enable secret key rotation

2024-11-08 08:09:01 -08:00 · 2024-11-08 08:09:01 -08:00 · e13373f838
commit e13373f838
parent 7522c4bcdb
9 changed files with 55 additions and 7 deletions
--- a/src/flask/app.py
+++ b/src/flask/app.py
@ -180,6 +180,7 @@ class Flask(App):
            "TESTING": False,
            "PROPAGATE_EXCEPTIONS": None,
            "SECRET_KEY": None,
+            "SECRET_KEY_FALLBACKS": None,
            "PERMANENT_SESSION_LIFETIME": timedelta(days=31),
            "USE_X_SENDFILE": False,
            "SERVER_NAME": None,
--- a/src/flask/sessions.py
+++ b/src/flask/sessions.py
@ -315,14 +315,20 @@ class SecureCookieSessionInterface(SessionInterface):
    def get_signing_serializer(self, app: Flask) -> URLSafeTimedSerializer | None:
        if not app.secret_key:
            return None
-        signer_kwargs = dict(
-            key_derivation=self.key_derivation, digest_method=self.digest_method
-        )
+
+        keys: list[str | bytes] = [app.secret_key]
+
+        if fallbacks := app.config["SECRET_KEY_FALLBACKS"]:
+            keys.extend(fallbacks)
+
        return URLSafeTimedSerializer(
-            app.secret_key,
+            keys,  # type: ignore[arg-type]
            salt=self.salt,
            serializer=self.serializer,
-            signer_kwargs=signer_kwargs,
+            signer_kwargs={
+                "key_derivation": self.key_derivation,
+                "digest_method": self.digest_method,
+            },
        )

    def open_session(self, app: Flask, request: Request) -> SecureCookieSession | None: