Key Vault, Hashicorp Vault and others are great for production quality secrets ... for simple things just getting into the habit of setting environment variables in your OS and doing: os.environ['MY_SECRET_KEY'] adds a decent level of security. If somebody gains access to your hosts environment variables you’ve got bigger problems to worry about !

I guess this is a flask app: The secret key is used to secure the session to prevent users manipulating it (e.g. gain admin access). Other frameworks have similar features. The key is not often changed as it would be invalidate the session.

Even worse, this peace of code runs the app in debug mode, allowing remote code execution when an unhandled exceptions occurs. Additionally the interal webserver of Flask/Werkzeug is used, which is neither optimized for security nor speed. If it was only used for testing, this would be probably ok.

I hope this is used just for testig, but the TODO might mean otherwise.

The JWT key is (probably) used to "sign" JSON Web Tokens - the possibility to manipulate them could also result in problems.

As @juneeighteen suggested, reading them from env variables sounds good.

os.urandom(24)

It would've been safer to base64-encode it 🤔