feat(security): harden for production deployment

- auth: first registered user becomes superadmin (active immediately)
- entrypoint: no longer seeds demo data in prod (opt-in via RUN_SEED=1)
- config: refuse to boot in prod with weak/placeholder SECRET_KEY (<32 chars)
- main: restrict CORS to FRONTEND_URL only in prod (localhost dev-only)
- seed_db: block prod seeding, read passwords from env, stop printing them
- login: remove demo account credentials from UI

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Claude Agent
2026-06-25 19:44:20 +00:00
parent 953f3121cf
commit 7ce430cc1d
7 changed files with 94 additions and 37 deletions

View File

@@ -63,20 +63,31 @@ async def register(
if existing:
raise HTTPException(status_code=400, detail="Email already registered")
# Create user (inactive until verified)
# The very first user to register becomes the superadmin (the instance
# owner) and is activated immediately, so the platform can be bootstrapped
# without depending on email/SMTP delivery.
is_first_user = db.query(User).count() == 0
user = User(
email=data.email,
hashed_password=get_password_hash(data.password),
full_name=data.full_name,
organization=data.organization,
role="user", # Default role
is_active=False, # Inactive until email verified
role="superadmin" if is_first_user else "user",
is_active=is_first_user, # First user active immediately; others verify email
)
db.add(user)
db.commit()
db.refresh(user)
# First user is already active — no verification email needed.
if is_first_user:
return {
"message": "Admin account created. You can log in now.",
"email": user.email,
}
# Generate verification token (JWT, expires in 24h)
verification_token = jwt.encode(
{