fix: harden startup security — require strong secrets, restrict CORS
- decnet/env.py: DECNET_JWT_SECRET and DECNET_ADMIN_PASSWORD are now
required env vars; startup raises ValueError if unset or set to a
known-bad default ("admin", "password", etc.)
- decnet/env.py: add DECNET_CORS_ORIGINS (comma-separated, defaults to
http://localhost:8080) replacing the previous allow_origins=["*"]
- decnet/web/api.py: use DECNET_CORS_ORIGINS and tighten allow_methods
and allow_headers to explicit lists
- tests/conftest.py: set required env vars at module level so test
collection works without real credentials
- tests/test_web_api.py, test_web_api_fuzz.py: use DECNET_ADMIN_PASSWORD
from env instead of hardcoded "admin"
Closes DEBT-001, DEBT-002, DEBT-004
tests/conftest.py (normal file, 11 lines added)
@@ -0,0 +1,11 @@
|
||||
"""
|
||||
Shared pytest configuration.
|
||||
|
||||
Env vars required by decnet.env must be set here, at module level, before
|
||||
any test file imports decnet.* — pytest loads conftest.py first.
|
||||
"""
|
||||
import os
|
||||
|
||||
os.environ.setdefault("DECNET_JWT_SECRET", "test-jwt-secret-not-for-production-use")
|
||||
os.environ.setdefault("DECNET_ADMIN_PASSWORD", "test-admin-password-1234!")
|
||||
os.environ.setdefault("DECNET_ADMIN_USER", "admin")
|
||||
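Review bot: the three `os.environ.setdefault(...)` calls keep whatever DECNET_JWT_SECRET / DECNET_ADMIN_PASSWORD / DECNET_ADMIN_USER are already exported in the developer's or CI shell, so a real secret present in the environment would silently be used by the test suite, and a pre-existing weak value (for example "admin", which decnet.env now rejects) would make decnet.env raise ValueError and break test collection. Since the docstring says these must be in place before decnet.* is imported, a `monkeypatch.setenv` fixture is too late; assign unconditionally instead (`os.environ["DECNET_JWT_SECRET"] = "test-jwt-secret-not-for-production-use"` and likewise for the other two) and say in the docstring that test values deliberately override the ambient environment.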