fix: replace hardcoded credentials in docker-compose and harden server/.gitignore (#1527)#1677
Open
carlosjarenom wants to merge 1 commit into
…r/.gitignore (eigent-ai#1527)

- Replace hardcoded '123456' password with ${POSTGRES_PASSWORD:-123456} in server/docker-compose.yml and server/docker-compose.dev.yml (Postgres service + all database_url references in api, celery_worker, celery_beat)
- Add .env and alembic.ini to server/.gitignore to prevent accidental credential commits
- Update server/.env.example with CHANGE_ME placeholders for POSTGRES_PASSWORD and secret_key

Part 2 of issue eigent-ai#1527 (hardcoded fallback key in chat_share.py) was already addressed in a prior commit.
Summary
Fix remaining security issues from #1527 (part 2 was already addressed in a prior commit).
Changes
1. Replace hardcoded database passwords in compose files
   - `server/docker-compose.yml`: Replace all instances of `123456` with `${POSTGRES_PASSWORD:-123456}`
     - `POSTGRES_PASSWORD` environment variable for the Postgres service
     - `database_url` references in `api`, `celery_worker`, and `celery_beat` services (both build args and runtime env)
   - `server/docker-compose.dev.yml`: Same replacement for the Postgres service
2. Harden `server/.gitignore`
   - `.env` to prevent accidental credential commits from the server directory
   - `alembic.ini` which may contain database connection strings
3. Update `server/.env.example`
   - `POSTGRES_PASSWORD=CHANGE_ME` placeholder
   - `secret_key=postgres` to `secret_key=CHANGE_ME`

Backwards Compatibility

All substitutions use `${POSTGRES_PASSWORD:-123456}` syntax, so existing deployments that don't set `POSTGRES_PASSWORD` will continue to work with the default value. New deployments can override by setting the variable in their `.env` file.

Related
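The following is an added example written for this review; it is not code from the eigent-ai project or from this PR. It shows what the `${POSTGRES_PASSWORD:-123456}` form resolves to with and without the variable set, contrasts it with the fail-closed `${POSTGRES_PASSWORD:?...}` form that Docker Compose also supports, and runs a pre-commit style scan over constructed compose fragments for literal credentials and for weak `:-` defaults. Compose's `${VAR:-default}` and `${VAR:?error}` interpolation follows the same rules as POSIX sh parameter expansion, so plain sh is used here to demonstrate the behaviour offline; the service names, URL and fragments are constructed stand-ins, not the repository's real files.

```shell
#!/bin/sh
# Added example (not the eigent-ai project's code). Emulates the two compose
# interpolation forms relevant to this PR using sh parameter expansion, which
# has the same ':-' and ':?' semantics, and scans constructed compose text for
# hardcoded credentials. No docker is required.

# Constructed stand-in for a pre-fix service block (hypothetical content).
COMPOSE_BEFORE='
services:
  postgres:
    environment:
      POSTGRES_PASSWORD: 123456
  api:
    environment:
      database_url: postgresql://postgres:123456@postgres:5432/eigent
'

# Constructed stand-in for the post-fix block using the PR's fallback default.
COMPOSE_AFTER='
services:
  postgres:
    environment:
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:-123456}
  api:
    environment:
      database_url: postgresql://postgres:${POSTGRES_PASSWORD:-123456}@postgres:5432/eigent
'

# Constructed fail-closed variant: compose refuses to start if the variable
# is unset or empty instead of silently using a well-known default.
COMPOSE_STRICT='
services:
  postgres:
    environment:
      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}
  api:
    environment:
      database_url: postgresql://postgres:${POSTGRES_PASSWORD:?POSTGRES_PASSWORD must be set}@postgres:5432/eigent
'

# ${VAR:-default}: $1 is the value of POSTGRES_PASSWORD ('' means unset).
# Prints the resolved URL; an unset variable yields the 123456 fallback.
resolve_with_default() {
    _pw=$1
    printf '%s\n' "postgresql://postgres:${_pw:-123456}@postgres:5432/eigent"
}

# ${VAR:?msg}: same input, but returns 1 and prints nothing when the
# variable is unset or empty, mirroring compose aborting interpolation.
resolve_required() {
    _pw=$1
    if [ -z "$_pw" ]; then
        return 1
    fi
    printf '%s\n' "postgresql://postgres:${_pw}@postgres:5432/eigent"
}

# Check 1: lines carrying a password assignment or a connection URL whose
# value is not a ${...} interpolation. Reads compose text on stdin, prints
# offending lines, returns 1 if any were found.
scan_literal_credentials() {
    _hits=$(grep -nE '(POSTGRES_PASSWORD:|database_url:|://[^:/@]+:)' \
            | grep -vE '\$\{[A-Za-z_][A-Za-z0-9_]*(:?[-?][^}]*)?\}' || true)
    if [ -n "$_hits" ]; then
        printf '%s\n' "$_hits"
        return 1
    fi
    return 0
}

# Check 2: password-bearing lines that use ${VAR:-literal}. The literal is
# still a credential committed to the repo, so flag it; ${VAR:?msg} passes.
scan_weak_defaults() {
    _hits=$(grep -nE '(POSTGRES_PASSWORD|database_url)' \
            | grep -E '\$\{[A-Za-z_][A-Za-z0-9_]*:?-[^}]+\}' || true)
    if [ -n "$_hits" ]; then
        printf '%s\n' "$_hits"
        return 1
    fi
    return 0
}

# Demo when run directly.
resolve_with_default ''
resolve_with_default "${POSTGRES_PASSWORD:-}"
printf '%s' "$COMPOSE_BEFORE" | scan_literal_credentials || echo "BEFORE: literal credentials found"
printf '%s' "$COMPOSE_AFTER"  | scan_weak_defaults       || echo "AFTER: weak fallback default found"
printf '%s' "$COMPOSE_STRICT" | scan_literal_credentials && printf '%s' "$COMPOSE_STRICT" | scan_weak_defaults && echo "STRICT: clean"
```

The point of the second scan is the caveat to the backwards-compatibility argument above: `:-123456` keeps the well-known password in the tracked compose file, so any deployment that forgets its `.env` still comes up with it. Switching to `:?` is the usual follow-up once existing deployments have set the variable.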