🔧(backend) tool for valid fernet key used in OIDC token storage

Add bin/fernetkey that generates a key for the OIDC_STORE_REFRESH_TOKEN_KEY setting. Signed-off-by: Fabre Florian <ffabre@hybird.org>
2025-10-01 07:18:26 +02:00
parent a48f61e583
commit 580d25b79f
3 changed files with 32 additions and 9 deletions
--- a/bin/fernetkey
+++ b/bin/fernetkey
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+
+# shellcheck source=bin/_config.sh
+source "$(dirname "${BASH_SOURCE[0]}")/_config.sh"
+
+_dc_run app-dev python -c 'from cryptography.fernet import Fernet;import sys; sys.stdout.write("\n" + Fernet.generate_key().decode() + "\n");'
--- a/env.d/development/common
+++ b/env.d/development/common
@@ -50,9 +50,12 @@ OIDC_REDIRECT_ALLOWED_HOSTS=["http://localhost:8083", "http://localhost:3000"]
 OIDC_AUTH_REQUEST_EXTRA_PARAMS={"acr_values": "eidas1"}

 # Store OIDC tokens in the session
-OIDC_STORE_ACCESS_TOKEN = True  # Store the access token in the session
-OIDC_STORE_REFRESH_TOKEN = True  # Store the encrypted refresh token in the session
-OIDC_STORE_REFRESH_TOKEN_KEY = ThisIsAnExampleKeyForDevPurposeOnly
+OIDC_STORE_ACCESS_TOKEN = True
+OIDC_STORE_REFRESH_TOKEN = True # Store the encrypted refresh token in the session.
+
+# Must be a valid Fernet key (32 url-safe base64-encoded bytes)
+# To create one, use the bin/fernetkey command.
+# OIDC_STORE_REFRESH_TOKEN_KEY="your-32-byte-encryption-key=="

 # AI
 AI_FEATURE_ENABLED=true
--- a/src/backend/core/tests/test_models_documents.py
+++ b/src/backend/core/tests/test_models_documents.py
@@ -1713,9 +1713,16 @@ def test_models_documents_post_save_indexer_deleted(mock_push, indexer_settings)
    user = factories.UserFactory()

    with transaction.atomic():
-        doc = factories.DocumentFactory()
-        doc_deleted = factories.DocumentFactory()
-        doc_ancestor_deleted = factories.DocumentFactory(parent=doc_deleted)
+        doc = factories.DocumentFactory(
+            link_reach=models.LinkReachChoices.AUTHENTICATED
+        )
+        doc_deleted = factories.DocumentFactory(
+            link_reach=models.LinkReachChoices.AUTHENTICATED
+        )
+        doc_ancestor_deleted = factories.DocumentFactory(
+            parent=doc_deleted,
+            link_reach=models.LinkReachChoices.AUTHENTICATED,
+        )
        doc_deleted.soft_delete()
        doc_ancestor_deleted.ancestors_deleted_at = doc_deleted.deleted_at

@@ -1768,9 +1775,16 @@ def test_models_documents_post_save_indexer_restored(mock_push, indexer_settings
    user = factories.UserFactory()

    with transaction.atomic():
-        doc = factories.DocumentFactory()
-        doc_deleted = factories.DocumentFactory()
-        doc_ancestor_deleted = factories.DocumentFactory(parent=doc_deleted)
+        doc = factories.DocumentFactory(
+            link_reach=models.LinkReachChoices.AUTHENTICATED
+        )
+        doc_deleted = factories.DocumentFactory(
+            link_reach=models.LinkReachChoices.AUTHENTICATED
+        )
+        doc_ancestor_deleted = factories.DocumentFactory(
+            parent=doc_deleted,
+            link_reach=models.LinkReachChoices.AUTHENTICATED,
+        )
        doc_deleted.soft_delete()
        doc_ancestor_deleted.ancestors_deleted_at = doc_deleted.deleted_at