From cc10c86415d58ca3b30313dff4d6b4bbab0aeb7e Mon Sep 17 00:00:00 2001
From: Haris Skiadas
Date: Tue, 16 Dec 2025 19:51:17 -0500
Subject: [PATCH] Clarify the usage of ALLOW_INSECURE_LOGIN
---
 .../web2py_server/applications/runestone/models/db.py | 4 ++--
 docs/source/environmental_vars.rst | 6 +++---
 sample.env | 8 ++++----
 3 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/bases/rsptx/web2py_server/applications/runestone/models/db.py b/bases/rsptx/web2py_server/applications/runestone/models/db.py
index f053c995d..50b285ef0 100644
--- a/bases/rsptx/web2py_server/applications/runestone/models/db.py
+++ b/bases/rsptx/web2py_server/applications/runestone/models/db.py
@@ -703,8 +703,8 @@ def _create_access_token(data: dict, expires=None, scopes=None) -> bytes:
 # if the ALLOW_INSECURE_LOGIN environment variable is set then do not set
 # the httponly, samesite, or secure attributes on the cookie.
 # This is useful for testing purposes, but should not be used in production.
-
- if not os.environ.get("ALLOW_INSECURE_LOGIN", request.is_local):
+ allow_insecure = os.environ.get("ALLOW_INSECURE_LOGIN", "False").lower() in ["yes", "true"]
+ if not allow_insecure:
 response.cookies["access_token"]["httponly"] = True
 response.cookies["access_token"]["samesite"] = "None"
 response.cookies["access_token"]["secure"] = True
diff --git a/docs/source/environmental_vars.rst b/docs/source/environmental_vars.rst
index 17fdf9e1a..8cf027a4f 100644
--- a/docs/source/environmental_vars.rst
+++ b/docs/source/environmental_vars.rst
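Review bot: The context comment three lines above the new `allow_insecure` assignment is now stale: it says the cookie attributes are dropped when the variable "is set", but the new parse only treats `yes`/`true` (case-insensitively) as enabling, so `ALLOW_INSECURE_LOGIN=1` or the sample.env default `False` both keep the cookie secure; suggest rewording it to `# only the values yes/true (any case) enable insecure cookies; anything else, including unset, keeps the Secure/HttpOnly/SameSite attributes`. The parse also does not strip whitespace, so a value read from an .env file with a trailing space silently stays in secure mode — fail-safe, but confusing in development; `allow_insecure = os.environ.get("ALLOW_INSECURE_LOGIN", "False").strip().lower() in ("yes", "true")` avoids that. Because this branch now decides whether a session-bearing cookie is issued without Secure/HttpOnly, emitting a warning when `allow_insecure` is true (if a logger is in scope in this model file) would make an accidental production setting visible in logs. The enclosing function (`_create_access_token` per the hunk header) starts outside the hunk.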
@@ -52,10 +52,10 @@ There are a number of other variables - none of them are important unless you ar
 * ``RUNESTONE_HOST`` *(d)* - this is the canonical host name of the server. It is used to generate links to the server. For development you should just set it to ``localhost``. In production it should be something like ``runestone.academy`` or ``runestone.academy:8000`` if you are running on a non-standard port.
 * ``LOAD_BALANCER_HOST`` *(d)* - this is the canonical host name of the server when you are running in production with several workers. It is used to generate links to the server. For development purposes you should not set this variable. In production it should be something like ``runestone.academy`` or ``runestone.academy:8000`` if you are running on a non-standard port. You would typically only need to set this or RUNESTONE_HOST.
 * ``NUM_SERVERS`` *(d)* - this is the number of workers you are running. It will default to 1 if not set. This is only important if you are running in production mode, behind a load balancer.
-* ``ALLOW_INSECURE_LOGIN`` *(d)* - this is a flag that allows users to log in without HTTPS. This should only be used for development purposes and not in production. This can be set to ``yes`` or ``true`` in the ``docker-compose.yml`` file for the ``runestone`` service. If you are running in production mode, you should **not** set this variable. Note, LTI will not work if this is set.
-* ``LTI1P3_PRIVATE_KEY`` *(d)* - this is the private key used for LTI 1.3 authentication. It should be a long random string. You can generate one by running ``openssl genpkey -algorithm RSA -out private.key -pkeyopt rsa_keygen_bits:2048``.
+* ``ALLOW_INSECURE_LOGIN`` *(d)* - this is a flag that allows users to log in without HTTPS. This should only be used for development purposes and not in production. This can be set to ``yes`` or ``true`` in the ``.env``. If you are running in production mode, you should keep this variable set to False. 
Note, LTI will not work if this is set.
+* ``LTI1P3_PRIVATE_KEY`` *(d)* - this is the private key used for LTI 1.3 authentication. It should be a long random string. You can generate one by running ``openssl genpkey -algorithm RSA -out private.key -pkeyopt rsa_keygen_bits:2048``.
 * ``LTI1P3_PUBLIC_KEY`` *(d)* - this is the public key used for LTI 1.3 authentication. You can generate one by running ``openssl rsa -in private.key -pubout -out public.key``. This is used to verify the signature of the LTI 1.3 authentication request.
-* ``FERNET_SECRET`` *(d)* - this is the secret used for encrypting and decrypting data. It is required for encrypted columns. You can generate one by running ``openssl rand -base64 32``.
+* ``FERNET_SECRET`` *(d)* - this is the secret used for encrypting and decrypting data. It is required for encrypted columns. You can generate one by running ``openssl rand -base64 32``.
 .. note:: Host Side Development Notes
diff --git a/sample.env b/sample.env
index 7ddec50b0..59844ef56 100644
--- a/sample.env
+++ b/sample.env
@@ -82,10 +82,10 @@ LTI1P3_PUBLIC_KEY = "-----BEGIN PUBLIC KEY-----
 MAKE YOUR OWN KEY PAIR AND PASTE PUBLIC KEY HERE
 -----END PUBLIC KEY-----"
-# Insecure Login
+# Insecure Login. Set to True or Yes to enable.
 # Warning! Only use this for development, if you are running a server over http
-# that is not localhost
-# ALLOW_INSECURE_LOGIN = yes
+# that is not localhost.
+ALLOW_INSECURE_LOGIN = False
 # this is used by web2py to decide on how to set the session cookie settings.
 # In production you will want to change this to https://
@@ -113,4 +113,4 @@ UVICORN_WORKERS=5
 GUNICORN_CMD_ARGS="--workers=3 --log-level 'debug'"
 # Set the log level - for production set this to info or higher
-LOG_LEVEL=DEBUG
\ No newline at end of file
+LOG_LEVEL=DEBUG