Drop SHARED_SECRET in favour of EMAIL_SECRET

Originally we used SHARED secret both for email and for the API. That was a bad idea, and now that we're only using this value for one case, I've renamed it to reflect its actual use.
2025-10-30 03:56:23 -05:00 · 2017-06-18 21:54:36 +01:00
parent 8417ac7eeb
commit f66d7e1c2d
9 changed files with 53 additions and 42 deletions
--- a/docs/changelog.rst
+++ b/docs/changelog.rst
@@ -1,6 +1,17 @@
 Changelog
 #########

+* 0.6.0
+  * Abandon the shared-secret trick we were using for the POST API in favour
+    of BasicAuth or Django session.
+  * Fix the POST API so it actually works.  `#236`_
+  * **Breaking change**: We've dropped the use of ``PAPERLESS_SHARED_SECRET``
+    as it was being used both for the API (now replaced with a normal auth)
+    and form email polling.  Now that we're only using it for email, this
+    variable has been renamed to ``PAPERLESS_EMAIL_SECRET``.  The old value
+    will still work for a while, but you should change your config if you've
+    been using the email polling feature.  Thanks to `Joshua Gilman`_ for all
+    the help with this feature.
 * 0.5.0
  * Support for fuzzy matching in the auto-tagger & auto-correspondent systems
    thanks to `Jake Gysland`_'s patch `#220`_.
@@ -11,7 +22,8 @@ Changelog
    thanks to `CkuT`_ for finding this shortcoming and doing the work to get
    it fixed in `#224`_.
  * All of the following changes are thanks to `David Martin`_:
-    * Bumped the dependency on pyocr to 0.4.7 so new users can make use of Tesseract 4 if they so prefer (`#226`_).
+    * Bumped the dependency on pyocr to 0.4.7 so new users can make use of
+    Tesseract 4 if they so prefer (`#226`_).
    * Fixed a number of issues with the automated mail handler (`#227`_, `#228`_)
    * Amended the documentation for better handling of systemd service files (`#229`_)
    * Amended the Django Admin configuration to have nice headers (`#230`_)
@@ -206,6 +218,7 @@ Changelog
 .. _CkuT: https://github.com/CkuT
 .. _David Martin: https://github.com/ddddavidmartin
 .. _Paperless Desktop: https://github.com/thomasbrueggemann/paperless-desktop
+.. _Joshua Gilman: https://github.com/jmgilman

 .. _#20: https://github.com/danielquinn/paperless/issues/20
 .. _#44: https://github.com/danielquinn/paperless/issues/44
@@ -243,4 +256,5 @@ Changelog
 .. _#228: https://github.com/danielquinn/paperless/pull/228
 .. _#229: https://github.com/danielquinn/paperless/pull/229
 .. _#230: https://github.com/danielquinn/paperless/pull/230
+.. _#236: https://github.com/danielquinn/paperless/issues/236

--- a/docs/consumption.rst
+++ b/docs/consumption.rst
@@ -125,7 +125,7 @@ So, with all that in mind, here's what you do to get it running:
   ``PATHS AND FOLDERS`` and ``SECURITY``.
   If you decided to use a subfolder of an existing account, then make sure you
   set ``PAPERLESS_CONSUME_MAIL_INBOX`` accordingly here.  You also have to set
-   the ``PAPERLESS_SHARED_SECRET`` to something you can remember 'cause you'll
+   the ``PAPERLESS_EMAIL_SECRET`` to something you can remember 'cause you'll
   have to include that in every email you send.
 3. Restart the :ref:`consumer <utilities-consumer>`.  The consumer will check
   the configured email account at startup and from then on every 10 minutes
--- a/paperless.conf.example
+++ b/paperless.conf.example
@@ -5,7 +5,7 @@


 ###############################################################################
-####                       Paths  and folders                              ####
+####                         Paths & Folders                               ####
 ###############################################################################

 # This where your documents should go to be consumed.  Make sure that it exists
@@ -39,7 +39,11 @@ PAPERLESS_CONSUME_MAIL_PASS=""

 # Override the default IMAP inbox here. If not set Paperless defaults to
 # "INBOX".
-#PAPERLESS_CONSUME_MAIL_INBOX=""
+#PAPERLESS_CONSUME_MAIL_INBOX="INBOX"
+
+# Any email sent to the target account that does not contain this text will be
+# ignored.
+PAPERLESS_EMAIL_SECRET=""


 ###############################################################################
@@ -61,11 +65,6 @@ PAPERLESS_CONSUME_MAIL_PASS=""
 PAPERLESS_PASSPHRASE="secret"


-# If you intend to consume documents either via HTTP POST or by email, you must
-# have a shared secret here.
-PAPERLESS_SHARED_SECRET=""
-
-
 # The secret key has a default that should be fine so long as you're hosting
 # Paperless on a closed network.  However, if you're putting this anywhere
 # public, you should change the key to something unique and verbose.
--- a/src/documents/forms.py
+++ b/src/documents/forms.py
@@ -13,7 +13,6 @@ from .consumer import Consumer

 class UploadForm(forms.Form):

-    SECRET = settings.SHARED_SECRET
    TYPE_LOOKUP = {
        "application/pdf": Document.TYPE_PDF,
        "image/png": Document.TYPE_PNG,
--- a/src/documents/mail.py
+++ b/src/documents/mail.py
@@ -43,7 +43,10 @@ class Message(Loggable):
    and n attachments, and that we don't care about the message body.
    """

-    SECRET = settings.SHARED_SECRET
+    SECRET = os.getenv(
+        "PAPERLESS_EMAIL_SECRET",
+        os.getenv("PAPERLESS_SHARED_SECRET")  # TODO: Remove after 2017/09
+    )

    def __init__(self, data, group=None):
        """
@@ -153,15 +156,16 @@ class MailFetcher(Loggable):
        Loggable.__init__(self)

        self._connection = None
-        self._host = settings.MAIL_CONSUMPTION["HOST"]
-        self._port = settings.MAIL_CONSUMPTION["PORT"]
-        self._username = settings.MAIL_CONSUMPTION["USERNAME"]
-        self._password = settings.MAIL_CONSUMPTION["PASSWORD"]
-        self._inbox = settings.MAIL_CONSUMPTION["INBOX"]
+        self._host = os.getenv("PAPERLESS_CONSUME_MAIL_HOST")
+        self._port = os.getenv("PAPERLESS_CONSUME_MAIL_PORT")
+        self._username = os.getenv("PAPERLESS_CONSUME_MAIL_USER")
+        self._password = os.getenv("PAPERLESS_CONSUME_MAIL_PASS")
+        self._inbox = os.getenv("PAPERLESS_CONSUME_MAIL_INBOX", "INBOX")

        self._enabled = bool(self._host)

        self.last_checked = datetime.datetime.now()
+        print(self._connection, self._host, self._port, self._username, self._password, self._inbox, self._enabled, self.last_checked)

    def pull(self):
        """
--- a/src/paperless/checks.py
+++ b/src/paperless/checks.py
@@ -84,3 +84,20 @@ def binaries_check(app_configs, **kwargs):
            check_messages.append(Warning(error.format(binary), hint))

    return check_messages
+
+
+@register()
+def config_check(app_configs, **kwargs):
+    warning = (
+        "It looks like you have PAPERLESS_SHARED_SECRET defined.  Note that "
+        "in the \npast, this variable was used for both API authentication "
+        "and as the mail \nkeyword.  As the API no no longer uses it, this "
+        "variable has been renamed to \nPAPERLESS_EMAIL_SECRET, so if you're "
+        "using the mail feature, you'd best update \nyour variable name.\n\n"
+        "The old variable will stop working in a few months."
+    )
+
+    if os.getenv("PAPERLESS_SHARED_SECRET"):
+        return [Warning(warning)]
+
+    return []
--- a/src/paperless/settings.py
+++ b/src/paperless/settings.py
@@ -237,20 +237,6 @@ CONSUMPTION_DIR = os.getenv("PAPERLESS_CONSUMPTION_DIR")
 # slowly, you may want to use a higher value than the default.
 CONSUMER_LOOP_TIME = int(os.getenv("PAPERLESS_CONSUMER_LOOP_TIME", 10))

-# If you want to use IMAP mail consumption, populate this with useful values.
-# If you leave HOST set to None, we assume you're not going to use this
-# feature.
-MAIL_CONSUMPTION = {
-    "HOST": os.getenv("PAPERLESS_CONSUME_MAIL_HOST"),
-    "PORT": os.getenv("PAPERLESS_CONSUME_MAIL_PORT"),
-    "USERNAME": os.getenv("PAPERLESS_CONSUME_MAIL_USER"),
-    "PASSWORD": os.getenv("PAPERLESS_CONSUME_MAIL_PASS"),
-    # If True, use SSL/TLS to connect
-    "USE_SSL": os.getenv("PAPERLESS_CONSUME_MAIL_USE_SSL", "y").lower() == "y",
-    # The name of the inbox on the server
-    "INBOX": os.getenv("PAPERLESS_CONSUME_MAIL_INBOX", "INBOX")
-}
-
 # This is used to encrypt the original documents and decrypt them later when
 # you want to download them.  Set it and change the permissions on this file to
 # 0600, or set it to `None` and you'll be prompted for the passphrase at
@@ -260,11 +246,6 @@ MAIL_CONSUMPTION = {
 # files.
 PASSPHRASE = os.getenv("PAPERLESS_PASSPHRASE")

-# If you intend to use the "API" to push files into the consumer, you'll need
-# to provide a shared secret here.  Leaving this as the default will disable
-# the API.
-SHARED_SECRET = os.getenv("PAPERLESS_SHARED_SECRET", "")
-
 # Trigger a script after every successful document consumption?
 PRE_CONSUME_SCRIPT = os.getenv("PAPERLESS_PRE_CONSUME_SCRIPT")
 POST_CONSUME_SCRIPT = os.getenv("PAPERLESS_POST_CONSUME_SCRIPT")
--- a/src/paperless/urls.py
+++ b/src/paperless/urls.py
@@ -34,18 +34,15 @@ urlpatterns = [
        name="fetch"
    ),

+    # File uploads
+    url(r"^push$", csrf_exempt(PushView.as_view()), name="push"),
+
    # The Django admin
    url(r"admin/", admin.site.urls),
    url(r"", admin.site.urls),  # This is going away

 ] + static.static(settings.MEDIA_URL, document_root=settings.MEDIA_ROOT)

-if settings.SHARED_SECRET:
-    urlpatterns.insert(
-        0,
-        url(r"^push$", csrf_exempt(PushView.as_view()), name="push")
-    )
-
 # Text in each page's <h1> (and above login form).
 admin.site.site_header = 'Paperless'
 # Text at the end of each page's <title>.
--- a/src/paperless/version.py
+++ b/src/paperless/version.py
@@ -1 +1 @@
-__version__ = (0, 5, 0)
+__version__ = (0, 6, 0)