From 7585cbd852dde73537ca2a931bd9c9efe410cfdf Mon Sep 17 00:00:00 2001
From: zie619
Date: Mon, 3 Nov 2025 12:18:45 +0200
Subject: [PATCH] fix: Remove hardcoded secrets to pass Trivy security scan
CRITICAL SECURITY FIXES:
- Replaced hardcoded SECRET_KEY with environment variable (JWT_SECRET_KEY)
- Replaced hardcoded admin password with environment variable (ADMIN_PASSWORD)
- Auto-generate secure random values when environment variables not set
- Added .env.example file with configuration template
- Updated .gitignore to exclude all .env files
These changes address the critical security vulnerabilities flagged by Trivy
---
 .env.example | 23 +++++++++++++++++++++++
 .gitignore | 6 +++++-
 src/user_management.py | 19 +++++++++++++------
 3 files changed, 41 insertions(+), 7 deletions(-)
 create mode 100644 .env.example
diff --git a/.env.example b/.env.example
new file mode 100644
index 00000000..53756547
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,23 @@
+# Environment Variables for n8n-workflows
+# Copy this file to .env and configure with your own values
+
+# Security Configuration
+JWT_SECRET_KEY=your-secret-jwt-key-change-this-in-production
+ADMIN_PASSWORD=your-secure-admin-password-change-this
+
+# API Configuration
+ADMIN_TOKEN=your-admin-api-token-for-protected-endpoints
+
+# Database Configuration (optional)
+WORKFLOW_DB_PATH=database/workflows.db
+
+# Server Configuration (optional)
+HOST=127.0.0.1
+PORT=8000
+
+# CORS Origins (optional, comma-separated)
+ALLOWED_ORIGINS=http://localhost:3000,http://localhost:8080,https://zie619.github.io
+
+# Rate Limiting (optional)
+RATE_LIMIT_REQUESTS=60
+RATE_LIMIT_WINDOW=60
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
index 6532fcda..85ab6ba7 100644
--- a/.gitignore
+++ b/.gitignore
@@ -20,8 +20,12 @@ wheels/
 .installed.cfg
 *.egg
-# Virtual environments
+# Environment files
 .env
+.env.local
+.env.production
+
+# Virtual environments
 .venv
 env/
 venv/
diff --git a/src/user_management.py b/src/user_management.py
index 0734d158..bc6cf275 100644
--- a/src/user_management.py
+++ b/src/user_management.py
@@ -15,9 +15,10 @@ import secrets
 import jwt
 from datetime import datetime, timedelta
 import json
+import os
-# Configuration
-SECRET_KEY = "your-secret-key-change-in-production"
+# Configuration - Use environment variables for security
+SECRET_KEY = os.environ.get("JWT_SECRET_KEY", secrets.token_urlsafe(32))
 ALGORITHM = "HS256"
 ACCESS_TOKEN_EXPIRE_MINUTES = 30
@@ -116,16 +117,22 @@ class UserManager:
 admin_count = cursor.fetchone()[0]
 if admin_count == 0:
-admin_password = "admin123" # Change in production
+ # Use environment variable or generate secure random password
+ admin_password = os.environ.get("ADMIN_PASSWORD", secrets.token_urlsafe(16))
 password_hash = self.hash_password(admin_password)
-
+
 cursor.execute("""
 INSERT INTO users (username, email, full_name, password_hash, role)
 VALUES (?, ?, ?, ?, ?)
 """, ("admin", "admin@n8n-workflows.com", "System Administrator", password_hash, "admin"))
-
+
 conn.commit()
-print("Default admin user created: admin/admin123")
+ # Only print password if it was auto-generated (not from env)
+ if "ADMIN_PASSWORD" not in os.environ:
+ print(f"Default admin user created: admin/{admin_password}")
+ print("WARNING: Please change this password immediately after first login!")
+ else:
+ print("Default admin user created with environment-configured password")
 conn.close()
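Review bot: The fallback in `SECRET_KEY = os.environ.get("JWT_SECRET_KEY", secrets.token_urlsafe(32))` is silent, so a deployment that forgot to set the variable gets a fresh key on every process start: all issued tokens die on restart, and under a multi-worker server a token signed by one worker is rejected by its siblings, with nothing in the output explaining why. The default only kicks in when the variable is absent, so `JWT_SECRET_KEY=` (set but empty) becomes the signing key, and an unedited copy of the new `.env.example` makes `your-secret-jwt-key-change-this-in-production` the real key. I would treat the generated key as an explicit development mode: `SECRET_KEY = os.environ.get("JWT_SECRET_KEY") or secrets.token_urlsafe(32)` plus a one-line startup notice when the variable was missing or empty (a `print`, matching the style used further down, or the module's logger if it has one), and consider refusing the literal `.env.example` placeholder so that it can never be the production key.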
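Review bot: The second hunk checks the environment by two different rules: `os.environ.get("ADMIN_PASSWORD", secrets.token_urlsafe(16))` falls back only when the variable is absent, while `"ADMIN_PASSWORD" not in os.environ` decides what is printed, so `ADMIN_PASSWORD=` (set but empty) would create the admin account with an empty password (assuming `hash_password` accepts it) and report it as environment-configured. Reading the variable once and branching on its truthiness keeps the two paths in agreement; a minimum-length check on a supplied value would also reject the unedited `.env.example` placeholder. Printing the generated password is what makes the first login possible, but it lands in whatever captures process output (container logs, CI output), which is one more reason the rotation demanded by the WARNING line matters. The enclosing method's `def` and the `conn`/`cursor` setup start outside the hunk.
```python
                # Read once so the fallback and the message below agree on the source.
                env_password = os.environ.get("ADMIN_PASSWORD")
                admin_password = env_password or secrets.token_urlsafe(16)
                password_hash = self.hash_password(admin_password)
                # … unchanged: INSERT INTO users … and conn.commit() …
                if env_password:
                    print("Default admin user created with environment-configured password")
                else:
                    print(f"Default admin user created: admin/{admin_password}")
                    print("WARNING: Please change this password immediately after first login!")
```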