fix(security): validate credentials and prevent weak defaults

seapagan · seapagan · commit f20797ba3a07 · 2025-12-29T13:54:18.000Z
Replace hardcoded default credentials with sentinel values and add
comprehensive validation to prevent insecure deployments.

Changes:
- Replace weak defaults in settings.py with CHANGE_ME_IN_ENV_FILE
- Add validators for SECRET_KEY, DB_PASSWORD, and DB_USER
- Enforce minimum 32-character length for SECRET_KEY
- Detect and reject known weak passwords and default values
- Update .env.example with clear instructions and secure placeholders
- Add comprehensive test coverage for all validators (100% coverage)
- Extract MIN_SECRET_KEY_LENGTH constant to avoid magic numbers

Security impact:
- Prevents accidental production deployment with default credentials
- Forces proper configuration before application startup
- Provides clear error messages with remediation steps
diff --git a/.env.example b/.env.example
@@ -18,10 +18,11 @@ BASE_URL=http://localhost:8000
 # not set, defaults to False.
 NO_ROOT_ROUTE=False
 
-# Database Settings These must be changed to match your setup, and the database
-# must already exist.
-DB_USER=dbuser
-DB_PASSWORD=my_secret_passw0rd
+# Database Settings - REQUIRED
+# These must be changed to match your PostgreSQL setup.
+# The database must already exist before running the application.
+DB_USER=your_database_username
+DB_PASSWORD=your_secure_database_password
 DB_ADDRESS=localhost
 DB_PORT=5432
 DB_NAME=my_database_name
@@ -32,9 +33,12 @@ DB_NAME=my_database_name
 # already exist.
 TEST_DB_NAME=my_database_name_tests
 
-# generate your own super secret key here, used by the JWT functions.
-# 32 characters or longer, definately change the below!!
-SECRET_KEY=change_me_to_something_secret
+# JWT Secret Key - CRITICAL SECURITY SETTING
+# Generate with one of these commands:
+#   openssl rand -hex 32
+#   python -c 'import secrets; print(secrets.token_hex(32))'
+# Must be 32+ characters. DO NOT use the example below!
+SECRET_KEY=CHANGE_ME_generate_with_command_above
 
 # How long the access token is valid for, in minutes. Defaults to 120 (2 hours)
 ACCESS_TOKEN_EXPIRE_MINUTES=120
@@ -44,19 +48,23 @@ ACCESS_TOKEN_EXPIRE_MINUTES=120
 # If you want all origins to access (the default), use * or comment out:
 CORS_ORIGINS=*
 
-# Email Settings specific to your email provider
-MAIL_USERNAME=test_username
-MAIL_PASSWORD=s3cr3tma1lp@ssw0rd
-MAIL_FROM=test@email.com
+# Email Settings - OPTIONAL for development, REQUIRED for production
+# Set these for password reset and notification emails to work
+# Leave empty for local development (email features will be disabled)
+MAIL_USERNAME=your_smtp_username
+MAIL_PASSWORD=your_smtp_password
+MAIL_FROM=noreply@yourdomain.com
 MAIL_PORT=587
-MAIL_SERVER=mail.server.com
+MAIL_SERVER=smtp.yourmailprovider.com
 MAIL_FROM_NAME="FastAPI Template"
 
 # Admin Pages Settings
 ADMIN_PAGES_ENABLED=True
 ADMIN_PAGES_ROUTE=/admin
 ADMIN_PAGES_TITLE="API Administration"
-ADMIN_PAGES_ENCRYPTION_KEY=change_me_to_a_secret_fernet_key (optional)
+# Optional: Generate with: python -c 'from cryptography.fernet import Fernet; print(Fernet.generate_key().decode())'
+# Leave empty to auto-generate on startup (regenerates each restart)
+ADMIN_PAGES_ENCRYPTION_KEY=
 ADMIN_PAGES_TIMEOUT=86400
 
 # Common Email Settings
diff --git a/app/config/settings.py b/app/config/settings.py
@@ -22,14 +22,24 @@
     logger.error("Please run 'api-admin custom init' to regenerate defaults.")
     sys.exit(1)
 
+# Security validation constants
+MIN_SECRET_KEY_LENGTH = 32
+
 
 class Settings(BaseSettings):
     """Main Settings class.
 
     This allows to set some defaults, that can be overwritten from the .env
     file if it exists.
-    Do NOT put passwords and similar in here, use the .env file instead, it will
-    not be stored in the Git repository.
+
+    SECURITY WARNING: Critical settings (SECRET_KEY, DB_PASSWORD, DB_USER)
+    MUST be set in your .env file. The application will fail to start if
+    these are not properly configured with secure values.
+
+    Do NOT put real passwords in this file - use the .env file instead
+    (it's in .gitignore and won't be stored in Git).
+
+    To get started, copy .env.example to .env and update the values.
     """
 
     project_root: Path = get_project_root()
@@ -45,23 +55,28 @@ class Settings(BaseSettings):
     cors_origins: str = "*"
 
     # Setup the Postgresql database.
-    db_user: str = "my_db_username"
-    db_password: str = "Sup3rS3cr3tP455w0rd"  # noqa: S105
+    # IMPORTANT: Set DB_USER and DB_PASSWORD in your .env file!
+    db_user: str = "CHANGE_ME_IN_ENV_FILE"
+    db_password: str = "CHANGE_ME_IN_ENV_FILE"  # noqa: S105
     db_address: str = "localhost"
     db_port: str = "5432"
     db_name: str = "api-template"
 
     test_with_postgres: bool = False
 
     # Setup the TEST Postgresql database.
-    test_db_user: str = "my_db_username"
-    test_db_password: str = "Sup3rS3cr3tP455w0rd"  # noqa: S105
+    # Note: Safe defaults for local/CI testing only
+    test_db_user: str = "test_user"
+    test_db_password: str = "test_password_local_only"  # noqa: S105
     test_db_address: str = "localhost"
     test_db_port: str = "5432"
     test_db_name: str = "api-template-test"
 
-    # JTW secret Key
-    secret_key: str = "32DigitsofSecretNumbers"  # noqa: S105
+    # JWT secret Key - CRITICAL SECURITY SETTING
+    # Generate with: openssl rand -hex 32
+    # Or Python: import secrets; secrets.token_hex(32)
+    # Set SECRET_KEY in your .env file!
+    secret_key: str = "CHANGE_ME_IN_ENV_FILE"  # noqa: S105
     access_token_expire_minutes: int = 120
 
     # Custom Metadata
@@ -73,9 +88,11 @@ class Settings(BaseSettings):
     year: str = custom_metadata.year
 
     # email settings
-    mail_username: str = "test_username"
-    mail_password: str = "s3cr3tma1lp@ssw0rd"  # noqa: S105
-    mail_from: str = "test@email.com"
+    # Note: Set these in .env for production email functionality
+    # Email features will fail gracefully if not configured
+    mail_username: str = ""
+    mail_password: str = ""
+    mail_from: str = ""
     mail_port: int = 587
     mail_server: str = "mail.server.com"
     mail_from_name: str = "FASTAPI Template"
@@ -106,6 +123,80 @@ def check_api_root(cls: type[Settings], value: str) -> str:
             return value[:-1]
         return value
 
+    @field_validator("secret_key")
+    @classmethod
+    def validate_secret_key(cls: type[Settings], value: str) -> str:
+        """Ensure secret key is not a weak or default value."""
+        weak_keys = [
+            "CHANGE_ME_IN_ENV_FILE",
+            "32DigitsofSecretNumbers",
+            "CHANGE_ME",
+            "secret",
+            "secretkey",
+        ]
+        if value.lower() in [k.lower() for k in weak_keys]:
+            msg = (
+                "\n"
+                "=" * 70 + "\n"
+                "SECURITY ERROR: SECRET_KEY is using a weak/default value!\n"
+                "=" * 70 + "\n"
+                "Generate a strong key with one of these commands:\n"
+                "  openssl rand -hex 32\n"
+                "  python -c 'import secrets; print(secrets.token_hex(32))'\n\n"
+                "Then add it to your .env file:\n"
+                "  SECRET_KEY=your_generated_key_here\n"
+                "=" * 70
+            )
+            raise ValueError(msg)
+        if len(value) < MIN_SECRET_KEY_LENGTH:
+            msg = (
+                f"SECRET_KEY must be at least {MIN_SECRET_KEY_LENGTH} "
+                f"characters for security. Current length: {len(value)}"
+            )
+            raise ValueError(msg)
+        return value
+
+    @field_validator("db_password")
+    @classmethod
+    def validate_db_password(cls: type[Settings], value: str) -> str:
+        """Ensure database password is not a weak or default value."""
+        weak_passwords = [
+            "CHANGE_ME_IN_ENV_FILE",
+            "Sup3rS3cr3tP455w0rd",
+            "CHANGE_ME",
+            "password",
+            "admin",
+        ]
+        if value in weak_passwords:
+            msg = (
+                "\n"
+                "=" * 70 + "\n"
+                "SECURITY ERROR: DB_PASSWORD is using a weak/default value!\n"
+                "=" * 70 + "\n"
+                "Set a strong database password in your .env file:\n"
+                "  DB_PASSWORD=your_secure_password_here\n"
+                "=" * 70
+            )
+            raise ValueError(msg)
+        return value
+
+    @field_validator("db_user")
+    @classmethod
+    def validate_db_user(cls: type[Settings], value: str) -> str:
+        """Ensure database user is not a default value."""
+        if value == "CHANGE_ME_IN_ENV_FILE":
+            msg = (
+                "\n"
+                "=" * 70 + "\n"
+                "CONFIGURATION ERROR: DB_USER is not set!\n"
+                "=" * 70 + "\n"
+                "Set your database username in your .env file:\n"
+                "  DB_USER=your_database_username\n"
+                "=" * 70
+            )
+            raise ValueError(msg)
+        return value
+
 
 @lru_cache
 def get_settings() -> Settings:
diff --git a/tests/unit/test_validation.py b/tests/unit/test_validation.py
