Maybe a LoFi way to accomplish this is just to make sure that the SECRET_KEY is cast to bytes() before use. That way, a non-bytes object placed there during settings will be asked to convert it to bytes before use. I use the same trick with an internal module that retrieves database passwords from a web service. For cx_Oracle, I only had to implement __str__, but for PostgreSQL, MySQL, and pyodbc to SQL Server I eventually collected many other string methods to be duck typed as a string.
The same trick might work today with SECRET_KEY, depending on how it is used. If anyone ever does a check that isinstance(settings.SECRET_KEY, bytes), then we'd have problems, but if Django has the discipline to iterate it, get its length, and cast it to bytes before use, then it would be OK.

On Sat, Nov 10, 2018 at 9:36 AM Andreas Pelme <andr...@pelme.se> wrote:

> On 10 Nov 2018, at 13:29, Adam Johnson <m...@adamj.eu> wrote:
> >
> > Hi Andreas
> >
> > I like your proposal, moving to a backend is an elegant way of solving
> > both the immediate problem and opening up the other possibilities you
> > mentioned.
>
> Thanks Adam, I am glad you like the proposal. :)
>
> > I think it would also be nice to have an "out of the box" way of
> > rotating the key, without needing to implement a custom backend. Perhaps a
> > second setting OLD_SECRET_KEYS that may contain a list of old keys that are
> > returned for verification too? Or we could allow SECRET_KEY to be a
> > list/tuple, and if so, sign with the first and verify with all of them.
>
> Agreed, I will add something like that then! :)
>
> Cheers,
> Andreas
>
> --
> You received this message because you are subscribed to the Google Groups
> "Django developers (Contributions to Django itself)" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to django-developers+unsubscr...@googlegroups.com.
> To post to this group, send email to django-developers@googlegroups.com.
> Visit this group at https://groups.google.com/group/django-developers.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/django-developers/A16A11DF-1439-46EF-BF0D-85C483F53608%40pelme.se
> .
> For more options, visit https://groups.google.com/d/optout.
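
The bytes() cast and the "sign with the first, verify with all" rotation idea discussed in this thread, sketched as an added example (not Django's code and not code from either poster). `LazySecret`, `sign`, `verify` and `strict_sign` are hypothetical names, and the keys used with them are constructed sample values.

```python
import hashlib
import hmac


class LazySecret:
    """Hypothetical duck-typed secret: the key is fetched only when bytes() is called."""

    def __init__(self, fetch):
        self._fetch = fetch  # callable returning the key, e.g. a secrets-service client
        self.fetch_count = 0

    def __bytes__(self):
        self.fetch_count += 1
        value = self._fetch()
        return value if isinstance(value, bytes) else value.encode("utf-8")

    def __repr__(self):
        return "LazySecret(<hidden>)"  # keep the key out of logs and tracebacks


def _as_key_list(secret_key):
    # A list/tuple means "sign with the first, verify with all"; anything else is one key.
    return list(secret_key) if isinstance(secret_key, (list, tuple)) else [secret_key]


def _mac(key, message):
    # bytes(key) is the cast discussed in the thread; str keys need an explicit encode.
    raw = key.encode("utf-8") if isinstance(key, str) else bytes(key)
    return hmac.new(raw, message, hashlib.sha256).hexdigest()


def sign(secret_key, message):
    return _mac(_as_key_list(secret_key)[0], message)


def verify(secret_key, message, signature):
    # Check every key (no early exit) and compare each MAC in constant time.
    results = [hmac.compare_digest(_mac(k, message), signature)
               for k in _as_key_list(secret_key)]
    return any(results)


def strict_sign(secret_key, message):
    # The failure mode from the thread: a type check rejects the duck-typed object.
    if not isinstance(secret_key, bytes):
        raise TypeError("SECRET_KEY must be bytes")
    return hmac.new(secret_key, message, hashlib.sha256).hexdigest()
```
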