forked from orbit-oss/flask
secret key rotation: fix key list ordering
The `itsdangerous` serializer interface[1] expects keys to be provided with the oldest key at index zero and the active signing key at the end of the list. We document[2] that `SECRET_KEY_FALLBACKS` should be configured with the most recent first (at index zero), so to achieve the expected behaviour, those should be inserted in reverse-order at the head of the list. [1] - https://itsdangerous.palletsprojects.com/en/stable/serializer/#itsdangerous.serializer.Serializer [2] - https://flask.palletsprojects.com/en/stable/config/#SECRET_KEY_FALLBACKS
This commit is contained in:
James Addison
David Lord
parent
941efd4a36
commit
fb54159861
3 changed files with 15 additions and 5 deletions
|
|
@ -3,6 +3,8 @@ Version 3.1.1
|
|||
|
||||
Unreleased
|
||||
|
||||
- Fix signing key selection order when key rotation is enabled via
|
||||
``SECRET_KEY_FALLBACKS``. :ghsa:`4grg-w6v8-c28g`
|
||||
- Fix type hint for `cli_runner.invoke`. :issue:`5645`
|
||||
- ``flask --help`` loads the app and plugins first to make sure all commands
|
||||
are shown. :issue:5673`
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue