fix(extensions-library): require PAPERLESS_SECRET_KEY instead of defaulting to 'change-me'#526
Merged
Lightheartdevs merged 1 commit into Light-Heart-Labs:resources/dev on Mar 23, 2026
Conversation
…ulting to 'change-me'
The SECRET_KEY was defaulting to the well-known string 'change-me' via
${:-change-me}, allowing session/CSRF token forgery. Switch to ${:?...}
so compose fails fast when the variable is unset, forcing the deployer
to generate a proper secret.
Closes Light-Heart-Labs#78
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This was referenced Mar 21, 2026
Merged commit 1731e5d into Light-Heart-Labs:resources/dev
12 of 17 checks passed
What

Replace the default `change-me` value for `PAPERLESS_SECRET_KEY` with a `:?` guard that forces explicit configuration.

Why

The `SECRET_KEY` was defaulting to the well-known string `change-me` via `${:-change-me}`, allowing session/CSRF token forgery. Django uses this key for cryptographic signing of sessions, CSRF tokens, and password reset tokens.

How

Switch from `${PAPERLESS_SECRET_KEY:-change-me}` to `${PAPERLESS_SECRET_KEY:?...}` so Compose fails fast when the variable is unset. The error message includes a generation command. The entire env var line is quoted to prevent YAML parsing issues with the colon in the error message.

Scope

All changes are within `resources/dev/extensions-library/.services/paperless-ngx/compose.yaml` — 1 line changed

Testing

`python3 -c "import yaml; yaml.safe_load(...)"` passed

Review

Critique Guardian verdict: APPROVED (after fix)

Merge Order

ext/fix-paperless-depends-on) — same file (paperless-ngx/compose.yaml), different lines. This PR must land first.
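The following is an added example and is not code from this PR or from the Light-Heart-Labs project. Compose interpolation uses the same `${VAR:-default}` and `${VAR:?msg}` rules as POSIX sh, so the two forms the PR contrasts can be exercised in plain sh: the "before" form silently substitutes the weak default, the "after" form aborts with the message when the variable is unset or empty. The function names, the `secret_key_is_acceptable` policy (it rejects empty keys, the old `change-me` default, and anything under 50 characters, the length below which Django's `security.W009` deploy check warns) and the use of `python3` for key generation are this example's assumptions, not part of the PR.

```shell
#!/bin/sh
# Added example, not code from the PR or the project it describes.
# $1 stands in for PAPERLESS_SECRET_KEY throughout.

# "Before": ${VAR:-default} silently substitutes the weak default when
# the variable is unset or empty, so a deployer who forgets to set it
# ends up signing sessions and CSRF tokens with a public string.
resolve_with_default() {
    printf '%s' "${1:-change-me}"
}

# "After": ${VAR:?msg} writes msg to stderr and aborts the expansion when
# the variable is unset or empty. The subshell keeps the abort local so the
# caller receives a non-zero status; compose itself simply refuses to start.
resolve_required() {
    (
        printf '%s' "${1:?PAPERLESS_SECRET_KEY is unset; generate one with: python3 -c 'import secrets; print(secrets.token_urlsafe(64))'}"
    )
}

# Deployer-side sanity check (this example's own policy, not the PR's):
# reject empty keys, the old well-known default, and keys shorter than
# 50 characters (Django's security.W009 threshold).
secret_key_is_acceptable() {
    key="$1"
    [ -n "$key" ] || return 1
    [ "$key" != "change-me" ] || return 1
    [ "${#key}" -ge 50 ] || return 1
    return 0
}

# Produce a key of the kind the error message asks for (assumes python3).
generate_secret_key() {
    python3 -c 'import secrets; print(secrets.token_urlsafe(64))'
}

# Demonstration of the two behaviours with the variable left unset.
printf 'before, unset -> %s\n' "$(resolve_with_default "")"
if resolve_required "" >/dev/null 2>&1; then
    echo "after, unset -> accepted (unexpected)"
else
    echo "after, unset -> compose would refuse to start"
fi
```

Run it as `sh example.sh`; the first line shows the weak default being used, the second shows the fail-fast path. `secret_key_is_acceptable` is the kind of check a deploy script or pre-start hook can run so that a key which is set but still weak (for instance copied from an old `.env` that contained `change-me`) is caught before Paperless starts.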