chore(security): remove hardcoded security key

Remove hardcoded security key for flask.
Use environment variable instead.

.gitignore

@@ -5,4 +5,5 @@ __pycache__/
 .devcontainer/
 
 src/.pdm-python
-src/htmlcov
+src/htmlcov
+src/.env

.gitlab-ci.yml

@@ -14,6 +14,9 @@ build job:
     - export PATH=/root/.local/bin:$PATH
     - pdm install
 
+    # Set environment variables for the tests
+    - export FLASK_SECRET_KEY=$FLASK_SECRET_KEY
+
     # launch tests
     - export PYTHONPATH=.
     - export FLASK_APP=app

docs/questions-part1.md

@@ -6,3 +6,8 @@
 - **Q1.2**: The secret key for flask is hard coded. Is this good practice? What are the dangers? How could this be fixed?
 - **Q1.3**: Give a short description of *Linter*. Integrate a basic linter like [Flake8](https://flake8.pycqa.org/en/latest/) or [Ruff](https://github.com/astral-sh/ruff) in the existing CI/CD pipeline
 - **Q1.4 (optional)**: The run of the current CI/CD pipeline takes some time. Especially the time to setup the docker with the update and installation of all the dependencies is quite time consuming compared to the real testing time. Do you see any alternatives to speed up this process? Describe and try to implement it in your pipeline.
+
+# Answers - Part 1
+## Q1.2
+- It's a very bad practice. The secret key will be exposed in the codebase and can be easily accessed by anyone who has access to the codebase. This can lead to security vulnerabilities and compromise the integrity of the application.
+- To fix this, you can use environment variables to store the secret key.

src/.env.template

@@ -0,0 +1 @@
+FLASK_SECRET_KEY=

src/app.py

@@ -18,6 +18,10 @@
 from flask import request, Flask, url_for, render_template, redirect
 import operators
 import json
+from dotenv import load_dotenv
+import os
+
+
 
 
 __author__ = 'Michael Mäder'
@@ -36,7 +40,7 @@ A little web application that offers API calls for arithmetic operations
 # creation of the Flask application
 app = Flask(__name__)
 
-app.config['SECRET_KEY'] = 'the-best-secret-ever'   # super secure key against CSRF attacks
+app.config['SECRET_KEY'] = os.environ.get('FLASK_SECRET_KEY')   # super secure key against CSRF attacks
 
 # global variable containing the name of the login user
 global_data = {'username': 'no_user'}

src/pdm.lock

@@ -5,7 +5,7 @@
 groups = ["default"]
 strategy = ["inherit_metadata"]
 lock_version = "4.5.0"
-content_hash = "sha256:5a2be8939d6734b2295f420aee17c34be5958903eb13eba88b45213f3c4c0333"
+content_hash = "sha256:e36fdc748f0c9135da773b2fbab7f45cc5c43e27fad6d39d2de23857da4c1a91"
 
 [[metadata.targets]]
 requires_python = ">3.11"
@@ -177,6 +177,18 @@ files = [
     {file = "coverage-7.6.12.tar.gz", hash = "sha256:48cfc4641d95d34766ad41d9573cc0f22a48aa88d22657a1fe01dca0dbae4de2"},
 ]
 
+[[package]]
+name = "dotenv"
+version = "0.9.9"
+summary = "Deprecated package"
+groups = ["default"]
+dependencies = [
+    "python-dotenv",
+]
+files = [
+    {file = "dotenv-0.9.9-py2.py3-none-any.whl", hash = "sha256:29cf74a087b31dafdb5a446b6d7e11cbce8ed2741540e2339c69fbef92c94ce9"},
+]
+
 [[package]]
 name = "flask"
 version = "3.1.0"
@@ -364,6 +376,17 @@ files = [
     {file = "pytest_cov-6.0.0-py3-none-any.whl", hash = "sha256:eee6f1b9e61008bd34975a4d5bab25801eb31898b032dd55addc93e96fcaaa35"},
 ]
 
+[[package]]
+name = "python-dotenv"
+version = "1.0.1"
+requires_python = ">=3.8"
+summary = "Read key-value pairs from a .env file and set them as environment variables"
+groups = ["default"]
+files = [
+    {file = "python-dotenv-1.0.1.tar.gz", hash = "sha256:e324ee90a023d808f1959c46bcbc04446a10ced277783dc6ee09987c37ec10ca"},
+    {file = "python_dotenv-1.0.1-py3-none-any.whl", hash = "sha256:f7b63ef50f1b690dddf550d03497b66d609393b40b564ed0d674909a68ebf16a"},
+]
+
 [[package]]
 name = "werkzeug"
 version = "3.1.3"

src/pyproject.toml

@@ -10,6 +10,7 @@ dependencies = [
     "pytest-cov>=4.1.0",
     "Flask>=3.0.2",
     "flask-wtf>=1.2.1",
+    "dotenv>=0.9.9",
 ]
 requires-python = ">3.11"
 readme = "README.md"