refactor(socialaccount): Move certificate_key into settings

allauth/socialaccount/adapter.py

@@ -1,5 +1,7 @@
 from __future__ import absolute_import
 
+import warnings
+
 from django.core.exceptions import (
     ImproperlyConfigured,
     MultipleObjectsReturned,
@@ -255,11 +257,13 @@ def list_apps(self, request, provider=None, client_id=None):
                     "client_id",
                     "secret",
                     "key",
-                    "certificate_key",
                     "settings",
                 ]:
                     if field in config:
                         setattr(app, field, config[field])
+                if "certificate_key" in config:
+                    warnings.warn("'certificate_key' should be moved into app.settings")
+                    app.settings["certificate_key"] = config["certificate_key"]
                 if client_id and app.client_id != client_id:
                     continue
                 if (

allauth/socialaccount/models.py

@@ -73,13 +73,6 @@ class SocialApp(models.Model):
         # blank=True allows for disabling apps without removing them
         sites = models.ManyToManyField("sites.Site", blank=True)
 
-    # We want to move away from storing secrets in the database. So, we're
-    # putting a halt towards adding more fields for additional secrets, such as
-    # the certificate some providers need. Therefore, the certificate is not a
-    # DB backed field and can only be set using the ``APP`` configuration key
-    # in the provider settings.
-    certificate_key = None
-
     class Meta:
         verbose_name = _("social application")
         verbose_name_plural = _("social applications")

allauth/socialaccount/providers/apple/client.py

@@ -39,7 +39,8 @@ def generate_client_secret(self):
         app = get_adapter(self.request).get_app(self.request, "apple")
         if not app.key:
             raise ImproperlyConfigured("Apple 'key' missing")
-        if not app.certificate_key:
+        certificate_key = app.settings.get("certificate_key")
+        if not certificate_key:
             raise ImproperlyConfigured("Apple 'certificate_key' missing")
         claims = {
             "iss": app.key,
@@ -50,7 +51,7 @@ def generate_client_secret(self):
         }
         headers = {"kid": self.consumer_secret, "alg": "ES256"}
         client_secret = jwt_encode(
-            payload=claims, key=app.certificate_key, algorithm="ES256", headers=headers
+            payload=claims, key=certificate_key, algorithm="ES256", headers=headers
         )
         return client_secret
 

allauth/socialaccount/providers/apple/tests.py

@@ -107,12 +107,14 @@ def sign_id_token(payload):
                 "client_id": "app123id",
                 "key": "apple",
                 "secret": "dummy",
-                "certificate_key": """-----BEGIN PRIVATE KEY-----
+                "settings": {
+                    "certificate_key": """-----BEGIN PRIVATE KEY-----
 MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg2+Eybl8ojH4wB30C
 3/iDkpsrxuPfs3DZ+3nHNghBOpmhRANCAAQSpo1eQ+EpNgQQyQVs/F27dkq3gvAI
 28m95JEk26v64YAea5NTH56mru30RDqTKPgRVi5qRu3XGyqy3mdb8gMy
 -----END PRIVATE KEY-----
 """,
+                },
             }
         }
     },

docs/socialaccount/providers/apple.rst

@@ -28,13 +28,15 @@ Add the following configuration to your settings:
                  # Prefix in your App ID.
                 "key": "MEMAPPIDPREFIX",
 
-                # The certificate you downloaded when generating the key.
-                "certificate_key": """-----BEGIN PRIVATE KEY-----
+                "settings": {
+                    # The certificate you downloaded when generating the key.
+                    "certificate_key": """-----BEGIN PRIVATE KEY-----
     s3cr3ts3cr3ts3cr3ts3cr3ts3cr3ts3cr3ts3cr3ts3cr3ts3cr3ts3cr3ts3cr
     3ts3cr3ts3cr3ts3cr3ts3cr3ts3cr3ts3cr3ts3cr3ts3cr3ts3cr3ts3cr3ts3
     c3ts3cr3t
     -----END PRIVATE KEY-----
     """
+                }
             }
         }
     }