Merged
Expand Up @@ -703,8 +703,8 @@ def _create_access_token(data: dict, expires=None, scopes=None) -> bytes:
# if the ALLOW_INSECURE_LOGIN environment variable is set then do not set
# the httponly, samesite, or secure attributes on the cookie.
# This is useful for testing purposes, but should not be used in production.

if not os.environ.get("ALLOW_INSECURE_LOGIN", request.is_local):
allow_insecure = os.environ.get("ALLOW_INSECURE_LOGIN", "False").lower() in ["yes", "true"]
if not allow_insecure:
response.cookies["access_token"]["httponly"] = True
response.cookies["access_token"]["samesite"] = "None"
response.cookies["access_token"]["secure"] = True
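Review bot: the comment above this check still says the flags are skipped "if the ALLOW_INSECURE_LOGIN environment variable is set", but the new parsing only honours the values yes/true (case-insensitive) and treats anything else, including an unset variable, as secure; update the comment to match. The new form also fixes a real bug in the old line: `os.environ.get("ALLOW_INSECURE_LOGIN", request.is_local)` used string truthiness, so `ALLOW_INSECURE_LOGIN=False` would have enabled insecure cookies. Two follow-ups worth stating in the PR: dropping the `request.is_local` fallback means a plain http://localhost dev server now needs `ALLOW_INSECURE_LOGIN=true` explicitly, otherwise the cookie is marked `secure` and the browser never sends it back; and `.strip()` before `.lower()` would tolerate a trailing space in the .env value.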
6 changes: 3 additions & 3 deletions docs/source/environmental_vars.rst
Expand Up @@ -52,10 +52,10 @@ There are a number of other variables - none of them are important unless you ar
* ``RUNESTONE_HOST`` *(d)* - this is the canonical host name of the server. It is used to generate links to the server. For development you should just set it to ``localhost``. In production it should be something like ``runestone.academy`` or ``runestone.academy:8000`` if you are running on a non-standard port.
* ``LOAD_BALANCER_HOST`` *(d)* - this is the canonical host name of the server when you are running in production with several workers. It is used to generate links to the server. For development purposes you should not set this variable. In production it should be something like ``runestone.academy`` or ``runestone.academy:8000`` if you are running on a non-standard port. You would typically only need to set this or RUNESTONE_HOST.
* ``NUM_SERVERS`` *(d)* - this is the number of workers you are running. It will default to 1 if not set. This is only important if you are running in production mode, behind a load balancer.
* ``ALLOW_INSECURE_LOGIN`` *(d)* - this is a flag that allows users to log in without HTTPS. This should only be used for development purposes and not in production. This can be set to ``yes`` or ``true`` in the ``docker-compose.yml`` file for the ``runestone`` service. If you are running in production mode, you should **not** set this variable. Note, LTI will not work if this is set.
* ``LTI1P3_PRIVATE_KEY`` *(d)* - this is the private key used for LTI 1.3 authentication. It should be a long random string. You can generate one by running ``openssl genpkey -algorithm RSA -out private.key -pkeyopt rsa_keygen_bits:2048``.
* ``ALLOW_INSECURE_LOGIN`` *(d)* - this is a flag that allows users to log in without HTTPS. This should only be used for development purposes and not in production. This can be set to ``yes`` or ``true`` in the ``.env``. If you are running in production mode, you should keep this variable set to False. Note, LTI will not work if this is set.
* ``LTI1P3_PRIVATE_KEY`` *(d)* - this is the private key used for LTI 1.3 authentication. It should be a long random string. You can generate one by running ``openssl genpkey -algorithm RSA -out private.key -pkeyopt rsa_keygen_bits:2048``.
* ``LTI1P3_PUBLIC_KEY`` *(d)* - this is the public key used for LTI 1.3 authentication. You can generate one by running ``openssl rsa -in private.key -pubout -out public.key``. This is used to verify the signature of the LTI 1.3 authentication request.
* ``FERNET_SECRET`` *(d)* - this is the secret used for encrypting and decrypting data. It is required for encrypted columns. You can generate one by running ``openssl rand -base64 32``.
* ``FERNET_SECRET`` *(d)* - this is the secret used for encrypting and decrypting data. It is required for encrypted columns. You can generate one by running ``openssl rand -base64 32``.

.. note:: Host Side Development Notes

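Review bot: the `LTI1P3_PRIVATE_KEY` entry, which this hunk re-adds, says the key "should be a long random string", but the command it gives generates an RSA private key; it should say the value is the PEM-encoded RSA private key produced by `openssl genpkey ... rsa_keygen_bits:2048`, not a random string. For `ALLOW_INSECURE_LOGIN`, "keep this variable set to False" is fine but incomplete: with the new parsing, anything other than yes/true (including leaving it unset) keeps the cookie flags on, so the doc could say "leave it unset or set to False" and mention that the match is case-insensitive.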
8 changes: 4 additions & 4 deletions sample.env
Expand Up @@ -82,10 +82,10 @@ LTI1P3_PUBLIC_KEY = "-----BEGIN PUBLIC KEY-----
MAKE YOUR OWN KEY PAIR AND PASTE PUBLIC KEY HERE
-----END PUBLIC KEY-----"

# Insecure Login
# Insecure Login. Set to True or Yes to enable.
# Warning! Only use this for development, if you are running a server over http
# that is not localhost
# ALLOW_INSECURE_LOGIN = yes
# that is not localhost.
ALLOW_INSECURE_LOGIN = False

# this is used by web2py to decide on how to set the session cookie settings.
# In production you will want to change this to https://
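Review bot: the warning "Only use this for development, if you are running a server over http that is not localhost" is now stale, since the accompanying code change removes the `request.is_local` special case; with this PR a server on http://localhost also needs `ALLOW_INSECURE_LOGIN = True` for the login cookie to be sent, so the comment should drop "that is not localhost". Also, `ALLOW_INSECURE_LOGIN = False` uses spaces around `=` (consistent with the `LTI1P3_PUBLIC_KEY` entry above but not with `UVICORN_WORKERS=5` below); that is fine for python-dotenv, but if this file is ever passed to docker compose as an env_file, confirm that loader strips the spaces rather than making them part of the key.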
Expand Down Expand Up @@ -113,4 +113,4 @@ UVICORN_WORKERS=5
GUNICORN_CMD_ARGS="--workers=3 --log-level 'debug'"

# Set the log level - for production set this to info or higher
LOG_LEVEL=DEBUG
LOG_LEVEL=DEBUG
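Review bot: the only visible change here is `LOG_LEVEL=DEBUG` removed and re-added unchanged, so this is a trailing-whitespace or end-of-file newline fix with no functional effect; harmless, but it could be dropped from a PR that is about the `ALLOW_INSECURE_LOGIN` parsing so the diff stays focused.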