Signature mismatch in wsgi multi worker deployment

[keshav-space]

Altcha validation fails due to signature mismatch when running in wsgi deployment with multiple workers.

django-altcha/django_altcha/__init__.py

Line 30 in cd40299

ALTCHA_HMAC_KEY = getattr(settings, "ALTCHA_HMAC_KEY", secrets.token_hex(32))

Fallback key generation does not work reliably in wsgi deployments with multiple workers, since each worker loads django_altcha independently, and each one ends up generating a different ALTCHA_HMAC_KEY key. And when challenge generation and validation happen in different workers, Altcha validation fails due to signature mismatch.

Possible fix would be to make ALTCHA_HMAC_KEY mandatory.

[tdruez]

Possible fix would be to make ALTCHA_HMAC_KEY mandatory.

Yes, I also think this is the right approach. Let's first raise a DeprecationWarning for the next release cycle, so users have the chance to set the ALTCHA_HMAC_KEY value before making it a breaking change.

[tdruez]

By the way, the same issue probably applies to the cache system for replay attack protection, when the ALTCHA_CACHE_ALIAS is not provided and the LocMemCache is used.