Fix security concerns - restrictive file permissions and remove secret logging
Co-authored-by: Stalin-143 <161853795+Stalin-143@users.noreply.github.com>
@@ -29,7 +29,6 @@ def admin_required(f):
|
||||
return jsonify({"error": "Invalid authorization format"}), 401
|
||||
|
||||
token = auth_header.split(' ')[1] if len(auth_header.split(' ')) > 1 else None
|
||||
print(f"Extracted token: '{token}'")
|
||||
|
||||
# Check environment variable - no fallback for security
|
||||
expected_token = os.getenv('ADMIN_TOKEN')
|
||||
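Review bot: The token extraction on the `token = auth_header.split(' ')[1] ...` line splits the header twice, once for the index and once for the length check, which is easy to misread and is the kind of line the removed debug print was there to explain. Splitting once keeps the same result: `parts = auth_header.split(' ')` followed by `token = parts[1] if len(parts) > 1 else None`. admin_required starts and ends outside this hunk, so the earlier validation of the header prefix is not visible here.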
@@ -37,9 +36,6 @@ def admin_required(f):
|
||||
print("❌ ADMIN_TOKEN environment variable not set")
|
||||
return jsonify({"error": "Server configuration error: ADMIN_TOKEN not configured"}), 500
|
||||
|
||||
print(f"Expected token: '{expected_token}'")
|
||||
print(f"Environment ADMIN_TOKEN: '{os.getenv('ADMIN_TOKEN')}'")
|
||||
|
||||
# Strip any whitespace from both tokens
|
||||
if token and expected_token:
|
||||
if token.strip() == expected_token.strip():
|
||||
|
||||
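Review bot: The comparison `if token.strip() == expected_token.strip():` checks a bearer secret with ordinary string equality, which short-circuits at the first differing character; since this commit is tightening secret handling, it should use a constant-time compare: `if hmac.compare_digest(token.strip(), expected_token.strip()):` with `import hmac` at the top of the file. The remaining `print("❌ ADMIN_TOKEN environment variable not set")` is fine to keep, but the 500 body `"Server configuration error: ADMIN_TOKEN not configured"` tells an unauthenticated caller the name of the server-side variable; a generic `"Server configuration error"` in the response, with the detail kept in the server log, would be enough. The rest of admin_required, including what happens when the tokens do not match, lies outside the hunk.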
@@ -21,6 +21,7 @@ JWT_SECRET = os.getenv('JWT_SECRET')
|
||||
if not JWT_SECRET:
|
||||
import warnings
|
||||
import tempfile
|
||||
import stat
|
||||
warnings.warn("JWT_SECRET environment variable not set. Using persistent dev secret.", UserWarning)
|
||||
# Use persistent file-based secret for development to avoid invalidating tokens on restart
|
||||
_secret_file = os.path.join(tempfile.gettempdir(), '.openlearnx_dev_jwt_secret_auth')
|
||||
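Review bot: The added `import stat` joins `import warnings` and `import tempfile` inside the `if not JWT_SECRET:` block, so three stdlib modules are now imported conditionally mid-module instead of at the top of the file as the rest of the imports presumably are. Either move the three to the module-level import block, or drop the `stat` import and write the permission bits as the literal `0o600`, which is what `stat.S_IRUSR | stat.S_IWUSR` evaluates to and is the form most readers recognise. The `if not JWT_SECRET:` block continues into the next hunk.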
@@ -33,6 +34,8 @@ if not JWT_SECRET:
|
||||
JWT_SECRET = _secrets.token_hex(32)
|
||||
with open(_secret_file, 'w') as f:
|
||||
f.write(JWT_SECRET)
|
||||
# Set restrictive permissions (owner read/write only)
|
||||
os.chmod(_secret_file, stat.S_IRUSR | stat.S_IWUSR)
|
||||
except Exception:
|
||||
import secrets as _secrets
|
||||
JWT_SECRET = _secrets.token_hex(32)
|
||||
|
||||
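Review bot: The new `os.chmod(_secret_file, stat.S_IRUSR | stat.S_IWUSR)` runs only after `open(_secret_file, 'w')` has already created the file under the process umask, so the freshly written secret is briefly readable by other local users in the shared temp directory before the mode is narrowed. Creating the file with the restrictive mode from the start closes that window: `fd = os.open(_secret_file, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, stat.S_IRUSR | stat.S_IWUSR)` then `with os.fdopen(fd, 'w') as f:` and `f.write(JWT_SECRET)`; keeping the chmod afterwards is still useful, because the mode argument to os.open applies only when the file is newly created. The `except Exception:` fallback to an in-memory `_secrets.token_hex(32)` silently turns any failure here into a per-restart secret, which is the situation the persistent file was meant to avoid; at least logging the exception would make that visible. The enclosing `try` and `if not JWT_SECRET:` start outside this hunk.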