Brunobrno/vontor-cz
Template
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sanitize envs, optimize Dockerfile, Turnstile

Browse Source 
Redact sensitive AWS keys in backend/.env.example and add VITE_TURNSTILE_SITE_KEY and VITE_USE_TURNSTILE to frontend/.env.example. Optimize backend Dockerfile by installing Python requirements immediately after copying requirements.txt (enables Docker cache) and remove the duplicate later install. Update turnstile verification to skip checks when USE_SSL is disabled (dev/non-HTTPS) and keep the existing no-secret bypass; add debug logging for the SSL bypass.
This commit is contained in:
David Bruno Vontor
2026-06-11 14:04:23 +02:00
parent 5ca62497b1
commit f4c4a8bfd1
4 changed files with 13 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
backend/.env.example
View File

@@ -57,8 +57,8 @@ USE_S3=False
AWS_S3_ENDPOINT_URL=https://s3.vontor.cz
AWS_S3_CUSTOM_DOMAIN=s3.vontor.cz
AWS_STORAGE_BUCKET_NAME=vontor-cz
AWS_ACCESS_KEY_ID=pO70oxXGV4R6OSHxNmzv
AWS_SECRET_ACCESS_KEY=1gY19XzWBOWiIkDKvCQF8Xkc72mFX4iILkBBV0ML
AWS_ACCESS_KEY_ID=xxx
AWS_SECRET_ACCESS_KEY=xxx
# AWS S3 (swap in for production — clear AWS_S3_ENDPOINT_URL)
# AWS_STORAGE_BUCKET_NAME=my-bucket

4
backend/Dockerfile
View File

@@ -18,6 +18,8 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
&& rm -rf /var/lib/apt/lists/*
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
COPY . .
# Trust Windows/corporate root CAs if present (optional, no-op when certs/ is absent)
@@ -26,6 +28,4 @@ RUN test -f certs/windows-ca-bundle.crt \
&& update-ca-certificates \
|| true
RUN pip install --no-cache-dir -r requirements.txt
EXPOSE 8000

7
backend/vontor_cz/turnstile.py
View File

@@ -11,8 +11,13 @@ def verify_turnstile(token: str, remote_ip: str | None = None) -> bool:
"""
Verify a Cloudflare Turnstile token against the siteverify API.
Returns True if valid, False otherwise.
If CLOUDFLARE_TURNSTILE_SECRET_KEY is not configured, skips verification (dev bypass).
Skips verification when SSL is disabled (non-HTTPS env) or when
CLOUDFLARE_TURNSTILE_SECRET_KEY is not configured.
"""
if not getattr(settings, "USE_SSL", False):
logger.debug("Turnstile: SSL disabled, skipping verification.")
return True
secret = getattr(settings, "CLOUDFLARE_TURNSTILE_SECRET_KEY", "")
if not secret:
logger.debug("Turnstile: no secret key configured, skipping verification.")