fix: replace hardcoded credentials in docker-compose and harden server/.gitignore (#1527)#1677
Conversation
26b59a5 to
965709a
Compare
…r/.gitignore (eigent-ai#1527) - Replace hardcoded '123456' password with ${POSTGRES_PASSWORD:-123456} in server/docker-compose.yml and server/docker-compose.dev.yml (Postgres service + all database_url references in api, celery_worker, celery_beat) - Add .env and alembic.ini to server/.gitignore to prevent accidental credential commits - Update server/.env.example with CHANGE_ME placeholders for POSTGRES_PASSWORD and secret_key Part 2 of issue eigent-ai#1527 (hardcoded fallback key in chat_share.py) was already addressed in a prior commit.
965709a to
cbde07c
Compare
|
Rebased on latest upstream/main and force-pushed. Changes: Replaced hardcoded |
|
Hi @carlosjarenom Thanks for the security cleanup here. One small thing to double-check: Could we keep |
Summary
Fix remaining security issues from #1527 (part 2 was already addressed in a prior commit).
Changes
1. Replace hardcoded database passwords in compose files
server/docker-compose.yml: Replace all instances of123456with${POSTGRES_PASSWORD:-123456}POSTGRES_PASSWORDenvironment variable for the Postgres servicedatabase_urlreferences inapi,celery_worker, andcelery_beatservices (both build args and runtime env)server/docker-compose.dev.yml: Same replacement for the Postgres service2. Harden
server/.gitignore.\envto prevent accidental credential commits from the server directoryalembic.iniwhich may contain database connection strings3. Update
server/.env.examplePOSTGRES_PASSWORD=CHANGE_MEplaceholdersecret_key=postgrestosecret_key=CHANGE_MEBackwards Compatibility
All substitutions use
${POSTGRES_PASSWORD:-123456}syntax, so existing deployments that don't setPOSTGRES_PASSWORDwill continue to work with the default value. New deployments can override by setting the variable in their.\envfile.Related