🔒️ Ensure the default values of "changethis" are not deployed (#698)

2024-03-12 19:57:02 +01:00
parent 6ed353a072
commit c2555c363f
1 changed files with 23 additions and 1 deletions
--- a/backend/app/core/config.py
+++ b/backend/app/core/config.py
@@ -1,4 +1,5 @@
 import secrets
+import warnings
 from typing import Annotated, Any, Literal

 from pydantic import (
@@ -76,7 +77,7 @@ class Settings(BaseSettings):
    EMAILS_FROM_NAME: str | None = None

    @model_validator(mode="after")
-    def set_default_emails_from(self) -> Self:
+    def _set_default_emails_from(self) -> Self:
        if not self.EMAILS_FROM_NAME:
            self.EMAILS_FROM_NAME = self.PROJECT_NAME
        return self
@@ -95,5 +96,26 @@ class Settings(BaseSettings):
    FIRST_SUPERUSER_PASSWORD: str
    USERS_OPEN_REGISTRATION: bool = False

+    def _check_default_secret(self, var_name: str, value: str | None) -> None:
+        if value == "changethis":
+            message = (
+                f'The value of {var_name} is "changethis", '
+                "for security, please change it, at least for deployments."
+            )
+            if self.ENVIRONMENT == "local":
+                warnings.warn(message, stacklevel=1)
+            else:
+                raise ValueError(message)
+
+    @model_validator(mode="after")
+    def _enforce_non_default_secrets(self) -> Self:
+        self._check_default_secret("SECRET_KEY", self.SECRET_KEY)
+        self._check_default_secret("POSTGRES_PASSWORD", self.POSTGRES_PASSWORD)
+        self._check_default_secret(
+            "FIRST_SUPERUSER_PASSWORD", self.FIRST_SUPERUSER_PASSWORD
+        )
+
+        return self
+

 settings = Settings()  # type: ignore