config keys should be prefixed #696

Open
davidism opened this issue Jul 25, 2022 · 3 comments

davidism commented Jul 25, 2022

Extensions should namespace any values they use in app.config and g with their name (without the "Flask-" prefix). It's usually a good idea to set the default config in init_app as well and access them with []. This makes it easier to reason about what extension manages what config.

Flask-Login currently uses the following keys:

  • USE_SESSION_FOR_NEXT, default False
  • REMEMBER_COOKIE_NAME, default "remember_token"
  • REMEMBER_COOKIE_DOMAIN, default None
  • REMEMBER_COOKIE_PATH, default "/"
  • REMEMBER_COOKIE_SECURE, default False
  • REMEMBER_COOKIE_HTTPONLY, default True
  • REMEMBER_COOKIE_SAMESITE, default None
  • REMEMBER_COOKIE_DURATION, default timedelta(days=365), converts int
  • REMEMBER_COOKIE_REFRESH_EACH_REQUEST, default None, should probably be False
  • AUTH_HEADER_NAME, default "Authorization", removed in 0.7 along with header_loader
  • SESSION_PROTECTION, default self.session_protection, default "basic"
  • FORCE_HOST_FOR_REDIRECTS, default None
  • LOGIN_DISABLED, default False

davidism commented Jul 26, 2022

I'm considering whether we should get rid of a lot of the REMEMBER_COOKIE_ config and have it use the same values as Flask's SESSION_ config. It seems the only ones that should ever be different are NAME and DURATION.


jwag956 commented Oct 20, 2023

In Flask-Security-Too - I have 2 config variables - one for the name, the other is a dict which is passed straight to response.set_cookie.

Such as:
    "CSRF_COOKIE_NAME": None,
    "CSRF_COOKIE": {
        "samesite": "Strict",
        "httponly": False,
        "secure": False,
    },

@davidism

Nowadays I'm moving to dicts as well, since app.config.from_prefixed_env supports nested keys. If I get to this eventually, I'll look into it.

@davidism davidism self-assigned this Nov 2, 2023
@davidism davidism removed their assignment Apr 1, 2024
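
Added example, not Flask-Login's code: a sketch of the proposal in this thread (namespaced keys with defaults set at init time, `[]` access, and cookie attributes shared with Flask's `SESSION_COOKIE_*` keys), using a plain dict in place of `app.config`. The `LOGIN_` prefix, the function names, the duration in seconds and the fail-on-conflict behaviour are assumptions; the `SESSION_COOKIE_*` keys are Flask's own.

```python
import warnings

PREFIX = "LOGIN_"  # assumed namespace (extension name without "Flask-")
# Assumed prefixed names for the two settings that stay extension-specific.
OWN_DEFAULTS = {"REMEMBER_COOKIE_NAME": "remember_token",
                "REMEMBER_COOKIE_DURATION": 365 * 24 * 3600}  # seconds
# Attributes taken from Flask's existing SESSION_COOKIE_* keys instead.
SHARED = ("DOMAIN", "PATH", "SECURE", "HTTPONLY", "SAMESITE")


def init_config(config):
    """Config half of a hypothetical init_app; `config` is a dict like app.config."""
    for old, default in OWN_DEFAULTS.items():
        new = PREFIX + old
        if old in config:  # migrate the unprefixed key, but tell the operator
            warnings.warn(f"{old} is deprecated; use {new}", DeprecationWarning)
            config.setdefault(new, config[old])
        config.setdefault(new, default)
    # A leftover unprefixed key that disagrees with the session value must not
    # be dropped silently: ignoring REMEMBER_COOKIE_SECURE=True would weaken
    # the remember cookie without anyone noticing.
    conflicts = sorted(
        f"REMEMBER_COOKIE_{a}" for a in SHARED
        if f"REMEMBER_COOKIE_{a}" in config
        and config[f"REMEMBER_COOKIE_{a}"] != config[f"SESSION_COOKIE_{a}"]
    )
    if conflicts:
        raise ValueError(f"conflicts with SESSION_COOKIE_*: {conflicts}")
    return config


def remember_cookie_kwargs(config):
    """Keyword arguments for response.set_cookie(); [] makes a missing key fail loudly."""
    kwargs = {a.lower(): config[f"SESSION_COOKIE_{a}"] for a in SHARED}
    kwargs["key"] = config[PREFIX + "REMEMBER_COOKIE_NAME"]
    kwargs["max_age"] = config[PREFIX + "REMEMBER_COOKIE_DURATION"]
    return kwargs


# Constructed sample: session cookie keys as a hardened app might set them,
# plus one legacy unprefixed key that still needs migrating.
SAMPLE = {"SESSION_COOKIE_DOMAIN": None, "SESSION_COOKIE_PATH": "/",
          "SESSION_COOKIE_SECURE": True, "SESSION_COOKIE_HTTPONLY": True,
          "SESSION_COOKIE_SAMESITE": "Lax", "REMEMBER_COOKIE_NAME": "rt"}

if __name__ == "__main__":
    print(remember_cookie_kwargs(init_config(dict(SAMPLE))))
```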