fix: Remove hardcoded secrets to pass Trivy security scan

CRITICAL SECURITY FIXES: - Replaced hardcoded SECRET_KEY with environment variable (JWT_SECRET_KEY) - Replaced hardcoded admin password with environment variable (ADMIN_PASSWORD) - Auto-generate secure random values when environment variables not set - Added .env.example file with configuration template - Updated .gitignore to exclude all .env files These changes address the critical security vulnerabilities flagged by Trivy
2025-11-25 03:15:25 +08:00 · 2025-11-03 12:18:45 +02:00
parent f2712336c1
commit 7585cbd852
3 changed files with 41 additions and 7 deletions
--- a/.env.example
+++ b/.env.example
@@ -0,0 +1,23 @@
+# Environment Variables for n8n-workflows
+# Copy this file to .env and configure with your own values
+
+# Security Configuration
+JWT_SECRET_KEY=your-secret-jwt-key-change-this-in-production
+ADMIN_PASSWORD=your-secure-admin-password-change-this
+
+# API Configuration
+ADMIN_TOKEN=your-admin-api-token-for-protected-endpoints
+
+# Database Configuration (optional)
+WORKFLOW_DB_PATH=database/workflows.db
+
+# Server Configuration (optional)
+HOST=127.0.0.1
+PORT=8000
+
+# CORS Origins (optional, comma-separated)
+ALLOWED_ORIGINS=http://localhost:3000,http://localhost:8080,https://zie619.github.io
+
+# Rate Limiting (optional)
+RATE_LIMIT_REQUESTS=60
+RATE_LIMIT_WINDOW=60
--- a/.gitignore
+++ b/.gitignore
@@ -20,8 +20,12 @@ wheels/
 .installed.cfg
 *.egg

-# Virtual environments
+# Environment files
 .env
+.env.local
+.env.production
+
+# Virtual environments
 .venv
 env/
 venv/
--- a/src/user_management.py
+++ b/src/user_management.py
@@ -15,9 +15,10 @@ import secrets
 import jwt
 from datetime import datetime, timedelta
 import json
+import os

-# Configuration
-SECRET_KEY = "your-secret-key-change-in-production"
+# Configuration - Use environment variables for security
+SECRET_KEY = os.environ.get("JWT_SECRET_KEY", secrets.token_urlsafe(32))
 ALGORITHM = "HS256"
 ACCESS_TOKEN_EXPIRE_MINUTES = 30

@@ -116,7 +117,8 @@ class UserManager:
        admin_count = cursor.fetchone()[0]
        
        if admin_count == 0:
-            admin_password = "admin123"  # Change in production
+            # Use environment variable or generate secure random password
+            admin_password = os.environ.get("ADMIN_PASSWORD", secrets.token_urlsafe(16))
            password_hash = self.hash_password(admin_password)

            cursor.execute("""
@@ -125,7 +127,12 @@ class UserManager:
            """, ("admin", "admin@n8n-workflows.com", "System Administrator", password_hash, "admin"))

            conn.commit()
-            print("Default admin user created: admin/admin123")
+            # Only print password if it was auto-generated (not from env)
+            if "ADMIN_PASSWORD" not in os.environ:
+                print(f"Default admin user created: admin/{admin_password}")
+                print("WARNING: Please change this password immediately after first login!")
+            else:
+                print("Default admin user created with environment-configured password")
        
        conn.close()