Solution: When we look at the code we see the secret_key variable is declared, but right after that it gets the variables from the url. This means we can change to secret_key variable to anything we like.
When we enter the following url (we could have used anything instead of pass, as long as the password and secret_key variable are set to the same value):
we get our flag.
For other challenge write-ups from this CTF see the overview.