diff --git a/.github/workflows/deploy-getcloser.yml b/.github/workflows/deploy-getcloser.yml
index 14b9af3..571c406 100644
--- a/.github/workflows/deploy-getcloser.yml
+++ b/.github/workflows/deploy-getcloser.yml
@@ -47,6 +47,8 @@ jobs:
 echo "TEAM_SIZE=${{ vars.TEAM_SIZE}}" >> .env
 echo "PENDING_TIMEOUT_MINUTES=${{ vars.PENDING_TIMEOUT_MINUTES}}" >> .env
 echo "DATA_DIR_HOST=${{ vars.DATA_DIR_HOST }}" >> .env
+ echo "SECRET_KEY=${{ secrets.SECRET_KEY }}" >> .env
+ echo "ENVIRONMENT=prod" >> .env
 - name: πŸš€ Deploy to PROD
 run: |
diff --git a/getcloser/backend/.env.example b/getcloser/backend/.env.example
new file mode 100644
index 0000000..e54c956
--- /dev/null
+++ b/getcloser/backend/.env.example
@@ -0,0 +1,7 @@
+# DATABASE_URL=postgresql+psycopg2://user:password@db:5432/app_db
+
+# λ³΄μ•ˆμ„ μœ„ν•΄ λ¬΄μž‘μœ„ λ¬Έμžμ—΄μ„ μƒμ„±ν•˜μ—¬ μ„€μ •ν•˜μ„Έμš”.
+# 예: openssl rand -hex 32
+SECRET_KEY=your-super-secret-key-here
+
+# ACCESS_TOKEN_EXPIRE_MINUTES=60
diff --git a/getcloser/backend/app/core/config.py b/getcloser/backend/app/core/config.py
index 898895d..4974341 100644
--- a/getcloser/backend/app/core/config.py
+++ b/getcloser/backend/app/core/config.py
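Review bot: The added `echo "SECRET_KEY=${{ secrets.SECRET_KEY }}" >> .env` line writes a bare `SECRET_KEY=` when the repository secret has not been configured, and the deploy proceeds with an empty key rather than failing. Interpolating the secret straight into the shell line also lets a value containing `"`, `$` or backticks be re-parsed by the shell, so map it into the step's `env:` block (`SECRET_KEY: ${{ secrets.SECRET_KEY }}`) and write it from there: `[ -n "$SECRET_KEY" ] || { echo "SECRET_KEY secret is not set" >&2; exit 1; }` followed by `printf 'SECRET_KEY=%s\n' "$SECRET_KEY" >> .env`. The `run:` script this hunk sits in starts before the hunk, so the existing `vars.*` lines above presumably follow the same direct-interpolation pattern; only the secret-bearing line needs the stricter form.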
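Review bot: The placeholder `SECRET_KEY=your-super-secret-key-here` in this template is not the value `check_secret_key` in config.py rejects (`default-secret-key-change-it`), so a `.env` copied from this file with the placeholder left untouched passes the production check. Either reuse the same placeholder string in both places or have the validator reject a small set of known placeholders so the template and the guard agree. The `openssl rand -hex 32` hint is the right guidance; it is worth stating in the comment that the value must be at least 32 bytes for HS256 so the expectation matches whatever length check the validator enforces.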
@@ -1,12 +1,29 @@
 import os
+from pydantic import field_validator
 from pydantic_settings import BaseSettings
 class Settings(BaseSettings):
+ ENVIRONMENT: str = os.getenv("ENVIRONMENT", "dev")
 DATABASE_URL: str = os.getenv("DATABASE_URL", "postgresql+psycopg2://user:password@db:5432/app_db")
+ """ JWT μ•ˆμ“Έ 것 κ°™μ•„ 일단 주석 μ²˜λ¦¬ν•˜κ³  μΆ”ν›„ ν™•μ • μ‹œ μ‚­μ œ """
- SECRET_KEY: str = os.getenv("SECRET_KEY", "change-me-in-prod")
+ # Secret key for JWT signing. Must be overridden in production using environment variables.
+ DEFAULT_SECRET_KEY = "default-secret-key-change-it"
+ SECRET_KEY: str = os.getenv("SECRET_KEY", DEFAULT_SECRET_KEY)
+
+ @field_validator("SECRET_KEY")
+ @classmethod
+ def check_secret_key(cls, v, info):
+ """
+ Validate that SECRET_KEY is not using the default placeholder value in production.
+ """
+ env = os.getenv("ENVIRONMENT", "dev").lower()
+ if env in ["prod", "production"] and v == cls.DEFAULT_SECRET_KEY:
+ raise ValueError("SECRET_KEY must be a unique, non-default value in production environments.")
+ return v
+
 ALGORITHM: str = "HS256"
 ACCESS_TOKEN_EXPIRE_MINUTES: int = int(os.getenv("ACCESS_TOKEN_EXPIRE_MINUTES", "60"))
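Review bot: `check_secret_key` still accepts an empty or trivially short key in production: the condition only compares against `DEFAULT_SECRET_KEY`, while the deploy workflow in this same commit writes `SECRET_KEY=` (empty) when the repository secret is unset, and HS256 expects a key of at least 32 bytes (the `openssl rand -hex 32` suggested in `.env.example` yields 64 hex characters). Widen the check to `if env in ["prod", "production"] and (not v or v == cls.DEFAULT_SECRET_KEY or len(v) < 32):` and say so in the error message. `ENVIRONMENT` is declared as a field before `SECRET_KEY`, so the otherwise-unused `info` argument can supply it via `info.data.get("ENVIRONMENT", "dev")` instead of re-reading `os.getenv`, keeping one source of truth if pydantic-settings ever loads values from somewhere other than the process environment. The bare string `""" JWT ... """` added above the removed line is an expression statement, not a comment; make it a `#` comment or drop it. The class body may continue past the hunk's last visible line.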