feat(security): harden for production deployment

- auth: first registered user becomes superadmin (active immediately)
- entrypoint: no longer seeds demo data in prod (opt-in via RUN_SEED=1)
- config: refuse to boot in prod with weak/placeholder SECRET_KEY (<32 chars)
- main: restrict CORS to FRONTEND_URL only in prod (localhost dev-only)
- seed_db: block prod seeding, read passwords from env, stop printing them
- login: remove demo account credentials from UI

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Claude Agent
2026-06-25 19:44:20 +00:00
parent 953f3121cf
commit 7ce430cc1d
7 changed files with 94 additions and 37 deletions

View File

@@ -63,20 +63,31 @@ async def register(
if existing:
raise HTTPException(status_code=400, detail="Email already registered")
# Create user (inactive until verified)
# The very first user to register becomes the superadmin (the instance
# owner) and is activated immediately, so the platform can be bootstrapped
# without depending on email/SMTP delivery.
is_first_user = db.query(User).count() == 0
user = User(
email=data.email,
hashed_password=get_password_hash(data.password),
full_name=data.full_name,
organization=data.organization,
role="user", # Default role
is_active=False, # Inactive until email verified
role="superadmin" if is_first_user else "user",
is_active=is_first_user, # First user active immediately; others verify email
)
db.add(user)
db.commit()
db.refresh(user)
# First user is already active — no verification email needed.
if is_first_user:
return {
"message": "Admin account created. You can log in now.",
"email": user.email,
}
# Generate verification token (JWT, expires in 24h)
verification_token = jwt.encode(
{

View File

@@ -1,7 +1,19 @@
"""Application configuration."""
from typing import List
from pydantic import model_validator
from pydantic_settings import BaseSettings, SettingsConfigDict
DEFAULT_SECRET_KEY = "your-secret-key-change-in-production"
# Known weak/placeholder secrets that must never reach production.
WEAK_SECRET_KEYS = {
DEFAULT_SECRET_KEY,
"change-me-in-production", # docker-compose fallback
"change-me",
"secret",
"changeme",
}
class Settings(BaseSettings):
"""Application settings."""
@@ -20,7 +32,7 @@ class Settings(BaseSettings):
database_url: str = "sqlite:///./space_booking.db"
# JWT
secret_key: str = "your-secret-key-change-in-production"
secret_key: str = DEFAULT_SECRET_KEY
algorithm: str = "HS256"
access_token_expire_minutes: int = 1440 # 24 hours
@@ -44,5 +56,17 @@ class Settings(BaseSettings):
"https://www.googleapis.com/auth/calendar.events"
]
@model_validator(mode="after")
def _enforce_production_secrets(self) -> "Settings":
"""Refuse to boot in production with a weak SECRET_KEY."""
if not self.debug:
if self.secret_key in WEAK_SECRET_KEYS or len(self.secret_key) < 32:
raise ValueError(
"SECRET_KEY is weak or a placeholder. Set a strong, random value "
"(>= 32 chars) before running in production (DEBUG=false). "
"Generate one with: python -c \"import secrets; print(secrets.token_hex(32))\""
)
return self
settings = Settings()

View File

@@ -35,9 +35,14 @@ Base.metadata.create_all(bind=engine)
app = FastAPI(title=settings.app_name)
# CORS middleware
# In production only the configured frontend is allowed; localhost is dev-only.
_allowed_origins = [settings.frontend_url]
if settings.debug:
_allowed_origins.append("http://localhost:5173")
app.add_middleware(
CORSMiddleware,
allow_origins=[settings.frontend_url, "http://localhost:5173"],
allow_origins=_allowed_origins,
allow_credentials=True,
allow_methods=["*"],
allow_headers=["*"],