feat(security): harden for production deployment

- auth: first registered user becomes superadmin (active immediately)
- entrypoint: no longer seeds demo data in prod (opt-in via RUN_SEED=1)
- config: refuse to boot in prod with weak/placeholder SECRET_KEY (<32 chars)
- main: restrict CORS to FRONTEND_URL only in prod (localhost dev-only)
- seed_db: block prod seeding, read passwords from env, stop printing them
- login: remove demo account credentials from UI

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Claude Agent
2026-06-25 19:44:20 +00:00
parent 953f3121cf
commit 7ce430cc1d
7 changed files with 94 additions and 37 deletions
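The backend hardening listed in the commit message (weak or placeholder SECRET_KEY refused in production, CORS limited to FRONTEND_URL in production, demo seeding blocked in production and opt-in elsewhere) as one settings validator. This is an added example, not code from this commit; the variable names APP_ENV, SECRET_KEY, FRONTEND_URL and RUN_SEED and the placeholder list are assumptions about the project's environment.

```python
import secrets
from typing import Optional

MIN_SECRET_KEY_LEN = 32  # the threshold named in the commit message
# Constructed list of placeholder values commonly shipped in .env templates.
PLACEHOLDER_KEYS = {"changeme", "secret", "dev-secret-key", "your-secret-key"}
# Assumed localhost origins allowed only outside production.
DEV_ORIGINS = ["http://localhost:5173", "http://localhost:3000"]


def generate_secret_key() -> str:
    """A replacement key that passes the checks below (64 url-safe chars)."""
    return secrets.token_urlsafe(48)


def secret_key_problems(key: Optional[str]) -> list:
    """Return every reason this SECRET_KEY must not be used in production."""
    if not key:
        return ["SECRET_KEY is unset"]
    problems = []
    if len(key) < MIN_SECRET_KEY_LEN:
        problems.append(f"SECRET_KEY shorter than {MIN_SECRET_KEY_LEN} chars")
    if key.strip().lower() in PLACEHOLDER_KEYS:
        problems.append("SECRET_KEY is a known placeholder value")
    return problems


def allowed_origins(env: dict) -> list:
    """Production: FRONTEND_URL only. Elsewhere: localhost dev origins as well."""
    frontend = env.get("FRONTEND_URL", "").rstrip("/")
    if env.get("APP_ENV") == "production":
        return [frontend] if frontend else []
    return DEV_ORIGINS + ([frontend] if frontend else [])


def seeding_allowed(env: dict) -> bool:
    """Demo seeding never runs in production; elsewhere only when RUN_SEED=1."""
    return env.get("APP_ENV") != "production" and env.get("RUN_SEED") == "1"


def production_boot_problems(env: dict) -> list:
    """Everything that should make the app refuse to start in production."""
    if env.get("APP_ENV") != "production":
        return []
    problems = secret_key_problems(env.get("SECRET_KEY"))
    if not allowed_origins(env):
        problems.append("FRONTEND_URL is unset; CORS would allow no origin")
    return problems
```

Call `production_boot_problems(dict(os.environ))` at startup and exit non-zero if the list is non-empty, so a misconfigured container fails fast instead of serving with a guessable key.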


@@ -41,12 +41,6 @@
<p class="register-link">
Don't have an account? <router-link to="/register">Register</router-link>
</p>
<div class="demo-accounts">
<p class="demo-title">Demo Accounts:</p>
<p><strong>Admin:</strong> admin@example.com / adminpassword</p>
<p><strong>User:</strong> user@example.com / userpassword</p>
</div>
</div>
</div>
</template>
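Review bot: removing the `demo-accounts` block from the login template hides the credentials but does not retire them; `admin@example.com / adminpassword` and `user@example.com / userpassword` stay in git history, and any deployment seeded before this commit still has accounts with those passwords. The seed_db change reading passwords from the environment covers new seeds only, so pair this with disabling or re-setting the existing demo accounts in already-deployed environments, and consider having the seed script refuse the old literal passwords even outside production.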
@@ -129,24 +123,6 @@ h2 {
text-decoration: underline;
}
.demo-accounts {
margin-top: 2rem;
padding-top: 1.5rem;
border-top: 1px solid var(--color-border);
font-size: 0.9rem;
color: var(--color-text-secondary);
}
.demo-title {
font-weight: 600;
margin-bottom: 0.5rem;
color: var(--color-text-primary);
}
.demo-accounts p {
margin: 0.25rem 0;
}
.error {
margin-top: 1rem;
padding: 0.75rem;
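Review bot: the dead-style cleanup (`.demo-accounts`, `.demo-title`, `.demo-accounts p`) matches the template removal in the first hunk and is style-only; a quick search for those selectors elsewhere in the frontend (other views, component tests) would confirm nothing still references them. No functional concern with this hunk.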