chore: implement security best practices (non-root Docker, configurable CORS, sanitized logs)

Author: RinZ27

Dockerfile

@@ -38,20 +38,30 @@ RUN apt-get update \
     libpq5 \
     && rm -rf /var/lib/apt/lists/*
 
+# Create a non-root user
+RUN groupadd -r appuser && useradd -r -g appuser appuser
+
 # Set the working directory
 WORKDIR /app
 
 # Copy virtual environment from builder
 COPY --from=builder /app/.venv /app/.venv
 
-# Copy application code
-COPY --from=builder /app/intentkit /app/intentkit
-COPY --from=builder /app/app /app/app
-COPY --from=builder /app/scripts /app/scripts
+# Copy application code with correct ownership
+COPY --from=builder --chown=appuser:appuser /app/intentkit /app/intentkit
+COPY --from=builder --chown=appuser:appuser /app/app /app/app
+COPY --from=builder --chown=appuser:appuser /app/scripts /app/scripts
+
+# Switch to non-root user
+USER appuser
 
 ARG RELEASE=local
 ENV RELEASE=$RELEASE
 ENV PATH="/app/.venv/bin:$PATH"
 
+# Create a non-root user for better security
+RUN useradd -ms /bin/bash appuser && chown -R appuser:appuser /app
+USER appuser
+
 # Command to run the application
 CMD ["uvicorn", "app.api:app", "--host", "0.0.0.0", "--port", "80"]

app/api.py

@@ -114,7 +114,7 @@ def _load_agent_api_docs() -> str:
 # Add CORS middleware to the Agent API sub-application
 _ = agent_app.add_middleware(
     CORSMiddleware,
-    allow_origins=["*"],  # Allows all origins
+    allow_origins=config.cors_allow_origins,  # Allows configured origins
     allow_methods=["*"],  # Allows all methods
     allow_headers=["*"],  # Allows all headers
 )
@@ -187,7 +187,7 @@ async def lifespan(app: FastAPI):
 # Add CORS middleware
 _ = app.add_middleware(
     CORSMiddleware,
-    allow_origins=["*"],  # Allows all origins
+    allow_origins=config.cors_allow_origins,  # Allows configured origins
     allow_methods=["*"],  # Allows all methods
     allow_headers=["*"],  # Allows all headers
 )

docs/go.mod

@@ -1,7 +1,3 @@
 module github.com/crestalnetwork/intentkit/docs
 
 go 1.22
-
-require (
-	github.com/imfing/hextra v0.11.1 // indirect
-)

docs/go.sum

@@ -1,2 +0,0 @@
-github.com/imfing/hextra v0.11.1 h1:8pTc4ReYbzGTHAnyiebmlT3ijFfIXiGu1r7tM/UGjFI=
-github.com/imfing/hextra v0.11.1/go.mod h1:cEfel3lU/bSx7lTE/+uuR4GJaphyOyiwNR3PTqFTXpI=

integrations/telegram/go.sum

@@ -1,5 +1,3 @@
-filippo.io/edwards25519 v1.1.0 h1:FNf4tywRC1HmFuKW5xopWpigGjJKiJSV0Cqo0cJWDaA=
-filippo.io/edwards25519 v1.1.0/go.mod h1:BxyFTGdWcka3PhytdK4V28tE5sGfRvvvRV7EaN4VDT4=
 filippo.io/edwards25519 v1.2.0 h1:crnVqOiS4jqYleHd9vaKZ+HKtHfllngJIiOpNpoJsjo=
 filippo.io/edwards25519 v1.2.0/go.mod h1:xzAOLCNug/yB62zG1bQ8uziwrIqIuxhctzJT18Q77mc=
 github.com/andybalholm/brotli v1.2.0 h1:ukwgCxwYrmACq68yiUqwIWnGY0cTPox/M94sVwToPjQ=
@@ -16,8 +14,6 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/go-resty/resty/v2 v2.17.1 h1:x3aMpHK1YM9e4va/TMDRlusDDoZiQ+ViDu/WpA6xTM4=
-github.com/go-resty/resty/v2 v2.17.1/go.mod h1:kCKZ3wWmwJaNc7S29BRtUhJwy7iqmn+2mLtQrOyQlVA=
 github.com/go-resty/resty/v2 v2.17.2 h1:FQW5oHYcIlkCNrMD2lloGScxcHJ0gkjshV3qcQAyHQk=
 github.com/go-resty/resty/v2 v2.17.2/go.mod h1:kCKZ3wWmwJaNc7S29BRtUhJwy7iqmn+2mLtQrOyQlVA=
 github.com/go-sql-driver/mysql v1.9.3 h1:U/N249h2WzJ3Ukj8SowVFjdtZKfu9vlLZxjPXV1aweo=
@@ -32,7 +28,6 @@ github.com/grbit/go-json v0.11.0 h1:bAbyMdYrYl/OjYsSqLH99N2DyQ291mHy726Mx+sYrnc=
 github.com/grbit/go-json v0.11.0/go.mod h1:IYpHsdybQ386+6g3VE6AXQ3uTGa5mquBme5/ZWmtzek=
 github.com/hack-fan/config v0.0.0-20200528030741-0a9be90586b6 h1:AoJN0N5BcQtK9JBPEFC+Qb06R6Hd6ML3VIVkYCdzknM=
 github.com/hack-fan/config v0.0.0-20200528030741-0a9be90586b6/go.mod h1:pNBw7sPcXydnQFm0YXMynTZdFqKXtFetAL2cy6DulLM=
-github.com/iancoleman/strcase v0.0.0-20191112232945-16388991a334 h1:VHgatEHNcBFEB7inlalqfNqw65aNkM1lGX2yt3NmbS8=
 github.com/iancoleman/strcase v0.0.0-20191112232945-16388991a334/go.mod h1:SK73tn/9oHe+/Y0h39VT4UCxmurVJkR5NA7kMEAOgSE=
 github.com/iancoleman/strcase v0.3.0 h1:nTXanmYxhfFAMjZL34Ov6gkzEsSJZ5DbhxWjvSASxEI=
 github.com/iancoleman/strcase v0.3.0/go.mod h1:iwCmte+B7n89clKwxIoIXy/HfoL7AsD47ZCWhYzw7ho=
@@ -89,8 +84,6 @@ github.com/valyala/bytebufferpool v1.0.0 h1:GqA5TC/0021Y/b9FG4Oi9Mr3q7XYx6Kllzaw
 github.com/valyala/bytebufferpool v1.0.0/go.mod h1:6bBcMArwyJ5K/AmCkWv1jt77kVWyCJ6HpOuEn7z0Csc=
 github.com/valyala/fasthttp v1.69.0 h1:fNLLESD2SooWeh2cidsuFtOcrEi4uB4m1mPrkJMZyVI=
 github.com/valyala/fasthttp v1.69.0/go.mod h1:4wA4PfAraPlAsJ5jMSqCE2ug5tqUPwKXxVj8oNECGcw=
-github.com/valyala/fastjson v1.6.7 h1:ZE4tRy0CIkh+qDc5McjatheGX2czdn8slQjomexVpBM=
-github.com/valyala/fastjson v1.6.7/go.mod h1:CLCAqky6SMuOcxStkYQvblddUtoRxhYMGLrsQns1aXY=
 github.com/valyala/fastjson v1.6.10 h1:/yjJg8jaVQdYR3arGxPE2X5z89xrlhS0eGXdv+ADTh4=
 github.com/valyala/fastjson v1.6.10/go.mod h1:e6FubmQouUNP73jtMLmcbxS6ydWIpOfhz34TSfO3JaE=
 github.com/xyproto/randomstring v1.0.5 h1:YtlWPoRdgMu3NZtP45drfy1GKoojuR7hmRcnhZqKjWU=
@@ -115,7 +108,6 @@ gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
-gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=

intentkit/config/config.py

@@ -114,6 +114,11 @@ def __init__(self) -> None:
         self.open_api_base_url: str = self.load(
             "OPEN_API_BASE_URL", "http://localhost:8000"
         )
+        # CORS
+        cors_origins_raw = self.load("CORS_ALLOW_ORIGINS", "*")
+        self.cors_allow_origins: list[str] = [
+            o.strip() for o in cors_origins_raw.split(",") if o.strip()
+        ]
         # CDP SDK Configuration
         self.cdp_api_key_id: str | None = self.load("CDP_API_KEY_ID")
         self.cdp_api_key_secret: str | None = self.load("CDP_API_KEY_SECRET")

intentkit/wallets/privy_client.py

@@ -244,10 +244,9 @@ async def create_wallet(
 
             if response.status_code not in (200, 201):
                 logger.info(
-                    "Privy create_wallet response: status=%s auth_sig_count=%s body=%s",
+                    "Privy create_wallet response: status=%s auth_sig_count=%s",
                     response.status_code,
                     signature_count,
-                    response.text,
                 )
 
                 raise IntentKitAPIError(
@@ -351,12 +350,11 @@ async def sign_message(self, wallet_id: str, message: str) -> str:
 
             if response.status_code not in (200, 201):
                 logger.info(
-                    "Privy rpc response: wallet_id=%s method=%s status=%s auth_sig_count=%s body=%s",
+                    "Privy rpc response: wallet_id=%s method=%s status=%s auth_sig_count=%s",
                     wallet_id,
                     payload.get("method"),
                     response.status_code,
                     signature_count,
-                    response.text,
                 )
 
                 raise IntentKitAPIError(
@@ -428,12 +426,11 @@ async def sign_hash(self, wallet_id: str, hash_bytes: bytes) -> str:
 
             if response.status_code not in (200, 201):
                 logger.info(
-                    "Privy rpc response: wallet_id=%s method=%s status=%s auth_sig_count=%s body=%s",
+                    "Privy rpc response: wallet_id=%s method=%s status=%s auth_sig_count=%s",
                     wallet_id,
                     payload.get("method"),
                     response.status_code,
                     signature_count,
-                    response.text,
                 )
 
                 raise IntentKitAPIError(
@@ -497,12 +494,11 @@ async def sign_typed_data(self, wallet_id: str, typed_data: dict[str, Any]) -> s
 
             if response.status_code not in (200, 201):
                 logger.info(
-                    "Privy rpc response: wallet_id=%s method=%s status=%s auth_sig_count=%s body=%s",
+                    "Privy rpc response: wallet_id=%s method=%s status=%s auth_sig_count=%s",
                     wallet_id,
                     payload.get("method"),
                     response.status_code,
                     signature_count,
-                    response.text,
                 )
 
                 raise IntentKitAPIError(
@@ -580,18 +576,17 @@ async def send_transaction(
 
             if response.status_code not in (200, 201):
                 logger.info(
-                    "Privy rpc response: wallet_id=%s method=%s status=%s auth_sig_count=%s body=%s",
+                    "Privy rpc response: wallet_id=%s method=%s status=%s auth_sig_count=%s",
                     wallet_id,
                     payload.get("method"),
                     response.status_code,
                     signature_count,
-                    response.text,
                 )
 
                 raise IntentKitAPIError(
                     response.status_code,
                     "PrivyAPIError",
-                    f"Failed to send transaction: {response.text}",
+                    "Failed to send transaction with Privy wallet",
                 )
 
             data_response = response.json()