feat(security): harden for production deployment
- auth: first registered user becomes superadmin (active immediately) - entrypoint: no longer seeds demo data in prod (opt-in via RUN_SEED=1) - config: refuse to boot in prod with weak/placeholder SECRET_KEY (<32 chars) - main: restrict CORS to FRONTEND_URL only in prod (localhost dev-only) - seed_db: block prod seeding, read passwords from env, stop printing them - login: remove demo account credentials from UI Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
15
backend/entrypoint.sh
Normal file → Executable file
15
backend/entrypoint.sh
Normal file → Executable file
@@ -1,6 +1,17 @@
|
||||
#!/bin/bash
|
||||
set -e
|
||||
echo "[entrypoint] Running database seed..."
|
||||
python seed_db.py
|
||||
|
||||
# Database tables are created automatically on application startup
|
||||
# (app/main.py runs Base.metadata.create_all). The first user to register
|
||||
# becomes the superadmin (the instance owner), so no admin seeding is needed.
|
||||
#
|
||||
# The demo seed (seed_db.py) plants sample accounts and content for LOCAL
|
||||
# DEVELOPMENT only. It is opt-in: set RUN_SEED=1 to enable it. Never set
|
||||
# RUN_SEED=1 in production.
|
||||
if [ "${RUN_SEED}" = "1" ]; then
|
||||
echo "[entrypoint] RUN_SEED=1 -> running demo database seed..."
|
||||
python seed_db.py
|
||||
fi
|
||||
|
||||
echo "[entrypoint] Starting application..."
|
||||
exec "$@"
|
||||
|
||||
Reference in New Issue
Block a user