mirror of
https://github.com/escalante29/WealthySmart.git
synced 2026-07-17 10:08:46 +02:00
Fail fast on missing or weak auth secrets; 7-day tokens
SECRET_KEY, ADMIN_USERNAME, and ADMIN_PASSWORD no longer have working defaults: the backend refuses to boot if they are unset, default, or weak (SEC-01). Token expiry drops from 30 to 7 days (SEC-05). New COOKIE_SECURE (default true) and CORS_ORIGINS settings. Dev compose now sources credentials from .env with required-var errors instead of hardcoding them (ARCH-14); .env.example documents the template. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
This commit is contained in:
26
.env.example
Normal file
26
.env.example
Normal file
@@ -0,0 +1,26 @@
|
|||||||
|
# WealthySmart environment template.
|
||||||
|
# Copy to .env for local development. Production values live in Gitea Actions
|
||||||
|
# secrets and are written to .env.prod by .github/workflows/deploy.yml on every
|
||||||
|
# deploy — new variables must be added BOTH there and here.
|
||||||
|
|
||||||
|
# ── Database (dev compose; must match the wealthysmart-db-dev volume) ────────
|
||||||
|
POSTGRES_USER=wealthy_user
|
||||||
|
POSTGRES_PASSWORD=wealthy_pass
|
||||||
|
POSTGRES_DB=wealthysmart
|
||||||
|
|
||||||
|
# ── Auth (REQUIRED — the backend refuses to boot without these) ──────────────
|
||||||
|
# Generate with: openssl rand -hex 32
|
||||||
|
SECRET_KEY=
|
||||||
|
ADMIN_USERNAME=admin
|
||||||
|
# Must not be "admin".
|
||||||
|
ADMIN_PASSWORD=
|
||||||
|
# Cookies require HTTPS when true. Set false for local HTTP development.
|
||||||
|
COOKIE_SECURE=false
|
||||||
|
|
||||||
|
# ── Push notifications (optional in dev) ─────────────────────────────────────
|
||||||
|
VAPID_PRIVATE_KEY=
|
||||||
|
VAPID_PUBLIC_KEY=
|
||||||
|
|
||||||
|
# ── AI agent (optional in dev; Asistente won't work without it) ──────────────
|
||||||
|
OPENAI_API_KEY=
|
||||||
|
AGENT_MODEL=gpt-5.4-mini
|
||||||
@@ -13,6 +13,10 @@ Personal finance management web app.
|
|||||||
cd frontend && pnpm install && pnpm run dev
|
cd frontend && pnpm install && pnpm run dev
|
||||||
```
|
```
|
||||||
|
|
||||||
|
The backend refuses to boot without `SECRET_KEY`, `ADMIN_USERNAME`, and
|
||||||
|
`ADMIN_PASSWORD` (no insecure defaults). Copy `.env.example` to `.env` and fill
|
||||||
|
it in; the dev docker-compose reads it.
|
||||||
|
|
||||||
## Local Docker
|
## Local Docker
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
|
|||||||
@@ -1,12 +1,19 @@
|
|||||||
|
from pydantic import model_validator
|
||||||
from pydantic_settings import BaseSettings
|
from pydantic_settings import BaseSettings
|
||||||
|
|
||||||
|
|
||||||
class Settings(BaseSettings):
|
class Settings(BaseSettings):
|
||||||
DATABASE_URL: str = "postgresql://wealthy_user:wealthy_pass@db:5432/wealthysmart"
|
DATABASE_URL: str = "postgresql://wealthy_user:wealthy_pass@db:5432/wealthysmart"
|
||||||
SECRET_KEY: str = "change-me-in-production"
|
# No defaults: the app must refuse to boot without real values (see _reject_weak_secrets).
|
||||||
ACCESS_TOKEN_EXPIRE_MINUTES: int = 60 * 24 * 30 # 30 days
|
SECRET_KEY: str
|
||||||
ADMIN_USERNAME: str = "admin"
|
ADMIN_USERNAME: str
|
||||||
ADMIN_PASSWORD: str = "admin"
|
ADMIN_PASSWORD: str
|
||||||
|
ACCESS_TOKEN_EXPIRE_MINUTES: int = 60 * 24 * 7 # 7 days
|
||||||
|
COOKIE_SECURE: bool = True # dev compose sets "false"; prod serves over TLS
|
||||||
|
CORS_ORIGINS: str = (
|
||||||
|
"https://wealth.cescalante.dev,"
|
||||||
|
"http://localhost:3000,http://localhost:3001,http://localhost:5175"
|
||||||
|
)
|
||||||
BCCR_API_EMAIL: str = ""
|
BCCR_API_EMAIL: str = ""
|
||||||
BCCR_API_TOKEN: str = ""
|
BCCR_API_TOKEN: str = ""
|
||||||
VAPID_PRIVATE_KEY: str = ""
|
VAPID_PRIVATE_KEY: str = ""
|
||||||
@@ -15,6 +22,23 @@ class Settings(BaseSettings):
|
|||||||
OPENAI_API_KEY: str = ""
|
OPENAI_API_KEY: str = ""
|
||||||
AGENT_MODEL: str = "gpt-5.4-mini"
|
AGENT_MODEL: str = "gpt-5.4-mini"
|
||||||
|
|
||||||
|
@property
|
||||||
|
def cors_origins_list(self) -> list[str]:
|
||||||
|
return [o.strip() for o in self.CORS_ORIGINS.split(",") if o.strip()]
|
||||||
|
|
||||||
|
@model_validator(mode="after")
|
||||||
|
def _reject_weak_secrets(self) -> "Settings":
|
||||||
|
if len(self.SECRET_KEY) < 32 or self.SECRET_KEY == "change-me-in-production":
|
||||||
|
raise ValueError(
|
||||||
|
"SECRET_KEY must be a random value of at least 32 characters "
|
||||||
|
"(generate one with: openssl rand -hex 32)"
|
||||||
|
)
|
||||||
|
if not self.ADMIN_USERNAME:
|
||||||
|
raise ValueError("ADMIN_USERNAME must be set")
|
||||||
|
if not self.ADMIN_PASSWORD or self.ADMIN_PASSWORD == "admin":
|
||||||
|
raise ValueError("ADMIN_PASSWORD must be set and must not be 'admin'")
|
||||||
|
return self
|
||||||
|
|
||||||
class Config:
|
class Config:
|
||||||
env_file = ".env"
|
env_file = ".env"
|
||||||
|
|
||||||
|
|||||||
@@ -3,15 +3,15 @@ services:
|
|||||||
image: postgres:16-alpine
|
image: postgres:16-alpine
|
||||||
container_name: wealthysmart-db-dev
|
container_name: wealthysmart-db-dev
|
||||||
environment:
|
environment:
|
||||||
POSTGRES_USER: wealthy_user
|
POSTGRES_USER: ${POSTGRES_USER:?set POSTGRES_USER in .env}
|
||||||
POSTGRES_PASSWORD: wealthy_pass
|
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?set POSTGRES_PASSWORD in .env}
|
||||||
POSTGRES_DB: wealthysmart
|
POSTGRES_DB: ${POSTGRES_DB:?set POSTGRES_DB in .env}
|
||||||
ports:
|
ports:
|
||||||
- "5433:5432"
|
- "5433:5432"
|
||||||
volumes:
|
volumes:
|
||||||
- postgres_data:/var/lib/postgresql/data
|
- postgres_data:/var/lib/postgresql/data
|
||||||
healthcheck:
|
healthcheck:
|
||||||
test: ["CMD-SHELL", "pg_isready -U wealthy_user -d wealthysmart"]
|
test: ["CMD-SHELL", "pg_isready -U ${POSTGRES_USER} -d ${POSTGRES_DB}"]
|
||||||
interval: 5s
|
interval: 5s
|
||||||
timeout: 3s
|
timeout: 3s
|
||||||
retries: 5
|
retries: 5
|
||||||
@@ -22,7 +22,11 @@ services:
|
|||||||
dockerfile: Dockerfile
|
dockerfile: Dockerfile
|
||||||
container_name: wealthysmart-backend-dev
|
container_name: wealthysmart-backend-dev
|
||||||
environment:
|
environment:
|
||||||
DATABASE_URL: postgresql://wealthy_user:wealthy_pass@db:5432/wealthysmart
|
DATABASE_URL: postgresql://${POSTGRES_USER:?}:${POSTGRES_PASSWORD:?}@db:5432/${POSTGRES_DB:?}
|
||||||
|
SECRET_KEY: ${SECRET_KEY:?set SECRET_KEY in .env (openssl rand -hex 32)}
|
||||||
|
ADMIN_USERNAME: ${ADMIN_USERNAME:?set ADMIN_USERNAME in .env}
|
||||||
|
ADMIN_PASSWORD: ${ADMIN_PASSWORD:?set ADMIN_PASSWORD in .env}
|
||||||
|
COOKIE_SECURE: "false"
|
||||||
VAPID_PRIVATE_KEY: ${VAPID_PRIVATE_KEY:-}
|
VAPID_PRIVATE_KEY: ${VAPID_PRIVATE_KEY:-}
|
||||||
VAPID_PUBLIC_KEY: ${VAPID_PUBLIC_KEY:-}
|
VAPID_PUBLIC_KEY: ${VAPID_PUBLIC_KEY:-}
|
||||||
OPENAI_API_KEY: ${OPENAI_API_KEY:-}
|
OPENAI_API_KEY: ${OPENAI_API_KEY:-}
|
||||||
|
|||||||
Reference in New Issue
Block a user