feat(security): harden for production deployment
- auth: first registered user becomes superadmin (active immediately)
- entrypoint: no longer seeds demo data in prod (opt-in via RUN_SEED=1)
- config: refuse to boot in prod with weak/placeholder SECRET_KEY (<32 chars)
- main: restrict CORS to FRONTEND_URL only in prod (localhost dev-only)
- seed_db: block prod seeding, read passwords from env, stop printing them
- login: remove demo account credentials from UI

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
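The two config-side guards the commit message names (refuse to boot in prod on a weak or placeholder SECRET_KEY, and admit localhost as a CORS origin only in development) as a stand-alone Python example. This is added illustration, not the project's own `settings` code: the placeholder list, the `production` flag, the function names and the origin normalisation are assumptions of the example, and the exact-origin check on FRONTEND_URL is a caveat added here because CORS origin matching is a plain string comparison.

```python
from urllib.parse import urlsplit

# Constructed list of values that commonly ship in example .env files; the
# project's own placeholder check is not on the page, so this is an assumption.
PLACEHOLDER_SECRETS = {"changeme", "secret", "your-secret-key", "dev", "replace-me"}
MIN_SECRET_KEY_LEN = 32  # threshold stated in the commit message
DEV_ORIGIN = "http://localhost:5173"  # the dev origin used in the patched main.py


class ConfigError(ValueError):
    """Raised to refuse boot when production settings are unsafe."""


def check_secret_key(secret_key: str, production: bool) -> None:
    """Refuse placeholder or short keys in production; no-op in development."""
    if not production:
        return
    key = (secret_key or "").strip()
    if key.lower() in PLACEHOLDER_SECRETS:
        raise ConfigError("SECRET_KEY is a placeholder value; set a real key")
    if len(key) < MIN_SECRET_KEY_LEN:
        raise ConfigError(
            f"SECRET_KEY must be at least {MIN_SECRET_KEY_LEN} characters in production"
        )


def normalise_origin(url: str) -> str:
    """Return scheme://host[:port] and reject anything that is not a bare origin.

    Browsers send Origin as scheme://host[:port] and CORSMiddleware compares that
    string exactly, so a FRONTEND_URL with a trailing slash or path would never
    match and the frontend would break at runtime instead of at boot.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ConfigError(f"FRONTEND_URL is not an absolute http(s) URL: {url!r}")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ConfigError(f"FRONTEND_URL must be a bare origin without a path: {url!r}")
    return f"{parts.scheme}://{parts.netloc}"


def build_cors_origins(frontend_url: str, production: bool, debug: bool) -> list[str]:
    """Allowed-origin list: the configured frontend, plus localhost only when
    debug is on AND the deployment is not production (an explicit environment
    flag is an assumption here; the hunk keys on settings.debug alone)."""
    origins = [normalise_origin(frontend_url)]
    if debug and not production and DEV_ORIGIN not in origins:
        origins.append(DEV_ORIGIN)
    return origins


def validate_startup(secret_key: str, frontend_url: str, production: bool, debug: bool) -> list[str]:
    """Run both guards in the order a settings module would at import time."""
    check_secret_key(secret_key, production)
    return build_cors_origins(frontend_url, production, debug)


if __name__ == "__main__":
    # Constructed sample values standing in for environment variables.
    print(validate_startup("k" * 40, "https://app.example/", production=True, debug=False))
```

`validate_startup` is meant to run where `settings` is constructed so that a bad key or a malformed FRONTEND_URL stops the process before the app binds a port; the sample call returns `['https://app.example']` with the trailing slash stripped.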
@@ -35,9 +35,14 @@ Base.metadata.create_all(bind=engine)
app = FastAPI(title=settings.app_name)
# CORS middleware
# In production only the configured frontend is allowed; localhost is dev-only.
_allowed_origins = [settings.frontend_url]
if settings.debug:
_allowed_origins.append("http://localhost:5173")
app.add_middleware(
CORSMiddleware,
allow_origins=[settings.frontend_url, "http://localhost:5173"],
allow_origins=_allowed_origins,
allow_credentials=True,
allow_methods=["*"],
allow_headers=["*"],
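Review bot: the prod/dev split in this hunk keys on `settings.debug` rather than on an explicit environment setting, so a production deployment that leaves debug enabled silently re-admits `http://localhost:5173` as a credentialed origin (`allow_credentials=True`); gate the `_allowed_origins.append(...)` on a production flag as well as `debug`, ideally the same check that refuses a weak SECRET_KEY. Also worth noting that `settings.frontend_url` must be an exact origin (scheme, host, port, no trailing slash or path), because CORSMiddleware matches `allow_origins` by plain string comparison: a `FRONTEND_URL` such as `https://app.example/` would fail every preflight at runtime rather than being rejected at boot, so validating or normalising it in config would match the intent of the other startup guards.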