anti/DECNET
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix: harden startup security — require strong secrets, restrict CORS

Browse Source 
- decnet/env.py: DECNET_JWT_SECRET and DECNET_ADMIN_PASSWORD are now
  required env vars; startup raises ValueError if unset or set to a
  known-bad default ("admin", "password", etc.)
- decnet/env.py: add DECNET_CORS_ORIGINS (comma-separated, defaults to
  http://localhost:8080) replacing the previous allow_origins=["*"]
- decnet/web/api.py: use DECNET_CORS_ORIGINS and tighten allow_methods
  and allow_headers to explicit lists
- tests/conftest.py: set required env vars at module level so test
  collection works without real credentials
- tests/test_web_api.py, test_web_api_fuzz.py: use DECNET_ADMIN_PASSWORD
  from env instead of hardcoded "admin"

Closes DEBT-001, DEBT-002, DEBT-004
This commit is contained in:
anti
2026-04-09 12:13:22 -04:00
parent 29a2cf2738
commit b6b046c90b
5 changed files with 51 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
tests/test_web_api_fuzz.py
View File

@@ -8,6 +8,7 @@ import httpx
from decnet.web.api import app
from decnet.web.dependencies import repo
from decnet.env import DECNET_ADMIN_USER, DECNET_ADMIN_PASSWORD
# Re-use setup from test_web_api
@pytest.fixture(scope="function", autouse=True)
@@ -53,7 +54,7 @@ def test_fuzz_change_password(old_password: str, new_password: str) -> None:
"""Fuzz the change-password endpoint with random strings."""
with TestClient(app) as _client:
# Get valid token first
_login_resp: httpx.Response = _client.post("/api/v1/auth/login", json={"username": "admin", "password": "admin"})
_login_resp: httpx.Response = _client.post("/api/v1/auth/login", json={"username": DECNET_ADMIN_USER, "password": DECNET_ADMIN_PASSWORD})
_token: str = _login_resp.json()["access_token"]
_payload: dict[str, str] = {"old_password": old_password, "new_password": new_password}
@@ -76,7 +77,7 @@ def test_fuzz_change_password(old_password: str, new_password: str) -> None:
def test_fuzz_get_logs(limit: int, offset: int, search: Optional[str]) -> None:
"""Fuzz the logs pagination and search."""
with TestClient(app) as _client:
_login_resp: httpx.Response = _client.post("/api/v1/auth/login", json={"username": "admin", "password": "admin"})
_login_resp: httpx.Response = _client.post("/api/v1/auth/login", json={"username": DECNET_ADMIN_USER, "password": DECNET_ADMIN_PASSWORD})
_token: str = _login_resp.json()["access_token"]
_params: dict[str, Any] = {"limit": limit, "offset": offset}