Complete Section 1 security/auth hardening

2026-04-30 11:35:56 +07:00
parent 432ffbcdb9
commit 12d2d9458f
15 changed files with 863 additions and 232 deletions
--- a/app/main.py
+++ b/app/main.py
@@ -40,6 +40,33 @@ from app.routers import (
 settings = get_settings()


+def validate_security_config() -> None:
+    """
+    Enforce minimum security requirements for production deployments.
+    """
+    if settings.ENVIRONMENT != "production":
+        return
+
+    insecure_secret_values = {
+        "",
+        "dev-secret-key-change-in-production",
+        "your-secret-key-here-change-in-production",
+    }
+    if settings.SECRET_KEY in insecure_secret_values:
+        raise RuntimeError(
+            "In production, SECRET_KEY must be set to a strong non-default value."
+        )
+
+    if settings.ENABLE_ADMIN and (
+        not settings.ADMIN_USERNAME
+        or not settings.ADMIN_PASSWORD
+        or settings.ADMIN_PASSWORD == "change-me"
+    ):
+        raise RuntimeError(
+            "In production with ENABLE_ADMIN=true, ADMIN_USERNAME and ADMIN_PASSWORD must be configured securely."
+        )
+
+
@asynccontextmanager
 async def lifespan(app: FastAPI) -> AsyncGenerator[None, None]:
    """
@@ -47,6 +74,8 @@ async def lifespan(app: FastAPI) -> AsyncGenerator[None, None]:
    
    Handles startup and shutdown events.
    """
+    validate_security_config()
+
    # Startup: Initialize database
    await init_db()
    if settings.ENABLE_ADMIN: