From 5b4ae740a2ad980a67d6489af1172c526c070f9a Mon Sep 17 00:00:00 2001
From: Guillaume Beraudo
Date: Tue, 25 Jun 2019 13:33:46 +0200
Subject: [PATCH] Prevent using unsecure secret
---
 geoportal/c2cgeoportal_geoportal/lib/authentication.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/geoportal/c2cgeoportal_geoportal/lib/authentication.py b/geoportal/c2cgeoportal_geoportal/lib/authentication.py
index a70176fc875..44e3bb3772d 100644
--- a/geoportal/c2cgeoportal_geoportal/lib/authentication.py
+++ b/geoportal/c2cgeoportal_geoportal/lib/authentication.py
@@ -44,6 +44,10 @@ def create_authentication(settings):
 http_only = http_only.lower() in ("true", "yes", "1")
 secure = settings.get("authtkt_secure", "True")
 secure = secure.lower() in ("true", "yes", "1")
+ if len(settings["authtkt_secret"]) < 64:
+ raise Exception('"authtkt_secret should be at least 64 characters.' 'See https://docs.pylonsproject.org/projects/pyramid/en/latest/api/session.html')
+
 cookie_authentication_policy = AuthTktAuthenticationPolicy(
 settings["authtkt_secret"],
 callback=defaultgroupsfinder,
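Review bot: The error message raised in the new length check is malformed: the first literal opens with a stray `"` before `authtkt_secret`, and the two implicitly concatenated literals have no separating space, so the operator reads `...64 characters.See https://...`. A narrower exception type also tells an operator this is a configuration error rather than an unexpected failure; I would write `raise ValueError('authtkt_secret should be at least 64 characters. See https://docs.pylonsproject.org/projects/pyramid/en/latest/api/session.html')`. Note that `len()` only enforces length, not randomness — a 64-character value that is predictable is still a weak ticket secret — so the message or a comment above the check should say the value is expected to be generated randomly (e.g. with `secrets.token_hex`), which is presumably what the linked Pyramid documentation recommends. Indexing `settings["authtkt_secret"]` raises a bare `KeyError` when the key is absent, but the pre-existing policy constructor line already does the same, so that behaviour is unchanged by this hunk. The body of `create_authentication` continues beyond the hunk.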