Autogenerate SECRET_KEY or use given one (#2267)

ObadaS · Obada Haddad · Didayolo · web-flow · commit c896ce6fecbf · 2026-03-23T14:46:01.000+01:00
* make secret key auto generate and write into .env if it does not already exist, otherwise use exsiting key

* remove secret_key in .env_sample and .env_circleci

* Make code more robust

* add back '' to fix rare warnings

---------

Co-authored-by: Obada Haddad &lt;obada.haddad@lisn.fr&gt;
Co-authored-by: didayolo &lt;adrien.pavao@gmail.com&gt;
diff --git a/.env_circleci b/.env_circleci
@@ -1,5 +1,3 @@
-SECRET_KEY=change-this-secret
-
 DB_HOST=db
 DB_NAME=postgres
 DB_USERNAME=postgres
@@ -35,4 +33,4 @@ DJANGO_SUPERUSER_EMAIL=test@test.com
 DJANGO_SUPERUSER_USERNAME=codabench
 DOMAIN_NAME=localhost:80
 TLS_EMAIL=your@email.com
-SUBMISSIONS_API_URL=http://django:8000/api
+SUBMISSIONS_API_URL=http://django:8000/api
diff --git a/.env_sample b/.env_sample
@@ -1,7 +1,5 @@
-SECRET_KEY=change-this-secret
-
 # For local setup and debug
-DEBUG=True
+DEBUG=False
 
 # Database
 DB_HOST=db
diff --git a/pyproject.toml b/pyproject.toml
@@ -66,6 +66,7 @@ dependencies = [
     "django-filter==25.1",
     "django-cors-headers==4.9.0",
     "nh3==0.3.3",
+    "configobj==5.0.9",
 ]
 
 [tool.uv]
diff --git a/src/settings/base.py b/src/settings/base.py
@@ -5,6 +5,8 @@
 from celery import signals
 import dj_database_url
 from .logs_loguru import configure_logging
+from django.core.management.utils import get_random_secret_key
+import configobj
 
 
 BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
@@ -125,7 +127,24 @@
 USE_I18N = True
 USE_L10N = True
 USE_TZ = True
-SECRET_KEY = os.environ.get("SECRET_KEY", '(*0&74%ihg0ui+400+@%2pe92_c)x@w2m%6s(jhs^)dc$&&g93')
+
+# =============================================================================
+# Secret key (generate one if none is given, otherwise use given key)
+# =============================================================================
+# This is needed when the secret key is generated for the first time as it won't be loaded as an environment variable
+config = configobj.ConfigObj('.env')
+with open(".env", "a+") as f:
+    secret_key_count = 0
+    f.seek(0)
+    for x in f:
+        if x.strip().startswith("SECRET_KEY="):
+            secret_key_count = 1
+            SECRET_KEY = os.environ.get("SECRET_KEY", config['SECRET_KEY'])
+            break
+    if secret_key_count == 0:
+        SECRET_KEY = get_random_secret_key()
+        f.write(f"\nSECRET_KEY='{SECRET_KEY}'\n")
+
 LOGIN_REDIRECT_URL = '/'
 LOGOUT_REDIRECT_URL = '/'
 
diff --git a/uv.lock b/uv.lock

Original file line number	Diff line number	Diff line change
`@@ -66,6 +66,7 @@ dependencies = [`
`66`	`66`	`"django-filter==25.1",`
`67`	`67`	`"django-cors-headers==4.9.0",`
`68`	`68`	`"nh3==0.3.3",`
	`69`	`+ "configobj==5.0.9",`
`69`	`70`	`]`
`70`	`71`
`71`	`72`	`[tool.uv]`