From 9c65723e9d6ab6ac0de0544cea5600a45ef3c4ce Mon Sep 17 00:00:00 2001
From: Phil Skentelbery
Date: Sun, 23 Nov 2025 19:36:08 -0700
Subject: [PATCH] fix: Handle empty FLASK_SECRET_KEY in config (v0.9.5)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
os.getenv() returns empty string instead of using default when env var is set but empty. This caused SECRET_KEY to be empty when FLASK_SECRET_KEY="" was in .env, breaking Flask sessions/flash messages. Now treats empty string same as unset, properly falling back to SESSION_SECRET.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude
---
 CHANGELOG.md | 8 ++++++++
 starpunk/__init__.py | 4 ++--
 starpunk/config.py | 6 +++---
 3 files changed, 13 insertions(+), 5 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ca85fb0..35fa2a6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,6 +7,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
+## [0.9.5] - 2025-11-23
+
+### Fixed
+- **SECRET_KEY empty string handling**: Fixed config.py to properly handle empty `FLASK_SECRET_KEY` environment variable
+ - `os.getenv()` returns empty string (not None) when env var is set to `""`
+ - Empty string now correctly falls back to SESSION_SECRET
+ - Prevents Flask session/flash failures when FLASK_SECRET_KEY="" in .env file
+
 ## [0.9.4] - 2025-11-22
 ### Fixed
diff --git a/starpunk/__init__.py b/starpunk/__init__.py
index d16fbb8..7eb4118 100644
--- a/starpunk/__init__.py
+++ b/starpunk/__init__.py
@@ -153,5 +153,5 @@ def create_app(config=None):
 # Package version (Semantic Versioning 2.0.0)
 # See docs/standards/versioning-strategy.md for details
-__version__ = "0.9.4"
-__version_info__ = (0, 9, 4)
+__version__ = "0.9.5"
+__version_info__ = (0, 9, 5)
diff --git a/starpunk/config.py b/starpunk/config.py
index a8293df..7d9c00d 100644
--- a/starpunk/config.py
+++ b/starpunk/config.py
@@ -44,9 +44,9 @@ def load_config(app, config_override=None):
 )
 # Flask secret key (uses SESSION_SECRET by default)
- app.config["SECRET_KEY"] = os.getenv(
- "FLASK_SECRET_KEY", app.config["SESSION_SECRET"]
- )
+ # Note: We check for truthy value to handle empty string in .env
+ flask_secret = os.getenv("FLASK_SECRET_KEY")
+ app.config["SECRET_KEY"] = flask_secret if flask_secret else app.config["SESSION_SECRET"]
 # Data paths
 app.config["DATA_PATH"] = Path(os.getenv("DATA_PATH", "./data"))
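Review bot: The value that ends up in `SECRET_KEY` is never checked, so it can still be empty when `SESSION_SECRET` is itself empty, and a whitespace-only `FLASK_SECRET_KEY` passes the truthiness test and becomes the cookie-signing key. An empty key only breaks sessions at first use, but a blank one is trivially guessable and would let session cookies be forged, so failing at startup is the safer behaviour. How `SESSION_SECRET` is loaded and validated is not visible here (load_config starts and ends outside the hunk), so this may already be covered earlier; if it is not, add `if not (app.config["SECRET_KEY"] or "").strip(): raise ValueError("SECRET_KEY is empty; set FLASK_SECRET_KEY or SESSION_SECRET")` right after the assignment. The assignment itself reads more simply as `app.config["SECRET_KEY"] = flask_secret or app.config["SESSION_SECRET"]`.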