feat(security): harden for production deployment

- auth: first registered user becomes superadmin (active immediately)
- entrypoint: no longer seeds demo data in prod (opt-in via RUN_SEED=1)
- config: refuse to boot in prod with weak/placeholder SECRET_KEY (<32 chars)
- main: restrict CORS to FRONTEND_URL only in prod (localhost dev-only)
- seed_db: block prod seeding, read passwords from env, stop printing them
- login: remove demo account credentials from UI

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

backend/.env.example

@@ -1,5 +1,7 @@
 # Application settings
 APP_NAME="Space Booking API"
+# DEBUG=true for local dev. In production set DEBUG=false — the app will then
+# REFUSE to start unless SECRET_KEY is changed from the default below.
 DEBUG=true
 
 # Database
@@ -26,7 +28,18 @@ GOOGLE_CLIENT_ID=your_google_client_id_here
 GOOGLE_CLIENT_SECRET=your_google_client_secret_here
 GOOGLE_REDIRECT_URI=http://localhost:8000/api/integrations/google/callback
 
+# Demo seed (LOCAL DEV ONLY). The entrypoint runs seed_db.py only when
+# RUN_SEED=1. It plants weak demo accounts/content — never set this in prod.
+# RUN_SEED=1
+# ADMIN_PASSWORD=
+# MANAGER_PASSWORD=
+# USER_PASSWORD=
+
 # === PRODUCTION (Dokploy) ===
+# Do NOT set RUN_SEED. Tables are auto-created on boot, and the FIRST user to
+# register becomes the superadmin (instance owner) — register your own account
+# first, immediately after deploy.
+# DEBUG=false
 # SECRET_KEY=<python -c "import secrets; print(secrets.token_hex(32))">
 # FRONTEND_URL=https://space.roa.romfast.ro
 # SMTP_ENABLED=true

backend/app/api/auth.py

@@ -63,20 +63,31 @@ async def register(
     if existing:
         raise HTTPException(status_code=400, detail="Email already registered")
 
-    # Create user (inactive until verified)
+    # The very first user to register becomes the superadmin (the instance
+    # owner) and is activated immediately, so the platform can be bootstrapped
+    # without depending on email/SMTP delivery.
+    is_first_user = db.query(User).count() == 0
+
     user = User(
         email=data.email,
         hashed_password=get_password_hash(data.password),
         full_name=data.full_name,
         organization=data.organization,
-        role="user",  # Default role
-        is_active=False,  # Inactive until email verified
+        role="superadmin" if is_first_user else "user",
+        is_active=is_first_user,  # First user active immediately; others verify email
     )
 
     db.add(user)
     db.commit()
     db.refresh(user)
 
+    # First user is already active — no verification email needed.
+    if is_first_user:
+        return {
+            "message": "Admin account created. You can log in now.",
+            "email": user.email,
+        }
+
     # Generate verification token (JWT, expires in 24h)
     verification_token = jwt.encode(
         {

backend/app/core/config.py

@@ -1,7 +1,19 @@
 """Application configuration."""
 from typing import List
+from pydantic import model_validator
 from pydantic_settings import BaseSettings, SettingsConfigDict
 
+DEFAULT_SECRET_KEY = "your-secret-key-change-in-production"
+
+# Known weak/placeholder secrets that must never reach production.
+WEAK_SECRET_KEYS = {
+    DEFAULT_SECRET_KEY,
+    "change-me-in-production",  # docker-compose fallback
+    "change-me",
+    "secret",
+    "changeme",
+}
+
 
 class Settings(BaseSettings):
     """Application settings."""
@@ -20,7 +32,7 @@ class Settings(BaseSettings):
     database_url: str = "sqlite:///./space_booking.db"
 
     # JWT
-    secret_key: str = "your-secret-key-change-in-production"
+    secret_key: str = DEFAULT_SECRET_KEY
     algorithm: str = "HS256"
     access_token_expire_minutes: int = 1440  # 24 hours
 
@@ -44,5 +56,17 @@ class Settings(BaseSettings):
         "https://www.googleapis.com/auth/calendar.events"
     ]
 
+    @model_validator(mode="after")
+    def _enforce_production_secrets(self) -> "Settings":
+        """Refuse to boot in production with a weak SECRET_KEY."""
+        if not self.debug:
+            if self.secret_key in WEAK_SECRET_KEYS or len(self.secret_key) < 32:
+                raise ValueError(
+                    "SECRET_KEY is weak or a placeholder. Set a strong, random value "
+                    "(>= 32 chars) before running in production (DEBUG=false). "
+                    "Generate one with: python -c \"import secrets; print(secrets.token_hex(32))\""
+                )
+        return self
+
 
 settings = Settings()

backend/app/main.py

@@ -35,9 +35,14 @@ Base.metadata.create_all(bind=engine)
 app = FastAPI(title=settings.app_name)
 
 # CORS middleware
+# In production only the configured frontend is allowed; localhost is dev-only.
+_allowed_origins = [settings.frontend_url]
+if settings.debug:
+    _allowed_origins.append("http://localhost:5173")
+
 app.add_middleware(
     CORSMiddleware,
-    allow_origins=[settings.frontend_url, "http://localhost:5173"],
+    allow_origins=_allowed_origins,
     allow_credentials=True,
     allow_methods=["*"],
     allow_headers=["*"],

backend/entrypoint.sh

@@ -1,6 +1,17 @@
 #!/bin/bash
 set -e
-echo "[entrypoint] Running database seed..."
+
+# Database tables are created automatically on application startup
+# (app/main.py runs Base.metadata.create_all). The first user to register
+# becomes the superadmin (the instance owner), so no admin seeding is needed.
+#
+# The demo seed (seed_db.py) plants sample accounts and content for LOCAL
+# DEVELOPMENT only. It is opt-in: set RUN_SEED=1 to enable it. Never set
+# RUN_SEED=1 in production.
+if [ "${RUN_SEED}" = "1" ]; then
+  echo "[entrypoint] RUN_SEED=1 -> running demo database seed..."
   python seed_db.py
+fi
+
 echo "[entrypoint] Starting application..."
 exec "$@"

backend/seed_db.py

@@ -1,4 +1,7 @@
 """Seed database with initial data for multi-property system."""
+import os
+
+from app.core.config import settings
 from app.core.security import get_password_hash
 from app.db.session import Base, SessionLocal, engine
 from app.models.organization import Organization
@@ -13,6 +16,20 @@ from app.models.user import User
 
 def seed_database() -> None:
     """Create initial data for testing multi-property system."""
+    # Safety guard: refuse to plant demo accounts in production unless the
+    # operator explicitly opts in AND supplies non-default passwords via env.
+    if not settings.debug and os.getenv("ALLOW_PROD_SEED") != "1":
+        raise SystemExit(
+            "Refusing to seed in production (DEBUG=false). "
+            "Demo accounts use weak, public passwords. "
+            "Set ALLOW_PROD_SEED=1 and override ADMIN_PASSWORD/MANAGER_PASSWORD/USER_PASSWORD "
+            "if you really mean to."
+        )
+
+    admin_password = os.getenv("ADMIN_PASSWORD", "adminpassword")
+    manager_password = os.getenv("MANAGER_PASSWORD", "managerpassword")
+    user_password = os.getenv("USER_PASSWORD", "userpassword")
+
     # Create tables
     Base.metadata.create_all(bind=engine)
 
@@ -28,7 +45,7 @@ def seed_database() -> None:
         superadmin = User(
             email="admin@example.com",
             full_name="Super Admin",
-            hashed_password=get_password_hash("adminpassword"),
+            hashed_password=get_password_hash(admin_password),
             role="superadmin",
             organization="Management",
             is_active=True,
@@ -39,7 +56,7 @@ def seed_database() -> None:
         manager = User(
             email="manager@example.com",
             full_name="Property Manager",
-            hashed_password=get_password_hash("managerpassword"),
+            hashed_password=get_password_hash(manager_password),
             role="manager",
             organization="Management",
             is_active=True,
@@ -50,7 +67,7 @@ def seed_database() -> None:
         user = User(
             email="user@example.com",
             full_name="Regular User",
-            hashed_password=get_password_hash("userpassword"),
+            hashed_password=get_password_hash(user_password),
             role="user",
             organization="Engineering",
             is_active=True,
@@ -160,9 +177,9 @@ def seed_database() -> None:
 
         db.commit()
         print("Database seeded successfully!")
-        print("Superadmin: admin@example.com / adminpassword")
-        print("Manager: manager@example.com / managerpassword")
-        print("User: user@example.com / userpassword")
+        print("Superadmin: admin@example.com (password from ADMIN_PASSWORD env)")
+        print("Manager: manager@example.com (password from MANAGER_PASSWORD env)")
+        print("User: user@example.com (password from USER_PASSWORD env)")
         print(f"Properties: '{prop1.name}' (public), '{prop2.name}' (private)")
         print(f"Organizations: '{org1.name}', '{org2.name}'")
     except Exception as e:

frontend/src/views/Login.vue

@@ -41,12 +41,6 @@
       <p class="register-link">
         Don't have an account? <router-link to="/register">Register</router-link>
       </p>
-
-      <div class="demo-accounts">
-        <p class="demo-title">Demo Accounts:</p>
-        <p><strong>Admin:</strong> admin@example.com / adminpassword</p>
-        <p><strong>User:</strong> user@example.com / userpassword</p>
-      </div>
     </div>
   </div>
 </template>
@@ -129,24 +123,6 @@ h2 {
   text-decoration: underline;
 }
 
-.demo-accounts {
-  margin-top: 2rem;
-  padding-top: 1.5rem;
-  border-top: 1px solid var(--color-border);
-  font-size: 0.9rem;
-  color: var(--color-text-secondary);
-}
-
-.demo-title {
-  font-weight: 600;
-  margin-bottom: 0.5rem;
-  color: var(--color-text-primary);
-}
-
-.demo-accounts p {
-  margin: 0.25rem 0;
-}
-
 .error {
   margin-top: 1rem;
   padding: 0.75rem;