SECURITY_PASSWORD_SALT must not be None - flask security

Asked 5/10, 2018 at 9:39 Answered 27/5, 2020 at 18:54

This question is related to: Unique Salt per User using Flask-Security, but I'm more concerned with removing this error message.

The linked question established that flask-security uses per-user salts, which is good since a global salt is pointless.

So my question is what's the point of this configuration variable, and what should I set it to to resolve this error? Does it matter what I set it to?
I don't think I need a global salt since flask-security uses passlib which takes care of salts for me.

(The error message in the title occurs even when copying the example straight from the docs: (peewee example))

Regarding answered 5/10, 2018 at 9:39 Comment(0)

The global "salt" you specify in SECURITY_PASSWORD_SALT is combined with the unique salt generated for each password that gets created. That combined value is then used to salt the password when it gets hashed. So yes, you do need to set this, it's not a spurious error.

(Others have noted that it's quite confusing to refer to this as a salt, when that strongly implies that the value in this variable is going to be used to salt the password for every user. Fortunately, that's not what happens.)

Here are some options for generating a random string.

Hankypanky answered 5/3, 2019 at 23:55 Comment(2)

How do you set the SECURITY_PASSWORD_SALT? – Appalachian 26/7, 2019 at 13:17

It's one of the Flask-Security configuration variables. So in its simplest form that could look like app.config['SECURITY_PASSWORD_SALT'] = 'MY_SALT'. More here. – Hankypanky 26/7, 2019 at 20:31

Usually the SECRET_KEY value is set in a Flask app. A simple solution to the error with Flask-Security is add this line to your Flask application:

if 'SECURITY_PASSWORD_SALT' not in app.config:
    app.config['SECURITY_PASSWORD_SALT'] = app.config['SECRET_KEY']

Subbase answered 27/5, 2020 at 18:54 Comment(0)

Recommended topics

Hot tags