Sanitize envs, optimize Dockerfile, Turnstile
Redact sensitive AWS keys in backend/.env.example and add VITE_TURNSTILE_SITE_KEY and VITE_USE_TURNSTILE to frontend/.env.example. Optimize backend Dockerfile by installing Python requirements immediately after copying requirements.txt (enables Docker cache) and remove the duplicate later install. Update turnstile verification to skip checks when USE_SSL is disabled (dev/non-HTTPS) and keep the existing no-secret bypass; add debug logging for the SSL bypass.
@@ -57,8 +57,8 @@ USE_S3=False
|
|||||||
AWS_S3_ENDPOINT_URL=https://s3.vontor.cz
|
AWS_S3_ENDPOINT_URL=https://s3.vontor.cz
|
||||||
AWS_S3_CUSTOM_DOMAIN=s3.vontor.cz
|
AWS_S3_CUSTOM_DOMAIN=s3.vontor.cz
|
||||||
AWS_STORAGE_BUCKET_NAME=vontor-cz
|
AWS_STORAGE_BUCKET_NAME=vontor-cz
|
||||||
AWS_ACCESS_KEY_ID=pO70oxXGV4R6OSHxNmzv
|
AWS_ACCESS_KEY_ID=xxx
|
||||||
AWS_SECRET_ACCESS_KEY=1gY19XzWBOWiIkDKvCQF8Xkc72mFX4iILkBBV0ML
|
AWS_SECRET_ACCESS_KEY=xxx
|
||||||
|
|
||||||
# AWS S3 (swap in for production — clear AWS_S3_ENDPOINT_URL)
|
# AWS S3 (swap in for production — clear AWS_S3_ENDPOINT_URL)
|
||||||
# AWS_STORAGE_BUCKET_NAME=my-bucket
|
# AWS_STORAGE_BUCKET_NAME=my-bucket
|
||||||
|
|||||||
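Review bot: replacing the access key and secret with `xxx` in this hunk does not remove the original values from history; the pair that was committed earlier in this file (`AWS_ACCESS_KEY_ID=pO70oxXGV4R6OSHxNmzv` and its secret, against `https://s3.vontor.cz` / bucket `vontor-cz`) should be treated as exposed and rotated on the storage side, with the old key revoked, rather than just redacted. Since this file is an `.env.example`, consider keeping only placeholder values here from the start and adding a pre-commit secret scan so real keys cannot land in an example file again. The endpoint and bucket lines are left as real values while the comment below says to clear `AWS_S3_ENDPOINT_URL` for production; a placeholder for those two would make the example consistent with that comment.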
@@ -18,6 +18,8 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
|
|||||||
&& rm -rf /var/lib/apt/lists/*
|
&& rm -rf /var/lib/apt/lists/*
|
||||||
|
|
||||||
COPY requirements.txt .
|
COPY requirements.txt .
|
||||||
|
RUN pip install --no-cache-dir -r requirements.txt
|
||||||
|
|
||||||
COPY . .
|
COPY . .
|
||||||
|
|
||||||
# Trust Windows/corporate root CAs if present (optional, no-op when certs/ is absent)
|
# Trust Windows/corporate root CAs if present (optional, no-op when certs/ is absent)
|
||||||
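Review bot: moving `RUN pip install --no-cache-dir -r requirements.txt` directly after `COPY requirements.txt .` gives the intended cache hit when only application code changes, but it also reorders it ahead of the corporate CA step (`update-ca-certificates`) that used to precede the install. If that CA bundle exists to let pip reach the package index through a TLS-intercepting proxy, the install will now fail in that environment. Suggest keeping the `certs/` trust step before the pip install, i.e. copy `certs/` and run `update-ca-certificates` first, then `COPY requirements.txt .` and install, then `COPY . .`, so the dependency layer still caches and the trust store is in place when pip runs.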
@@ -26,6 +28,4 @@ RUN test -f certs/windows-ca-bundle.crt \
|
|||||||
&& update-ca-certificates \
|
&& update-ca-certificates \
|
||||||
|| true
|
|| true
|
||||||
|
|
||||||
RUN pip install --no-cache-dir -r requirements.txt
|
|
||||||
|
|
||||||
EXPOSE 8000
|
EXPOSE 8000
|
||||||
|
|||||||
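Review bot: removing the duplicate install here is correct given the earlier layer now does it, and nothing after `COPY . .` re-installs anything. One thing visible in the surrounding context worth a follow-up: `|| true` on the CA-trust `RUN` swallows a real failure of `update-ca-certificates`, not only the absent-`certs/` case the comment describes; a `test -f ... && (... && update-ca-certificates) || echo "no CA bundle"` style guard, or checking for the file and failing loudly if it is present but unusable, would keep the optional behaviour without masking errors.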
@@ -11,8 +11,13 @@ def verify_turnstile(token: str, remote_ip: str | None = None) -> bool:
|
|||||||
"""
|
"""
|
||||||
Verify a Cloudflare Turnstile token against the siteverify API.
|
Verify a Cloudflare Turnstile token against the siteverify API.
|
||||||
Returns True if valid, False otherwise.
|
Returns True if valid, False otherwise.
|
||||||
If CLOUDFLARE_TURNSTILE_SECRET_KEY is not configured, skips verification (dev bypass).
|
Skips verification when SSL is disabled (non-HTTPS env) or when
|
||||||
|
CLOUDFLARE_TURNSTILE_SECRET_KEY is not configured.
|
||||||
"""
|
"""
|
||||||
|
if not getattr(settings, "USE_SSL", False):
|
||||||
|
logger.debug("Turnstile: SSL disabled, skipping verification.")
|
||||||
|
return True
|
||||||
|
|
||||||
secret = getattr(settings, "CLOUDFLARE_TURNSTILE_SECRET_KEY", "")
|
secret = getattr(settings, "CLOUDFLARE_TURNSTILE_SECRET_KEY", "")
|
||||||
if not secret:
|
if not secret:
|
||||||
logger.debug("Turnstile: no secret key configured, skipping verification.")
|
logger.debug("Turnstile: no secret key configured, skipping verification.")
|
||||||
|
|||||||
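Review bot: the new early return in `verify_turnstile` is fail-open on a setting that describes transport, not bot protection. `getattr(settings, "USE_SSL", False)` returns `False` when the setting is simply absent, and a production deployment that terminates TLS at a reverse proxy and leaves `USE_SSL` off would silently accept every token with a `debug`-level log line only. Suggest gating the bypass on an explicit, purpose-named flag (hypothetically `TURNSTILE_ENABLED`) or on `settings.DEBUG`, defaulting to verification being on, and logging the bypass once at startup at `warning` level rather than per request at `debug`. The existing no-secret bypass in the lines below has the same fail-open shape; if both are kept, a missing secret in production should at least be a `warning`, since the frontend's `VITE_USE_TURNSTILE` cannot tell the backend is not actually checking.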
@@ -9,3 +9,6 @@ VITE_BACKEND_WS_URL="ws://localhost:8000/"
|
|||||||
# Auth endpoints (defaults match Django routes; only override if you changed them).
|
# Auth endpoints (defaults match Django routes; only override if you changed them).
|
||||||
# VITE_API_REFRESH_URL=/api/token/refresh/
|
# VITE_API_REFRESH_URL=/api/token/refresh/
|
||||||
# VITE_LOGIN_PATH=/social/login
|
# VITE_LOGIN_PATH=/social/login
|
||||||
|
|
||||||
|
VITE_TURNSTILE_SITE_KEY="xxx"
|
||||||
|
VITE_USE_TURNSTILE=true
|
||||||
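Review bot: `VITE_TURNSTILE_SITE_KEY` is a public value embedded in the client bundle, so the `xxx` placeholder is fine here; `VITE_USE_TURNSTILE=true` only controls whether the widget is rendered, while enforcement is decided server-side by the `USE_SSL` check added in this commit. The two can diverge (widget shown but token never verified, or widget hidden while the backend expects a token once SSL is on), so the README or a comment next to these lines should state that the backend setting is authoritative and which combinations are supported, and the default in this example should match the backend default.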