diff --git a/backend/.env.example b/backend/.env.example index 715859c..e71656b 100644 --- a/backend/.env.example +++ b/backend/.env.example @@ -1,5 +1,7 @@ # Application settings APP_NAME="Space Booking API" +# DEBUG=true for local dev. In production set DEBUG=false — the app will then +# REFUSE to start unless SECRET_KEY is changed from the default below. DEBUG=true # Database @@ -26,7 +28,18 @@ GOOGLE_CLIENT_ID=your_google_client_id_here GOOGLE_CLIENT_SECRET=your_google_client_secret_here GOOGLE_REDIRECT_URI=http://localhost:8000/api/integrations/google/callback +# Demo seed (LOCAL DEV ONLY). The entrypoint runs seed_db.py only when +# RUN_SEED=1. It plants weak demo accounts/content — never set this in prod. +# RUN_SEED=1 +# ADMIN_PASSWORD= +# MANAGER_PASSWORD= +# USER_PASSWORD= + # === PRODUCTION (Dokploy) === +# Do NOT set RUN_SEED. Tables are auto-created on boot, and the FIRST user to +# register becomes the superadmin (instance owner) — register your own account +# first, immediately after deploy. +# DEBUG=false # SECRET_KEY= # FRONTEND_URL=https://space.roa.romfast.ro # SMTP_ENABLED=true diff --git a/backend/app/api/auth.py b/backend/app/api/auth.py index 2bd8c2e..134d09c 100644 --- a/backend/app/api/auth.py +++ b/backend/app/api/auth.py @@ -63,20 +63,31 @@ async def register( if existing: raise HTTPException(status_code=400, detail="Email already registered") - # Create user (inactive until verified) + # The very first user to register becomes the superadmin (the instance + # owner) and is activated immediately, so the platform can be bootstrapped + # without depending on email/SMTP delivery. + is_first_user = db.query(User).count() == 0 + user = User( email=data.email, hashed_password=get_password_hash(data.password), full_name=data.full_name, organization=data.organization, - role="user", # Default role - is_active=False, # Inactive until email verified + role="superadmin" if is_first_user else "user", + is_active=is_first_user, # First user active immediately; others verify email ) db.add(user) db.commit() db.refresh(user) + # First user is already active — no verification email needed. + if is_first_user: + return { + "message": "Admin account created. You can log in now.", + "email": user.email, + } + # Generate verification token (JWT, expires in 24h) verification_token = jwt.encode( { diff --git a/backend/app/core/config.py b/backend/app/core/config.py index 8a9ccf7..94a6a2d 100644 --- a/backend/app/core/config.py +++ b/backend/app/core/config.py @@ -1,7 +1,19 @@ """Application configuration.""" from typing import List +from pydantic import model_validator from pydantic_settings import BaseSettings, SettingsConfigDict +DEFAULT_SECRET_KEY = "your-secret-key-change-in-production" + +# Known weak/placeholder secrets that must never reach production. +WEAK_SECRET_KEYS = { + DEFAULT_SECRET_KEY, + "change-me-in-production", # docker-compose fallback + "change-me", + "secret", + "changeme", +} + class Settings(BaseSettings): """Application settings.""" @@ -20,7 +32,7 @@ class Settings(BaseSettings): database_url: str = "sqlite:///./space_booking.db" # JWT - secret_key: str = "your-secret-key-change-in-production" + secret_key: str = DEFAULT_SECRET_KEY algorithm: str = "HS256" access_token_expire_minutes: int = 1440 # 24 hours @@ -44,5 +56,17 @@ class Settings(BaseSettings): "https://www.googleapis.com/auth/calendar.events" ] + @model_validator(mode="after") + def _enforce_production_secrets(self) -> "Settings": + """Refuse to boot in production with a weak SECRET_KEY.""" + if not self.debug: + if self.secret_key in WEAK_SECRET_KEYS or len(self.secret_key) < 32: + raise ValueError( + "SECRET_KEY is weak or a placeholder. Set a strong, random value " + "(>= 32 chars) before running in production (DEBUG=false). " + "Generate one with: python -c \"import secrets; print(secrets.token_hex(32))\"" + ) + return self + settings = Settings() diff --git a/backend/app/main.py b/backend/app/main.py index a03a597..52dedd2 100644 --- a/backend/app/main.py +++ b/backend/app/main.py @@ -35,9 +35,14 @@ Base.metadata.create_all(bind=engine) app = FastAPI(title=settings.app_name) # CORS middleware +# In production only the configured frontend is allowed; localhost is dev-only. +_allowed_origins = [settings.frontend_url] +if settings.debug: + _allowed_origins.append("http://localhost:5173") + app.add_middleware( CORSMiddleware, - allow_origins=[settings.frontend_url, "http://localhost:5173"], + allow_origins=_allowed_origins, allow_credentials=True, allow_methods=["*"], allow_headers=["*"], diff --git a/backend/entrypoint.sh b/backend/entrypoint.sh old mode 100644 new mode 100755 index 4be7ecc..98df0e5 --- a/backend/entrypoint.sh +++ b/backend/entrypoint.sh @@ -1,6 +1,17 @@ #!/bin/bash set -e -echo "[entrypoint] Running database seed..." -python seed_db.py + +# Database tables are created automatically on application startup +# (app/main.py runs Base.metadata.create_all). The first user to register +# becomes the superadmin (the instance owner), so no admin seeding is needed. +# +# The demo seed (seed_db.py) plants sample accounts and content for LOCAL +# DEVELOPMENT only. It is opt-in: set RUN_SEED=1 to enable it. Never set +# RUN_SEED=1 in production. +if [ "${RUN_SEED}" = "1" ]; then + echo "[entrypoint] RUN_SEED=1 -> running demo database seed..." + python seed_db.py +fi + echo "[entrypoint] Starting application..." exec "$@" diff --git a/backend/seed_db.py b/backend/seed_db.py index f49182e..ff6162c 100644 --- a/backend/seed_db.py +++ b/backend/seed_db.py @@ -1,4 +1,7 @@ """Seed database with initial data for multi-property system.""" +import os + +from app.core.config import settings from app.core.security import get_password_hash from app.db.session import Base, SessionLocal, engine from app.models.organization import Organization @@ -13,6 +16,20 @@ from app.models.user import User def seed_database() -> None: """Create initial data for testing multi-property system.""" + # Safety guard: refuse to plant demo accounts in production unless the + # operator explicitly opts in AND supplies non-default passwords via env. + if not settings.debug and os.getenv("ALLOW_PROD_SEED") != "1": + raise SystemExit( + "Refusing to seed in production (DEBUG=false). " + "Demo accounts use weak, public passwords. " + "Set ALLOW_PROD_SEED=1 and override ADMIN_PASSWORD/MANAGER_PASSWORD/USER_PASSWORD " + "if you really mean to." + ) + + admin_password = os.getenv("ADMIN_PASSWORD", "adminpassword") + manager_password = os.getenv("MANAGER_PASSWORD", "managerpassword") + user_password = os.getenv("USER_PASSWORD", "userpassword") + # Create tables Base.metadata.create_all(bind=engine) @@ -28,7 +45,7 @@ def seed_database() -> None: superadmin = User( email="admin@example.com", full_name="Super Admin", - hashed_password=get_password_hash("adminpassword"), + hashed_password=get_password_hash(admin_password), role="superadmin", organization="Management", is_active=True, @@ -39,7 +56,7 @@ def seed_database() -> None: manager = User( email="manager@example.com", full_name="Property Manager", - hashed_password=get_password_hash("managerpassword"), + hashed_password=get_password_hash(manager_password), role="manager", organization="Management", is_active=True, @@ -50,7 +67,7 @@ def seed_database() -> None: user = User( email="user@example.com", full_name="Regular User", - hashed_password=get_password_hash("userpassword"), + hashed_password=get_password_hash(user_password), role="user", organization="Engineering", is_active=True, @@ -160,9 +177,9 @@ def seed_database() -> None: db.commit() print("Database seeded successfully!") - print("Superadmin: admin@example.com / adminpassword") - print("Manager: manager@example.com / managerpassword") - print("User: user@example.com / userpassword") + print("Superadmin: admin@example.com (password from ADMIN_PASSWORD env)") + print("Manager: manager@example.com (password from MANAGER_PASSWORD env)") + print("User: user@example.com (password from USER_PASSWORD env)") print(f"Properties: '{prop1.name}' (public), '{prop2.name}' (private)") print(f"Organizations: '{org1.name}', '{org2.name}'") except Exception as e: diff --git a/frontend/src/views/Login.vue b/frontend/src/views/Login.vue index 545e8e9..808674c 100644 --- a/frontend/src/views/Login.vue +++ b/frontend/src/views/Login.vue @@ -41,12 +41,6 @@

Don't have an account? Register

- -
-

Demo Accounts:

-

Admin: admin@example.com / adminpassword

-

User: user@example.com / userpassword

-
@@ -129,24 +123,6 @@ h2 { text-decoration: underline; } -.demo-accounts { - margin-top: 2rem; - padding-top: 1.5rem; - border-top: 1px solid var(--color-border); - font-size: 0.9rem; - color: var(--color-text-secondary); -} - -.demo-title { - font-weight: 600; - margin-bottom: 0.5rem; - color: var(--color-text-primary); -} - -.demo-accounts p { - margin: 0.25rem 0; -} - .error { margin-top: 1rem; padding: 0.75rem;