rehearshalhub/.env.example
Mistral Vibe 68da26588a security: fix auth, CORS, file upload, endpoint hardening + test fixes
- Add INTERNAL_SECRET shared-secret auth to /internal/nc-upload endpoint
- Add JWT token validation to WebSocket /ws/versions/{version_id}
- Fix NameError: band_slug → band.slug in internal.py
- Move inline imports to top of internal.py; add missing Member/NextcloudClient imports
- Remove ~15 debug print() statements from auth.py
- Replace Content-Type-only avatar check with extension whitelist + Pillow Image.verify()
- Sanitize exception details in versions.py (no more str(e) in 4xx/5xx responses)
- Restrict CORS allow_methods/allow_headers from "*" to explicit lists
- Add security headers middleware: X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- Reduce JWT expiry from 7 days to 1 hour
- Add Pillow>=10.0 dependency; document INTERNAL_SECRET in .env.example
- Implement missing RedisJobQueue.dequeue() method (required by protocol)
- Fix 5 pre-existing unit test failures: settings env vars conftest, deferred Redis push,
  dequeue method, AsyncMock→MagicMock for sync scalar_one_or_none

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-30 21:02:56 +02:00


# ── Security ──────────────────────────────────────────────────────────────────
# Generate with: openssl rand -hex 32
SECRET_KEY=replace_me_with_32_byte_hex
# Shared secret for internal service-to-service calls (nc-watcher → API)
# Generate with: openssl rand -hex 32
INTERNAL_SECRET=replace_me_with_32_byte_hex

# ── Domain ────────────────────────────────────────────────────────────────────
DOMAIN=yourdomain.com
ACME_EMAIL=admin@yourdomain.com

# ── PostgreSQL ────────────────────────────────────────────────────────────────
POSTGRES_DB=rehearsalhub
POSTGRES_USER=rh_user
POSTGRES_PASSWORD=change_me

# ── Nextcloud (external instance) ────────────────────────────────────────────
# Full URL to your Nextcloud, e.g. https://cloud.example.com
NEXTCLOUD_URL=https://cloud.example.com
# A dedicated Nextcloud user for RehearsalHub (admin or a service account)
NEXTCLOUD_USER=rh_service
NEXTCLOUD_PASS=change_me
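The commit adds INTERNAL_SECRET as a shared secret for the nc-watcher → API call and tells the operator to generate it with `openssl rand -hex 32`. Two things a practitioner wants around that: a pre-deploy check that none of the secrets in `.env` are still at their placeholder value and that the hex secrets really are 32 random bytes, and a server-side comparison of the presented secret that is constant-time and fails closed when the secret is unset. The following is an added, stand-alone example written for this page; it is not code from the commit or from the RehearsalHub repository. The header name `X-Internal-Secret`, the sample `.env` text and the specific INTERNAL_SECRET value are constructed assumptions, since the commit does not say how nc-watcher transmits the secret.

```python
import hmac
import re
import secrets

# Constructed sample in the same KEY=value format as the .env.example above.
# SECRET_KEY and POSTGRES_PASSWORD are deliberately left at their placeholders
# so the lint below has something to report; the INTERNAL_SECRET value is a
# fixed test pattern, not a real secret.
SAMPLE_ENV = """\
# ── Security ──
SECRET_KEY=replace_me_with_32_byte_hex
INTERNAL_SECRET=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
# ── PostgreSQL ──
POSTGRES_PASSWORD=change_me
# ── Nextcloud (external instance) ──
NEXTCLOUD_PASS=a-real-password-goes-here
"""

PLACEHOLDERS = {"", "replace_me_with_32_byte_hex", "change_me"}
# `openssl rand -hex 32` yields 32 random bytes rendered as 64 hex characters.
HEX_32_BYTES = re.compile(r"^[0-9a-fA-F]{64}$")
HEX_SECRET_KEYS = ("SECRET_KEY", "INTERNAL_SECRET")
PASSWORD_KEYS = ("POSTGRES_PASSWORD", "NEXTCLOUD_PASS")
# Header name is an assumption; the commit does not say how the secret is sent.
INTERNAL_HEADER = "x-internal-secret"


def parse_env(text):
    """Parse KEY=value lines; skips comments and blanks, strips simple quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            env[key.strip()] = value.strip().strip("\"'")
    return env


def lint_env(env):
    """Return (key, problem) pairs for values that must not reach production."""
    problems = []
    for key in HEX_SECRET_KEYS:
        value = env.get(key, "")
        if value in PLACEHOLDERS:
            problems.append((key, "placeholder or missing"))
        elif not HEX_32_BYTES.match(value):
            problems.append((key, "expected 64 hex chars (openssl rand -hex 32)"))
    for key in PASSWORD_KEYS:
        if env.get(key, "") in PLACEHOLDERS:
            problems.append((key, "placeholder or missing"))
    return problems


def generate_secret():
    """Python equivalent of `openssl rand -hex 32`: 32 CSPRNG bytes as hex."""
    return secrets.token_hex(32)


def check_internal_secret(presented, expected):
    """Constant-time comparison of a presented shared secret with the configured one.

    hmac.compare_digest does not leak, through timing, how many leading
    characters matched. An unset or placeholder INTERNAL_SECRET rejects every
    request instead of silently accepting an empty header.
    """
    if not presented or not expected or expected in PLACEHOLDERS:
        return False
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


def authorize_internal_request(headers, expected):
    """Look up the shared-secret header case-insensitively and verify it."""
    presented = ""
    for name, value in headers.items():
        if name.lower() == INTERNAL_HEADER:
            presented = value
            break
    return check_internal_secret(presented, expected)


if __name__ == "__main__":
    env = parse_env(SAMPLE_ENV)
    for key, problem in lint_env(env):
        print(f"{key}: {problem}")
    print("fresh INTERNAL_SECRET:", generate_secret())
```

Run `lint_env` against the real `.env` in a deploy or CI step so a copied `.env.example` with `change_me` left in place never reaches a server; the `.env.example` naming convention also implies the real `.env` stays out of version control. On the Nextcloud side, the comment above permits an admin account, but a dedicated non-admin service account limited to the folders RehearsalHub needs keeps a leaked NEXTCLOUD_PASS from handing over the whole instance.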