feat(security): harden for production deployment
- auth: first registered user becomes superadmin (active immediately) - entrypoint: no longer seeds demo data in prod (opt-in via RUN_SEED=1) - config: refuse to boot in prod with weak/placeholder SECRET_KEY (<32 chars) - main: restrict CORS to FRONTEND_URL only in prod (localhost dev-only) - seed_db: block prod seeding, read passwords from env, stop printing them - login: remove demo account credentials from UI Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
@@ -63,20 +63,31 @@ async def register(
|
||||
if existing:
|
||||
raise HTTPException(status_code=400, detail="Email already registered")
|
||||
|
||||
# Create user (inactive until verified)
|
||||
# The very first user to register becomes the superadmin (the instance
|
||||
# owner) and is activated immediately, so the platform can be bootstrapped
|
||||
# without depending on email/SMTP delivery.
|
||||
is_first_user = db.query(User).count() == 0
|
||||
|
||||
user = User(
|
||||
email=data.email,
|
||||
hashed_password=get_password_hash(data.password),
|
||||
full_name=data.full_name,
|
||||
organization=data.organization,
|
||||
role="user", # Default role
|
||||
is_active=False, # Inactive until email verified
|
||||
role="superadmin" if is_first_user else "user",
|
||||
is_active=is_first_user, # First user active immediately; others verify email
|
||||
)
|
||||
|
||||
db.add(user)
|
||||
db.commit()
|
||||
db.refresh(user)
|
||||
|
||||
# First user is already active — no verification email needed.
|
||||
if is_first_user:
|
||||
return {
|
||||
"message": "Admin account created. You can log in now.",
|
||||
"email": user.email,
|
||||
}
|
||||
|
||||
# Generate verification token (JWT, expires in 24h)
|
||||
verification_token = jwt.encode(
|
||||
{
|
||||
|
||||
@@ -1,7 +1,19 @@
|
||||
"""Application configuration."""
|
||||
from typing import List
|
||||
from pydantic import model_validator
|
||||
from pydantic_settings import BaseSettings, SettingsConfigDict
|
||||
|
||||
DEFAULT_SECRET_KEY = "your-secret-key-change-in-production"
|
||||
|
||||
# Known weak/placeholder secrets that must never reach production.
|
||||
WEAK_SECRET_KEYS = {
|
||||
DEFAULT_SECRET_KEY,
|
||||
"change-me-in-production", # docker-compose fallback
|
||||
"change-me",
|
||||
"secret",
|
||||
"changeme",
|
||||
}
|
||||
|
||||
|
||||
class Settings(BaseSettings):
|
||||
"""Application settings."""
|
||||
@@ -20,7 +32,7 @@ class Settings(BaseSettings):
|
||||
database_url: str = "sqlite:///./space_booking.db"
|
||||
|
||||
# JWT
|
||||
secret_key: str = "your-secret-key-change-in-production"
|
||||
secret_key: str = DEFAULT_SECRET_KEY
|
||||
algorithm: str = "HS256"
|
||||
access_token_expire_minutes: int = 1440 # 24 hours
|
||||
|
||||
@@ -44,5 +56,17 @@ class Settings(BaseSettings):
|
||||
"https://www.googleapis.com/auth/calendar.events"
|
||||
]
|
||||
|
||||
@model_validator(mode="after")
|
||||
def _enforce_production_secrets(self) -> "Settings":
|
||||
"""Refuse to boot in production with a weak SECRET_KEY."""
|
||||
if not self.debug:
|
||||
if self.secret_key in WEAK_SECRET_KEYS or len(self.secret_key) < 32:
|
||||
raise ValueError(
|
||||
"SECRET_KEY is weak or a placeholder. Set a strong, random value "
|
||||
"(>= 32 chars) before running in production (DEBUG=false). "
|
||||
"Generate one with: python -c \"import secrets; print(secrets.token_hex(32))\""
|
||||
)
|
||||
return self
|
||||
|
||||
|
||||
settings = Settings()
|
||||
|
||||
@@ -35,9 +35,14 @@ Base.metadata.create_all(bind=engine)
|
||||
app = FastAPI(title=settings.app_name)
|
||||
|
||||
# CORS middleware
|
||||
# In production only the configured frontend is allowed; localhost is dev-only.
|
||||
_allowed_origins = [settings.frontend_url]
|
||||
if settings.debug:
|
||||
_allowed_origins.append("http://localhost:5173")
|
||||
|
||||
app.add_middleware(
|
||||
CORSMiddleware,
|
||||
allow_origins=[settings.frontend_url, "http://localhost:5173"],
|
||||
allow_origins=_allowed_origins,
|
||||
allow_credentials=True,
|
||||
allow_methods=["*"],
|
||||
allow_headers=["*"],
|
||||
|
||||
Reference in New Issue
Block a user