0x5t4l1n/OpenLearnX
1
0
Fork 0
mirror of https://github.com/th30d4y/OpenLearnX.git synced 2026-05-26 19:26:33 +00:00
Code Issues Packages Projects Releases Wiki Activity

Fix critical security vulnerabilities - remove hardcoded secrets

Browse Source 
Co-authored-by: Stalin-143 <161853795+Stalin-143@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
2026-01-31 18:40:21 +00:00
parent d8b8a57aab
commit f04fc76eb9
6 changed files with 80 additions and 87 deletions
Download Patch File Download Diff File Expand all files Collapse all files
backend/main.py
+22 -3
View File
@@ -110,16 +110,35 @@ def check_docker_availability():
# ✅ ENHANCED: Flask app configuration with your .env variables # ✅ ENHANCED: Flask app configuration with your .env variables
app = Flask(__name__) app = Flask(__name__)
def get_required_secret(env_var: str, description: str) -> str:
"""Get required secret from environment, raise error if not set"""
value = os.getenv(env_var)
if not value:
raise ValueError(f"{description} ({env_var}) must be set in environment variables for security. Do not use default values for secrets.")
return value
# Validate required secrets at startup
try:
_secret_key = get_required_secret('SECRET_KEY', 'Flask secret key')
_jwt_secret_key = get_required_secret('JWT_SECRET_KEY', 'JWT secret key')
_admin_token = get_required_secret('ADMIN_TOKEN', 'Admin authentication token')
except ValueError as e:
print(f"⚠️ SECURITY WARNING: {e}")
print("⚠️ Using insecure defaults for development only. Set proper secrets in production!")
_secret_key = os.getenv('SECRET_KEY', os.urandom(32).hex())
_jwt_secret_key = os.getenv('JWT_SECRET_KEY', os.urandom(32).hex())
_admin_token = os.getenv('ADMIN_TOKEN', os.urandom(16).hex())
app.config.update( app.config.update(
SECRET_KEY=os.getenv('SECRET_KEY', 'your-super-secret-key-change-this-in-production-openlearnx-2024'), SECRET_KEY=_secret_key,
MONGODB_URI=os.getenv('MONGODB_URI', 'mongodb://localhost:27017/'), MONGODB_URI=os.getenv('MONGODB_URI', 'mongodb://localhost:27017/'),
WEB3_PROVIDER_URL=os.getenv('WEB3_PROVIDER_URL', 'http://127.0.0.1:8545'), WEB3_PROVIDER_URL=os.getenv('WEB3_PROVIDER_URL', 'http://127.0.0.1:8545'),
CONTRACT_ADDRESS=os.getenv('CONTRACT_ADDRESS', '0x739f0aCef964f87Bc7974D972a811f8417d74B4C'), CONTRACT_ADDRESS=os.getenv('CONTRACT_ADDRESS', '0x739f0aCef964f87Bc7974D972a811f8417d74B4C'),
DEPLOYER_PRIVATE_KEY=os.getenv('DEPLOYER_PRIVATE_KEY'), DEPLOYER_PRIVATE_KEY=os.getenv('DEPLOYER_PRIVATE_KEY'),
MINTER_PRIVATE_KEY=os.getenv('MINTER_PRIVATE_KEY'), MINTER_PRIVATE_KEY=os.getenv('MINTER_PRIVATE_KEY'),
ADMIN_TOKEN=os.getenv('ADMIN_TOKEN', 'admin-secret-key'), ADMIN_TOKEN=_admin_token,
# ✅ JWT Configuration from your .env # ✅ JWT Configuration from your .env
JWT_SECRET_KEY=os.getenv('JWT_SECRET_KEY', 'openlearnx-jwt-secret-key-change-in-production'), JWT_SECRET_KEY=_jwt_secret_key,
JWT_ACCESS_TOKEN_EXPIRES=timedelta(hours=int(os.getenv('JWT_EXPIRATION_HOURS', 168))), JWT_ACCESS_TOKEN_EXPIRES=timedelta(hours=int(os.getenv('JWT_EXPIRATION_HOURS', 168))),
# ✅ IPFS Configuration from your .env # ✅ IPFS Configuration from your .env
IPFS_GATEWAY=os.getenv('IPFS_GATEWAY', 'https://ipfs.infura.io:5001'), IPFS_GATEWAY=os.getenv('IPFS_GATEWAY', 'https://ipfs.infura.io:5001'),
backend/routes/admin.py
+3 -2
View File
@@ -31,10 +31,11 @@ def admin_required(f):
token = auth_header.split(' ')[1] if len(auth_header.split(' ')) > 1 else None token = auth_header.split(' ')[1] if len(auth_header.split(' ')) > 1 else None
print(f"Extracted token: '{token}'") print(f"Extracted token: '{token}'")
# Check environment variable first, then fallback to default # Check environment variable - no fallback for security
expected_token = os.getenv('ADMIN_TOKEN') expected_token = os.getenv('ADMIN_TOKEN')
if not expected_token: if not expected_token:
expected_token = 'admin-secret-key' print("❌ ADMIN_TOKEN environment variable not set")
return jsonify({"error": "Server configuration error: ADMIN_TOKEN not configured"}), 500
print(f"Expected token: '{expected_token}'") print(f"Expected token: '{expected_token}'")
print(f"Environment ADMIN_TOKEN: '{os.getenv('ADMIN_TOKEN')}'") print(f"Environment ADMIN_TOKEN: '{os.getenv('ADMIN_TOKEN')}'")
backend/routes/auth.py
+7 -2
View File
@@ -16,8 +16,13 @@ mongo_uri = os.getenv('MONGODB_URI', 'mongodb://localhost:27017/')
client = MongoClient(mongo_uri) client = MongoClient(mongo_uri)
db = client.openlearnx db = client.openlearnx
# JWT secret # JWT secret - must be set via environment variable
JWT_SECRET = os.getenv('JWT_SECRET', 'your-secret-key-here') JWT_SECRET = os.getenv('JWT_SECRET')
if not JWT_SECRET:
import warnings
warnings.warn("JWT_SECRET environment variable not set. Using randomly generated secret.", UserWarning)
import secrets as _secrets
JWT_SECRET = _secrets.token_hex(32)
@bp.route('/nonce', methods=['POST', 'OPTIONS']) @bp.route('/nonce', methods=['POST', 'OPTIONS'])
def get_nonce(): def get_nonce():
frontend/app/admin/login/page.tsx
+2 -2
View File
@@ -15,9 +15,9 @@ export default function AdminLogin() {
// Check if already authenticated // Check if already authenticated
const checkExistingAuth = async () => { const checkExistingAuth = async () => {
const token = localStorage.getItem('admin_token') const token = localStorage.getItem('admin_token')
if (token === 'admin-secret-key') { if (token) {
try { try {
// Verify token with API // Verify token with API - no hardcoded secret check
const response = await fetch('http://127.0.0.1:5000/api/admin/courses', { const response = await fetch('http://127.0.0.1:5000/api/admin/courses', {
headers: { 'Authorization': `Bearer ${token}` } headers: { 'Authorization': `Bearer ${token}` }
}) })
frontend/app/admin/page.tsx
+39 -46
View File
@@ -62,6 +62,23 @@ export default function AdminDashboard() {
const router = useRouter() const router = useRouter()
// Authentication logic // Authentication logic
// Helper function to get admin token from localStorage
const getAdminToken = (): string | null => {
if (typeof window !== 'undefined') {
return localStorage.getItem('admin_token')
}
return null
}
// Helper function to get authorization headers
const getAuthHeaders = (): Record<string, string> => {
const token = getAdminToken()
return {
'Authorization': token ? `Bearer ${token}` : '',
'Content-Type': 'application/json'
}
}
useEffect(() => { useEffect(() => {
setIsClient(true) setIsClient(true)
@@ -69,31 +86,28 @@ export default function AdminDashboard() {
try { try {
await new Promise(resolve => setTimeout(resolve, 500)) await new Promise(resolve => setTimeout(resolve, 500))
const token = localStorage.getItem('admin_token') const token = getAdminToken()
if (!token) { if (!token) {
router.push('/admin/login') router.push('/admin/login')
return return
} }
if (token === 'admin-secret-key') { // Verify token with API - no hardcoded secret check
try { try {
const response = await fetch('http://127.0.0.1:5000/api/admin/courses', { const response = await fetch('http://127.0.0.1:5000/api/admin/courses', {
headers: { 'Authorization': `Bearer ${token}` } headers: { 'Authorization': `Bearer ${token}` }
}) })
if (response.ok) { if (response.ok) {
setIsAuthenticated(true)
fetchData()
} else {
localStorage.removeItem('admin_token')
router.push('/admin/login')
}
} catch (apiError) {
setIsAuthenticated(true) setIsAuthenticated(true)
fetchData() fetchData()
} else {
localStorage.removeItem('admin_token')
router.push('/admin/login')
} }
} else { } catch (apiError) {
// If API is unavailable, don't allow access without verification
localStorage.removeItem('admin_token') localStorage.removeItem('admin_token')
router.push('/admin/login') router.push('/admin/login')
} }
@@ -114,10 +128,7 @@ export default function AdminDashboard() {
const fetchCourses = async () => { const fetchCourses = async () => {
try { try {
const response = await fetch('http://127.0.0.1:5000/api/admin/courses', { const response = await fetch('http://127.0.0.1:5000/api/admin/courses', {
headers: { headers: getAuthHeaders()
'Authorization': 'Bearer admin-secret-key',
'Content-Type': 'application/json'
}
}) })
if (!response.ok) { if (!response.ok) {
@@ -141,7 +152,7 @@ export default function AdminDashboard() {
const fetchStats = async () => { const fetchStats = async () => {
try { try {
const response = await fetch('http://127.0.0.1:5000/api/admin/dashboard', { const response = await fetch('http://127.0.0.1:5000/api/admin/dashboard', {
headers: { 'Authorization': 'Bearer admin-secret-key' } headers: getAuthHeaders()
}) })
if (response.ok) { if (response.ok) {
const data = await response.json() const data = await response.json()
@@ -161,10 +172,7 @@ export default function AdminDashboard() {
console.log('🔍 Fetching modules for course:', courseId) // Debug log console.log('🔍 Fetching modules for course:', courseId) // Debug log
const response = await fetch(`http://127.0.0.1:5000/api/admin/courses/${courseId}/modules`, { const response = await fetch(`http://127.0.0.1:5000/api/admin/courses/${courseId}/modules`, {
headers: { headers: getAuthHeaders()
'Authorization': 'Bearer admin-secret-key',
'Content-Type': 'application/json'
}
}) })
console.log('🔍 Modules response status:', response.status) // Debug log console.log('🔍 Modules response status:', response.status) // Debug log
@@ -209,10 +217,7 @@ export default function AdminDashboard() {
console.log('🔍 Fetching lessons for module:', moduleId) // Debug log console.log('🔍 Fetching lessons for module:', moduleId) // Debug log
const response = await fetch(`http://127.0.0.1:5000/api/admin/modules/${moduleId}/lessons`, { const response = await fetch(`http://127.0.0.1:5000/api/admin/modules/${moduleId}/lessons`, {
headers: { headers: getAuthHeaders()
'Authorization': 'Bearer admin-secret-key',
'Content-Type': 'application/json'
}
}) })
console.log('🔍 Lessons response status:', response.status) // Debug log console.log('🔍 Lessons response status:', response.status) // Debug log
@@ -253,10 +258,7 @@ export default function AdminDashboard() {
try { try {
const response = await fetch('http://127.0.0.1:5000/api/admin/courses', { const response = await fetch('http://127.0.0.1:5000/api/admin/courses', {
method: 'POST', method: 'POST',
headers: { headers: getAuthHeaders(),
'Content-Type': 'application/json',
'Authorization': 'Bearer admin-secret-key'
},
body: JSON.stringify(formData) body: JSON.stringify(formData)
}) })
@@ -277,10 +279,7 @@ export default function AdminDashboard() {
try { try {
const response = await fetch(`http://127.0.0.1:5000/api/admin/courses/${courseId}`, { const response = await fetch(`http://127.0.0.1:5000/api/admin/courses/${courseId}`, {
method: 'PUT', method: 'PUT',
headers: { headers: getAuthHeaders(),
'Content-Type': 'application/json',
'Authorization': 'Bearer admin-secret-key'
},
body: JSON.stringify(formData) body: JSON.stringify(formData)
}) })
@@ -301,7 +300,7 @@ export default function AdminDashboard() {
try { try {
const response = await fetch(`http://127.0.0.1:5000/api/admin/courses/${courseId}`, { const response = await fetch(`http://127.0.0.1:5000/api/admin/courses/${courseId}`, {
method: 'DELETE', method: 'DELETE',
headers: { 'Authorization': 'Bearer admin-secret-key' } headers: getAuthHeaders()
}) })
if (response.ok) { if (response.ok) {
@@ -333,10 +332,7 @@ export default function AdminDashboard() {
const response = await fetch(`http://127.0.0.1:5000/api/admin/courses/${selectedCourse?.id}/modules`, { const response = await fetch(`http://127.0.0.1:5000/api/admin/courses/${selectedCourse?.id}/modules`, {
method: 'POST', method: 'POST',
headers: { headers: getAuthHeaders(),
'Content-Type': 'application/json',
'Authorization': 'Bearer admin-secret-key'
},
body: JSON.stringify(formData) body: JSON.stringify(formData)
}) })
@@ -358,10 +354,7 @@ export default function AdminDashboard() {
const response = await fetch(`http://127.0.0.1:5000/api/admin/modules/${moduleId}/lessons`, { const response = await fetch(`http://127.0.0.1:5000/api/admin/modules/${moduleId}/lessons`, {
method: 'POST', method: 'POST',
headers: { headers: getAuthHeaders(),
'Content-Type': 'application/json',
'Authorization': 'Bearer admin-secret-key'
},
body: JSON.stringify(formData) body: JSON.stringify(formData)
}) })
frontend/app/courses/[courseId]/page.tsx
+7 -32
View File
@@ -108,37 +108,20 @@ export default function CoursePage() {
let modulesData = null let modulesData = null
let modulesResponse = null let modulesResponse = null
// Use public endpoint for course page (not admin endpoint)
try { try {
modulesResponse = await fetch(`http://127.0.0.1:5000/api/admin/courses/${courseId}/modules`, { modulesResponse = await fetch(`http://127.0.0.1:5000/api/courses/${courseId}/modules`, {
headers: { headers: {
'Authorization': 'Bearer admin-secret-key',
'Content-Type': 'application/json' 'Content-Type': 'application/json'
} }
}) })
if (modulesResponse.ok) { if (modulesResponse.ok) {
modulesData = await modulesResponse.json() modulesData = await modulesResponse.json()
console.log('✅ Modules loaded from admin endpoint:', modulesData) console.log('✅ Modules loaded from public endpoint:', modulesData)
}
} catch (adminError) {
console.log('⚠️ Admin endpoint failed, trying public endpoint')
}
if (!modulesData || !modulesResponse?.ok) {
try {
modulesResponse = await fetch(`http://127.0.0.1:5000/api/courses/${courseId}/modules`, {
headers: {
'Content-Type': 'application/json'
}
})
if (modulesResponse.ok) {
modulesData = await modulesResponse.json()
console.log('✅ Modules loaded from public endpoint:', modulesData)
}
} catch (publicError) {
console.error('❌ Both module endpoints failed')
} }
} catch (publicError) {
console.error('❌ Module endpoint failed')
} }
if (modulesData) { if (modulesData) {
@@ -185,21 +168,13 @@ export default function CoursePage() {
try { try {
console.log('🔍 Fetching lessons for module:', module.id) console.log('🔍 Fetching lessons for module:', module.id)
let lessonsResponse = await fetch(`http://127.0.0.1:5000/api/admin/modules/${module.id}/lessons`, { // Use public endpoint for course page (not admin endpoint)
const lessonsResponse = await fetch(`http://127.0.0.1:5000/api/modules/${module.id}/lessons`, {
headers: { headers: {
'Authorization': 'Bearer admin-secret-key',
'Content-Type': 'application/json' 'Content-Type': 'application/json'
} }
}) })
if (!lessonsResponse.ok) {
lessonsResponse = await fetch(`http://127.0.0.1:5000/api/modules/${module.id}/lessons`, {
headers: {
'Content-Type': 'application/json'
}
})
}
if (lessonsResponse.ok) { if (lessonsResponse.ok) {
const lessonData = await lessonsResponse.json() const lessonData = await lessonsResponse.json()
console.log(`✅ Lessons loaded for module ${module.id}:`, lessonData) console.log(`✅ Lessons loaded for module ${module.id}:`, lessonData)