Signing secret not used

[rclement]

When deploying a Datasette instance to Vercel combined with plugins requiring the signing secret (e.g. datasette-auth-passwords):

• Authentication is disconnected after navigating for a few pages
• The following message appears when logging for the second time: "form-urlencoded POST field did not match cookie"

This is clearly a CSRF token issue. After some investigation, it seems the DATASETTE_SECRET environment variable is not taken into account after deployment:

• datasette publish vercel command generates and sets a Vercel environment variable named DATASETTE_SECRET
• In the serverless function index.py, the DATASETTE_SECRET is never picked up and a new secret is generated (DATASETTE_SECRET is only picked-up by the datasette CLI)
• Quite oftern a new copy of the serverless function is called server-side thus rotating the secret automatically!

The fix seems easy enough, I'll propose a PR to fix the serverless function to pick-up the DATASETTE_SECRET env var.

[rclement]

To debug this issue, here is a simple reproduction setup:

• plugins/debug.py

from datasette import hookimpl
import os


@hookimpl
def extra_template_vars(
    template, database, table, columns, view_name, request, datasette
):
    return {
        "secret": datasette._secret,
        "env_secret": os.environ.get("DATASETTE_SECRET"),
    }

• templates/pages/debug.html

<p>{{ secret }}</p>
<p>{{ env_secret }}</p>

• Deploy:

datasette publish vercel --template-dir templates --plugins-dir plugins --project=ds-debug-secret

• Go to /debug: both values should be equal but they are not